5068 Views | 20 Helpful | 13 Replies

How to set a maximum download size per connection in the ASA?

jmprats
Level 4

Hi, I would like to avoid big downloads, so I want to set a maximum download file size. How can I set the limit in MB allowed per connection on the ASA?

Thanks


13 Replies

Julio Carvajal
VIP Alumni

Hello Jmprats,

Being honest with you, I know we can configure timeouts for particular connections or the maximum amount of connections per host.

We can also configure the maximum bandwidth that a particular traffic pattern can have, but I am almost sure there is no option to limit a connection based on the download size of a connection (ASA speaking).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So, I suppose I will have to work with connection timeouts. Can I set different timeouts for different source IP addresses?

Hello,

Yes, you will be able to do that using the Modular Policy Framework (MPF):

access-list test permit tcp host x.x.x.x host y.y.y.y eq 80
class-map test
 match access-list test
policy-map global_policy
 class test
  set connection timeout x.x.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Is it possible to set a connection timeout in the newer versions (i.e. 8.4, 9.1)? Not idle or TCP embryonic or something, but a timeout for regular legitimate connections, just as in the example in the previous post. In the newer version I don't see such an option. Any clue?

Are we talking about a "timeout" for normal and working connections?

The function of the current timeouts is to free resources on the unit and provide protection.

I'm not sure you answered my question. Look at the previous post by jcarvaja. See the commands? (particularly "set connection timeout x.x."). Is there a way to achieve this in newer versions, i.e. not set connection timeout idle/half-open/embryonic, but just set connection timeout without any other keywords?

Hello Andrew,

I got your question, but I think we might be confused here. I did not specify anything after the timeout, but when you configure it you will see that you have the same options.

Here are the configuration options on 8.2.5:

ciscoasa(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.

Now on an ASA running 8.4.4(9):

WPLG-ASA-1(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.

So as you can see, same options, no change at all.

Hope that I could help.

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
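The per-source timer policy discussed in the two posts above, written out as an added example by the editor rather than taken from any post in this thread. It uses the `idle`, `embryonic` and `half-closed` keywords listed in the help output, which is the form the earlier "set connection timeout x.x." line has to take on any release. The client address 192.0.2.50, the server address 198.51.100.10 and the name RESTRICT_DOWNLOADS are constructed placeholders; the timer values are illustrative and should be sized for the real traffic.

```cisco
! Added example (not from the thread): per-source connection timers via MPF.
! 192.0.2.50 = client to restrict, 198.51.100.10 = web server (constructed addresses).
access-list RESTRICT_DOWNLOADS extended permit tcp host 192.0.2.50 host 198.51.100.10 eq 80
!
class-map RESTRICT_DOWNLOADS
 match access-list RESTRICT_DOWNLOADS
!
policy-map global_policy
 class RESTRICT_DOWNLOADS
  ! Tear down the flow after 5 minutes without traffic (system default is 1:00:00);
  ! "reset" sends a TCP RST to both ends so the client does not hang on a dead socket.
  set connection timeout idle 0:05:00 reset
  ! Half-open handshakes are dropped after 20 seconds (default 0:00:30).
  set connection timeout embryonic 0:00:20
  ! Half-closed flows (one side already sent FIN) are freed after 2 minutes (default 0:10:00).
  set connection timeout half-closed 0:02:00
  ! Cap simultaneous connections from that client; this limits parallel transfers, not bytes.
  set connection per-client-max 20
!
! global_policy is normally already applied globally; shown for completeness.
service-policy global_policy global
!
! Verification: confirm the class is attached and watch the timers on live flows.
show run policy-map global_policy
show service-policy global
show conn address 192.0.2.50 detail
```

Two caveats worth keeping in mind: none of these timers bounds the number of bytes a single active download can move, they only cap how long a silent or half-open flow survives, and a service-policy change affects new connections only, so flows that were already established keep the timers they were created with.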

I always thought that it was possible to generally limit the conn timeout for a specific set of traffic, but, as it turned out, it can't be done. Interesting :)

Hello Andrew,

yeahp

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

And back to the original question. Is there any way to monitor who is uploading or downloading?

I can monitor connection MBytes, but I cannot see which direction they are (upload or download).

Thanks

Hello,

Why don't you use NetFlow on the ASA...

Of course you will need software to be able to understand the NetFlow traffic from the ASA (records and templates). I would even recommend you go with the PRTG software, a beauty that is free (for 1 to 10 devices), and it will show you that stuff.

Go ahead and get PRTG and enable SNMP on the ASA.

Cheers mate

Julio Carvajal Segura

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
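The export setup the post above recommends, written as an added example by the editor and not taken from the thread or from PRTG documentation. It enables the ASA's NetFlow Secure Event Logging (NSEL) export for all traffic plus a read-only SNMPv2c host for the same collector. The collector address 192.0.2.10, UDP port 2055 and the community string COLLECTOR-RO are constructed placeholders; use the port your collector listens on and a community string (or better, SNMPv3 credentials) of your own.

```cisco
! Added example (not from the thread): NSEL export and read-only SNMP to a collector.
! 192.0.2.10 and COLLECTOR-RO are constructed placeholders.
flow-export destination inside 192.0.2.10 2055
! Resend templates every minute so a freshly started collector can decode records quickly.
flow-export template timeout-rate 1
! Do not also emit the connection-build/teardown syslogs that NSEL already reports.
logging flow-export-syslogs disable
!
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.0.2.10
!
! SNMPv2c polling from the same host (read-only community, no write access granted).
snmp-server community COLLECTOR-RO
snmp-server host inside 192.0.2.10 community COLLECTOR-RO version 2c
!
! Verification: packets and records sent, and the effective export configuration.
show flow-export counters
show running-config flow-export
```

Regarding the upload/download question: SNMP interface counters only give totals per interface, while NSEL records are per flow and carry byte counters, so the collector is where the per-host, per-direction view comes from. Whether the counters are broken out by direction (initiator versus responder bytes) depends on the ASA release and on the collector's NSEL support, so check the NSEL field list for the version in use before relying on it.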

Thanks, ok I will try

Hey my pleasure,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC