Cisco Support Community
New Member

How to set a maximum download size per connection in the ASA?

Hi, I would like to avoid big downloads, so I want to set a maximum download file size. How can I set the limit of MB allowed per connection in the ASA?

Thanks

13 REPLIES

How to set a maximum download size per connection in the ASA?

Hello Jmprats,

Being honest with you, I know we can configure timeouts for particular connections or the maximum number of connections per host.

We can also configure the maximum bandwidth that a particular traffic pattern can have, but I am almost sure there is no option to limit a connection based on the download size of a connection (ASA speaking).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

How to set a maximum download size per connection in the ASA?

So, I suppose I will have to work with connection timeouts. Can I set different timeouts for different source IP addresses?

How to set a maximum download size per connection in the ASA?

Hello,

Yes, you will be able to do that using the Modular Policy Framework (MPF)

    access-list test permit tcp host x.x.x.x host y.y.y.y eq 80
    class-map test
     match access-list test
    policy-map global_policy
     class test
      set connection timeout x.x.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
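
An expanded form of the MPF configuration in the post above, added here as an example and not part of the original reply, with one class per source address so that each gets its own idle timeout. The addresses, ACL and class names, and timer values are assumptions; the `idle` keyword is used because `set connection timeout` requires one of the keywords listed in the CLI help quoted later in this thread.

```cisco
! Constructed example: addresses, names and timer values are placeholders.
! One ACL per source host whose HTTP connections should be classified.
access-list SRC_A_HTTP extended permit tcp host 192.0.2.10 any eq 80
access-list SRC_B_HTTP extended permit tcp host 192.0.2.20 any eq 80
!
! One class-map per ACL so each source can carry different settings.
class-map CM_SRC_A
 match access-list SRC_A_HTTP
class-map CM_SRC_B
 match access-list SRC_B_HTTP
!
policy-map global_policy
 class CM_SRC_A
  ! Close connections from source A after 5 minutes without traffic.
  set connection timeout idle 0:05:00
  ! Cap simultaneous connections per client (the per-host limit mentioned earlier).
  set connection per-client-max 20
 class CM_SRC_B
  ! Source B is allowed a longer idle period.
  set connection timeout idle 0:30:00
!
! global_policy is normally already applied; shown for completeness.
service-policy global_policy global
```

An idle timer only fires when a connection stops passing traffic, so it does not end a download that is still transferring data. `show service-policy` displays the classes and the connection settings in effect.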

How to set a maximum download size per connection in the ASA?

Is it possible to set a connection timeout in the newer versions (i.e. 8.4, 9.1)? Not idle or tcp-embryonic or something, but a timeout for regular legitimate connections, just as in the example in the previous post. In newer versions I don't see such an option. Any clue?

Silver

How to set a maximum download size per connection in the ASA?

Are we talking about a "timeout" for normal and working connections?

The function of the current timeouts is to free resources on the unit and provide protection.

How to set a maximum download size per connection in the ASA?

I'm not sure you answered my question. Look at the previous post by jcarvaja. See the commands (particularly set connection timeout x.x.)? Is there a way to achieve this in newer versions? I.e. not set connection timeout idle/half-open/embryonic, but just set connection timeout without any other keywords.

Re: How to set a maximum download size per connection in the ASA

Hello Andrew,

I got your question, but I think we might be confused here. I did not specify anything after the timeout, but when you configure it you will see you have the same options.

Here are the configuration options on 8.2.5:

ciscoasa(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.

Now on an ASA running 8.4.4(9):

WPLG-ASA-1(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.

So, as you can see, the same options, no change at all.

Hope that I could help

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

How to set a maximum download size per connection in the ASA?

I always thought that it was possible to generally limit the conn timeout for a specific set of traffic (), but, as it turned out, it can't be done. Interesting)

How to set a maximum download size per connection in the ASA?

Hello Andrew,

yeahp

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

How to set a maximum download size per connection in the ASA?

And back to the original question. Is there any way to monitor who is uploading or downloading?

I can monitor connection MBytes, but I cannot see which direction they are (upload or download).

Thanks

How to set a maximum download size per connection in the ASA?

Hello,

Why don't you use NetFlow on the ASA...

Of course you will need software that is able to understand the NetFlow traffic from the ASA (records and templates). I would even recommend that you go with the PRTG software, a beauty that is free (just for 1 to 10 devices), and it will show you that stuff.

Go ahead and get PRTG and enable SNMP on the ASA.

Cheers mate

Julio Carvajal Segura

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

How to set a maximum download size per connection in the ASA?

Thanks, ok I will try

How to set a maximum download size per connection in the ASA?

Hey my pleasure,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC