Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Limiting established TCP sessions

Hi everyone,

I've got an extremely stupid question - is there an IOS feature which I could use to limit the number of simultaneous established TCP sessions towards a single host? Sounds like stateful inspection but haven't seen such a thing there. TCP Intercept can't work here as it monitors half-open connections and the number of SYN packets received in the last minute. I ran out of ideas, can you help?

Best Regards,

Stefan Stefanov

2 REPLIES

Re: Limiting established TCP sessions

Hello,

On the router I am not sure if there is an option to specify the amount of established connection per host but I was able to find a command for the IOS firewall feature set that allows certain amount of half open connections per host.

The command is:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfcbac.html#wp1018124

On the pix you can use an option on the NAT statement where you define the max number of connections allowed.

Check the following link for the NAT command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

nat [(local_interface)] id local_ip [mask [dns] [outside | [norandomseq] [max_conns [emb_limit]]]]

max_conns:

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

You have the same option on the static command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

New Member

Re: Limiting established TCP sessions

The first thing you pointed is CBAC which implements TCP Intercept which monitors only half-open connections. I know about the ASA solution but only have a 1812 router in customer premises so I'm trying to solve this with IOS. Now something else came to my mind - SLB provides a feature limiting the number of active connections:

Router(config-slb-real)# maxconns maximum-number

Specifies the maximum number of active connections allowed on the real server at one time.

The only problem is that SLB is not available for 1812:) Looking for other options now...

307
Views
0
Helpful
2
Replies
CreatePlease to create content