Limiting established TCP sessions

thegrave2000
Level 1

Hi everyone,

I've got an extremely stupid question - is there an IOS feature which I could use to limit the number of simultaneous established TCP sessions towards a single host? It sounds like stateful inspection, but I haven't seen such a thing there. TCP Intercept can't work here, as it monitors half-open connections and the number of SYN packets received in the last minute. I've run out of ideas; can you help?

Best Regards,

Stefan Stefanov

2 Replies

Hello,

On the router I am not sure if there is an option to specify the number of established connections per host, but I was able to find a command for the IOS firewall feature set that allows a certain number of half-open connections per host.

The command is:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfcbac.html#wp1018124

On the pix you can use an option on the NAT statement where you define the max number of connections allowed.

Check the following link for the NAT command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

nat [(local_interface)] id local_ip [mask [dns] [outside | [norandomseq] [max_conns [emb_limit]]]]

max_conns:

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

You have the same option on the static command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694
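As an added illustration of the nat and static options described in this reply (not configuration from the thread or from Cisco's documentation), here is a PIX 6.3 fragment that uses the max_conns and emb_limit positional arguments. All addresses, pool ranges and limit values are constructed for the example. Note the difference the quoted documentation points at: on a subnet-wide nat statement the limit counts connections for the whole subnet, whereas on a one-host static it effectively becomes a per-host cap.

```cisco
! PIX 6.3 example (added here, not from the thread); addresses and limits are constructed.
! Subnet-wide dynamic NAT: at most 500 simultaneous TCP/UDP connections and
! 100 embryonic (half-open) connections for the entire 10.1.1.0/24 subnet.
nat (inside) 1 10.1.1.0 255.255.255.0 500 100
global (outside) 1 203.0.113.10-203.0.113.20
!
! One-host static translation: the same two positional values now apply to
! that single server, i.e. 100 established and 20 half-open connections.
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255 100 20
!
! Idle connections count against the cap until "timeout conn" expires them;
! a shorter idle timeout stops stale sessions from consuming the limit.
timeout conn 0:30:00
!
! Checks: overall connection counters, and the per-host count against its limit.
show conn count
show local-host 10.1.1.5
```

The two trailing numbers on nat and static are positional, so to set only an embryonic limit the max_conns value has to be given explicitly (0 keeps it unlimited, as the quoted documentation states).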

The first thing you pointed to is CBAC, which implements TCP Intercept, which monitors only half-open connections. I know about the ASA solution, but I only have an 1812 router on the customer premises, so I'm trying to solve this with IOS. Now something else came to mind - SLB provides a feature limiting the number of active connections:

Router(config-slb-real)# maxconns maximum-number

Specifies the maximum number of active connections allowed on the real server at one time.

The only problem is that SLB is not available for the 1812 :) Looking for other options now...
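For completeness, here is what the maxconns command quoted above looks like in a full IOS SLB server-farm definition. This is an added example, not configuration from the thread, and as the post notes the feature is not available on the 1812; it shows the per-real-server cap on a platform that does support SLB. Server farm and vserver names, addresses and the connection count are constructed.

```cisco
! IOS SLB example (added here, not from the thread); names, addresses and counts are constructed.
! maxconns is set per real server, which is the per-host cap the thread is after.
ip slb serverfarm WEBFARM
 nat server
 real 10.1.1.5
  maxconns 200
  inservice
!
ip slb vserver WEB-VIP
 virtual 203.0.113.5 tcp 80
 serverfarm WEBFARM
 inservice
!
! Verify the configured limit and the current connection count per real server.
show ip slb reals detail
```

Once the real server reaches its maxconns value, SLB stops dispatching new connections to it rather than dropping them on the server itself, so the cap is enforced at the router in front of the host.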
