Cisco Support Community

New Member

MPF configuration..

Hi,

In MPF, how many service-policies can I configure per interface? Please find the configuration in my ASA:

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside

I want to add one more modular policy to prevent TCP SYN attacks. Please find the configuration:

#class-map tcp_syn
#match port tcp eq 80
#exit
#policy-map tcpmap
#class tcp_syn
#set connection conn-max 100
#set connection embryonic-conn-max 200
#set connection per-client-embryonic-max 10
#set connection per-client-max 5
#set connection timeout embryonic 0:0:45
#set connection timeout half-closed 0:25:0
#set connection timeout tcp 2:0:0
#exit
#service-policy tcpmap global

** Shall I add the above configuration to my ASA? How many service policies can I assign on the global interface?

18 REPLIES

Re: MPF configuration..

Hi,

You can apply only one Global policy, which will do inspection on all interfaces.

You can either modify the global policy or create your own policy and apply globally or to one or more interfaces.

New Member

Re: MPF configuration..

Thanks!!

Can I do it like this?

Configure a separate class-map (tcp_syn) and add it under the policy-map global_policy (the default one).

class-map tcp_syn
 match port tcp eq 80
policy-map global_policy
 class tcp_syn
  set connection conn-max 100
  set connection embryonic-conn-max 200
  set connection per-client-max 5
  set connection timeout embryonic 0:0:45
  set connection timeout tcp 2:0:0
service-policy tcpmap global

Please assist.

Re: MPF configuration..

You can have one global policy

and one policy per interface.

The interface policy overrides the global one if they overlap.

In your question the config is OK,

but I see you put your config under the default global policy.

Why are you applying another one?

Once you put the config under global_policy, which is the default one, it will be automatically applied globally.

Good luck.

Please rate if helpful.

Re: MPF configuration..

Yes, you can add a new class-map.

But don't add this "service-policy tcpmap global".

You can have only one global policy:

service-policy global_policy global

New Member

Re: MPF configuration..

Please find my configuration.

Lines starting with * are newly added.

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
*class-map tcp_syn
 *match port tcp eq 80
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
 *class-map tcp_syn
  *set connection conn-max 100
  *set connection embryonic-conn-max 200
  *set connection per-client-embryonic-max 10
  *set connection per-client-max 5
  *set connection random-sequence-number enable
  *set connection timeout embryonic 0:0:45
  *set connection timeout half-closed 0:25:0
  *set connection timeout tcp 2:0:0
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside

Is it OK?

Re: MPF configuration..

Sounds good.

I mean the policies' application.

Good luck.

Re: MPF configuration..

This seems OK.

Just for confirmation, can you post the last part of the running-config, starting from "policy-map global_policy" till the statement "service-policy IM_BLOCK interface outside"?

New Member

Re: MPF configuration..

My current MPF configuration:

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside

I want to add these lines (marked with *):

*class-map tcp_syn
 *match port tcp eq 80
policy-map global_policy
 class inspection_default
 *class-map tcp_syn
  *set connection conn-max 300
  *set connection embryonic-conn-max 400
  *set connection per-client-embryonic-max 10
  *set connection per-client-max 15
  *set connection random-sequence-number enable
  *set connection timeout embryonic 0:0:45
  *set connection timeout half-closed 0:25:0
  *set connection timeout tcp 2:0:0

Re: MPF configuration..

Hi Somnath,

Do it like this:

myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# exit
myPIX(config)# policy-map global_policy
pixfirewall(config-pmap)# class tcp_syn
pixfirewall(config-pmap-c)# set connection conn-max 100
..... and so on....

New Member

Re: MPF configuration..

Hi,

One more question: if I configure it like the above, it will be applicable only for port 80.

I want to limit connections for all traffic.

Is the below configuration OK or not?

myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match any
myPIX(config-cmap)# exit
policy-map global_policy
 class inspection_default
 *class-map tcp_syn
  *set connection conn-max 700
  *set connection embryonic-conn-max 1200
  *set connection per-client-embryonic-max 20
  *set connection per-client-max 10
  *set connection random-sequence-number enable
  *set connection timeout embryonic 0:0:45
  *set connection timeout half-closed 0:25:0
  *set connection timeout tcp 2:0:0

Are the parameters mentioned above (conn-max 700, embryonic-conn-max 1200, per-client-embryonic-max 20, per-client-max 10) OK or not?

Re: MPF configuration..

Only a small change:

policy-map global_policy
 class tcp_syn
  set connection conn-max 700
..... and so on.

If you do it as below, your purpose will not be achieved:

policy-map global_policy
 class inspection_default
 class-map tcp_syn
  set connection conn-max 700
.......

New Member

Re: MPF configuration..

I want to configure that to prevent a DoS attack (TCP SYN).

Is it possible by limiting port 80 traffic, or do I have to go for any?

Re: MPF configuration..

Yes, do match any.

New Member

Re: MPF configuration..

Thanks! I got it.

New Member

Re: MPF configuration..

Sorry, one more confusion.

If I configure it like that, will it be applicable for all traffic or individually?

I mean, will it limit total connections to 900, or each type of connection (FTP 900, HTTP 900, and so on) to 900?

class-map tcp_syn
 match any
policy-map global_policy
 class inspection_default
 class tcp_syn
  set connection conn-max 900
  set connection embryonic-conn-max 300
  set connection per-client-embryonic-max 10

Re: MPF configuration..

Because in your class-map you have match any, this will consider the total amount of connections as 900.

If you want to restrict only one type, let's say HTTP, do:

access-list 100 permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 80
access-list 100 permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 443

Then make a new class:

class-map http-map
 match access-group 100

Then apply it the same way you have done above.
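To check a config fragment for the mistakes this thread corrects (the "class-map" keyword used inside a policy-map where "class" belongs, a second global service-policy, and a service-policy that references a policy-map that was never defined), here is an added example linter; it is not code from the thread or from Cisco. Both config strings are constructed: the second one uses the ACL-scoped class from the last reply, and "any any" as the ACL source and destination is an assumption.

```python
# Constructed sample: the poster's attempted change (not copied verbatim from
# the thread), carrying the two mistakes the replies point out.
BAD_CFG = """\
class-map tcp_syn
 match any
policy-map global_policy
 class-map tcp_syn
  set connection conn-max 700
service-policy global_policy global
service-policy tcpmap global
"""

# Constructed sample: the corrected, ACL-scoped form from the last reply
# ('any any' as source/destination is an assumption).
GOOD_CFG = """\
access-list 100 extended permit tcp any any eq 80
access-list 100 extended permit tcp any any eq 443
class-map http-map
 match access-group 100
policy-map global_policy
 class http-map
  set connection conn-max 700
  set connection per-client-max 10
service-policy global_policy global
"""

def lint_mpf(cfg):
    """Return the MPF problems found in an ASA config fragment (list of str)."""
    problems, class_maps, policy_maps, global_sp = [], set(), set(), []
    policy = None                              # policy-map block being parsed
    for raw in filter(str.strip, cfg.splitlines()):
        words = raw.split()
        if not raw.startswith(" "):            # top-level line closes any block
            policy = None
        if words[0] == "class-map" and policy is None:
            class_maps.add(words[-1])
        elif words[0] == "policy-map" and "type" not in words:
            policy_maps.add(policy := words[-1])
        elif policy and words[0] == "class-map":   # the thread's recurring slip
            problems.append(f"{policy}: use 'class {words[1]}', not 'class-map'")
        elif policy and words[0] == "class" and words[1] not in class_maps:
            problems.append(f"{policy}: class '{words[1]}' has no class-map")
        elif words[0] == "service-policy":
            if words[1] not in policy_maps:
                problems.append(f"service-policy '{words[1]}' is not defined")
            if words[-1] == "global":
                global_sp.append(words[1])
    if len(global_sp) > 1:                     # the ASA allows exactly one
        problems.append("more than one global service-policy: " + ", ".join(global_sp))
    return problems
```

Running lint_mpf(BAD_CFG) reports three problems; lint_mpf(GOOD_CFG) reports none.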

New Member

Re: MPF configuration..

Thanks.

New Member

Re: MPF configuration..

Thanks!
