I have an issue with some users that open up obsurd numbers of connections through the firewall at times due to filesharing, poorly written web apps, etc. I'd like to limit the number of connections per-host to say.. 100.
I've implemented the following configuration on a PIX515E running 7.2(4) and supporting about 100 users as a test before I implement it on our ASA5520s with 7.2(4) which support around 3000 users.
access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list limit-conns extended permit ip 10.4.5.0 255.255.255.0 any
access-list limit-conns extended deny ip any any
match access-list limit-conns
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
set connection per-client-max 75
service-policy global_policy global
It seems to be working, because from time-to-time I'll see the following messages in the syslog:
Aug 12 2008 11:53:22: %PIX-3-201013: Per-client connection limit exceeded 75/75 for input packet from 10.4.5.183/2351 to 188.8.131.52/80 on interface inside
I have a perl script that I created that will log into the firewall and parse the connection data so I have an idea of who has how many connections open... With the above config in place and even when I see the syslog message, I check the connection counts and see hosts with 150-ish connections at times.
From what I have read, the policy should enforce the 75 connection limit shouldn't it? Is there somthing I'm missing? THanks.
do a "show conn det | inc " and see the FLAGS of the connections. (only valid for TCP). You will find some are initiated from the other side. If these hosts are on the inside, the outside-initated connections will have UIOB flag (B = Initated from Outside)
Hello, Thanks for the reply. I have read the documentation and I'm glad I understand it the same way you do. Here's an example of what I'm looking at. THis host has 155 connections open, yet the flags do not indicate that the connection is outside-back
See most of these connections have the FIN bit set (fF). They are just waiting to be removed I guess. I don't know what flags they check. Perhaps someone from the ASA dev/TAC team can shed light on this.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :