We've got a security server running Retina that recently ran away and opened up tens of thousands of connections through our PIX 515E to devices it's supposed to scan. This caused memory on the PIX to run low, caused dropped connections on other sessions running through the PIX, and generally made life unhappy. Quick solution was to unplug the server from the net, run a clear xlate, and put in a new access list with a line "deny ip host <server ip> any" in it to prevent it from reaching out again.
What I'm wondering is:
Is there a way to limit the number of TCP connections that particular host can initiate through the firewall?
Is there a way to clear ONLY the connections that host has opened, rather than the "clear xlate" command which kills ALL the sessions running through the firewall? The SAs and DBAs get annoyed when all their SSH sessions drop.
On PIX running 6.3, you can do it using the options max_conns/emb_limit of the static command.
But PIX 6.3 does not verify the TCP checksum of packets transiting through the firewall. It holds the half-open TCP connection open until the embryonic timeout in 2 minutes.
Because the firewall is holding a connection open, any additional packets with the same protocol, IP addresses, and ports will be treated as part of the existing half-open connection. In this case, a legitimate SYN packet following the malformed SYN will be discarded because it is outside of the window of acceptable sequence numbers established by the malformed packet.
However, if you upgrade to 7.0 or above then you can try something like this to check for tcp connections coming on any interface of the PIX.
An upgrade to 7.x or later is not an option at this time. And I don't know if the static command will work - keep in mind that the host here is INSIDE one firewall, reaching out to hosts outside that firewall and inside another. I'm trying to stop it at the inside interface of the first firewall.
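As an added illustration of the two approaches the answer above names (not configuration from either poster), here is what the per-host limits look like on each code train. The addresses, the `scanner-limit` access-list name, the class and policy names, and the limit values 500/50 are assumed placeholders; the 6.3 form uses the `max_conns` and `emb_limit` positional arguments of `static`, and the 7.0+ form uses the Modular Policy Framework `set connection` command.

```cisco
! --- PIX 6.3: identity static for the scanner, with connection caps ---
! syntax: static (real_if,mapped_if) mapped_ip real_ip [netmask m] [max_conns [emb_limit]]
! 192.0.2.10 is a placeholder for the scanner; 500 total / 50 embryonic are assumed values
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255 500 50

! --- PIX/ASA 7.0 and later: same limits via Modular Policy Framework ---
! match only traffic sourced from the scanner host (placeholder address)
access-list scanner-limit extended permit ip host 192.0.2.10 any
class-map scanner-class
 match access-list scanner-limit
policy-map global_policy
 class scanner-class
  set connection conn-max 500 embryonic-conn-max 50
service-policy global_policy global
```

In both cases the caps apply to the scanner's own connections only, so the rest of the site's sessions are unaffected when the limit is hit; once the scanner reaches 500 open or 50 half-open connections, further SYNs from it are dropped instead of consuming firewall memory.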