
New Member

FWSM - Limit the connections

Hi,

I have a FWSM version 3.1. How can I limit the maximum number of connections of a specific internal IP?

The limit of connections is fixed in the context, but I want to apply the limit to an internal IP. For example: 100 connections.

Thanks!

6 REPLIES
Cisco Employee

Re: FWSM - Limit the connections

Hello,

Would this work for you?

Per

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/s8.htm#wp2678544

static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq]

[tcp] max_conns

Specifies the maximum number of simultaneous TCP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Hope this helps! If so, please rate.

New Member

Re: FWSM - Limit the connections

Hi,

This solution is for the entire subnet, but I want to limit the maximum number of simultaneous connections per each IP of this subnet. Is it possible?

Thanks!

Cisco Employee

Re: FWSM - Limit the connections

If you want to limit the maximum number of simultaneous connections for one IP, just limit the static to one host. I suspect the verbiage was generic when drafted, hence the word subnet.

Re: FWSM - Limit the connections

Hi .. can you actually confirm this does not limit the amount of connections for the entire subnet .. I have been wondering about this for a while ..

"max_conns Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns for outside NAT, the max_conns option is ignored."

Cisco Employee

Re: FWSM - Limit the connections

Hello,

I dug around internally and it appears this limit should be for the number of sessions from one source address if a netmask of 255.255.255.255 is used.

Both NAT and STATIC have this option.

From the FWSM command reference:

the static command:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/s8.htm#wp2678544

the nat command:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/no.htm#wp1585941

Hope this helps! If so, please rate. Also, if you test, please respond with results.

Thanks!

Re: FWSM - Limit the connections

OK .. so it means that the connection limit applies depending on the subnet mask being used on the static or nat command.

For example, if 255.255.255.255 is used on the static / nat command, then the connection limit applies to simultaneous connections from one host.

If the subnet mask is 255.255.255.0 on the static / nat, then the connection limit will apply to the whole subnet /24.

Thanks !!!
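As an added illustration of the conclusion above (not configuration from the thread or from Cisco documentation), the two static forms side by side, following the static syntax quoted earlier in the thread. The interface names, addresses and the limit of 100 from the original question are assumed values.

```text
! Added example (assumed interfaces and addresses). Host mask 255.255.255.255:
! the tcp max_conns value of 100 is counted for this single inside host only.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 tcp 100

! Same limit with a /24 mask: 100 is shared by every host in 10.1.1.0/24,
! so one noisy host can exhaust the budget for the whole subnet.
static (inside,outside) 192.0.2.0 10.1.1.0 netmask 255.255.255.0 tcp 100

! Add "udp <n>" after the tcp value when UDP sessions must be capped as well;
! max_conns is only enforced for connections from a higher to a lower
! security interface, so it has no effect on an outside NAT entry.

! Check the result per host: shows the current connection counts for that address.
show local-host 10.1.1.10
```

Test with a single host first, since the thread's reading of the documentation is based on the netmask rather than on an explicit per-host keyword.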
