UDP Connection Limit Cisco PIX static command

csiegagpb
Level 1

Hi there,

I am trying to limit UDP connections initiated from a higher level sec int to a lower level sec int, aka my internal users to the internet.

I'm using static mapping like so:

static (inside,outside) x.24.110.26 192.168.1.110 netmask 255.255.255.255 50 10

Thing is, I can't seem to get the UDP connection limit enforced. I do get the TCP limit working, as it shows below, but no luck for UDP.

I'm aware UDP is connectionless, but the Cisco docs for the static command clearly say:

"Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet"

Could anyone shed some light on this?

Using a Cisco PIX Firewall 506 Unlimited License OS Version 6.3(5)

I appreciate it.

Aless

Gsurfnet

pix6# sh local-host 192.168.1.110
Interface inside: 345 active, 404 maximum active, 0 denied
local host: <192.168.1.110>,
TCP connection count/limit = 50/50
TCP embryonic count = 2
TCP intercept watermark = 10
UDP connection count/limit = 342/unlimited
AAA:
Xlate(s):
Global x.24.110.26 Local 192.168.1.110

6 Replies

mpalardy
Level 3

One thing I'm not sure of: Your internal user will access the internet over nat/global statements. The configured static allows traffic from the internet to the inside host. Is this really what you want?

Check the output from "show conn local 192.168.1.110 det". The flags on connections will indicate connection type and if you have something to correct.

Also one workaround would be to reduce the timeout allowed for udp conns.

Mike

Hello Mike,

My goal is to limit the number of UDP threads for each one of my inside users. Since the only way to limit the number of simultaneous connections on the PIX is through the static command, I have created static mappings for each one of my users. IP addresses aren't an issue here 'cause I got plenty.

If I use a nat command, the limit will be for the whole subnet and not for individual hosts in that subnet.

Changing the global timeout values won't solve my problem. Users with P2P software are killing me with over 250 UDP entries each.....

PLEASE HELP!!!!

If you are having problems with P2P users, you would probably want to invest in something that can filter that kind of traffic. Products like Websense will integrate with the PIX firewall and block access to P2P sites, and the Websense network agent will be able to block or throttle P2P traffic.

The PIX firewall is mainly designed to be a firewall and not a content filter, which is why Cisco partners with companies like Websense and N2H2.

I do have a traffic shaper in place. A great product named AstroFlow. I don't need content filtering but proper connection management for TCP and UDP.

Even though P2P is shaped, there are hundreds of UDP "connections" per user and that's what I am trying to get control of. PIX is limiting TCP connections on a per-user basis fine, but I can't seem to prevent my state table from filling up with UDP entries.

riteshsynchro
Level 1

I have some bad news for you.

You cannot do this in 6.x. You need version 7.x. Unfortunately, the 7.x branch is not (yet) supported on the PIX 506.

With PIX 7.x static statements, you can specify "udp" with "udp_max_conns".

The best you can hope to achieve with 6.x is what you have already done, and perhaps a bit more by decreasing the udp idle timer (timeout command).

Thanks Rite.

You have written what I was afraid of reading!!

Case closed!!
