Limit the number of management sessions on Cisco ASA

Introduction

This document provides a sample configuration that shows how to limit the maximum number of management sessions to the Cisco ASA.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

Cisco ASA 5500 series Adaptive Security Appliance running software release 8.0 or later

Configure

This section provides the information you need to configure the feature described in this document.

Configurations

This is achieved with the Modular Policy Framework (MPF) of the Cisco ASA. From Cisco ASA software release 8.0 onwards, the "set connection" option can be applied to management traffic to control the number of management flows terminating on the ASA itself. This document shows how to specify the maximum number of telnet sessions.

  • Identify the traffic as telnet and match it with a "class-map type management" command.
  • Specify the maximum telnet connection limit as one, using the policy-map command.
  • Apply the policy on the inside interface using the service-policy command.

The configuration snippet below shows how to use MPF to limit the number of telnet sessions to one.

Cisco ASA

class-map type management MGMT_CMAP
 match port tcp eq telnet
!
policy-map MGMT_PMAP
 class MGMT_CMAP
  set connection conn-max 1
!
service-policy MGMT_PMAP interface inside
!

Verify

When you open multiple simultaneous telnet sessions to the Cisco ASA, only one session succeeds; the other sessions are dropped by the ASA. This can be verified with the following commands.

ciscoasa(config)# show service-policy
Interface inside:
  Service-policy: MGMT_PMAP
    Class-map: MGMT_CMAP
      Set connection policy: conn-max 1
        current conns 1, drop 3

ciscoasa(config)# show service-policy flow tcp host 10.10.10.2 host 10.10.10.10 eq 23
Interface inside:
  Service-policy: MGMT_PMAP
    Class-map: MGMT_CMAP
      Match: port tcp eq telnet
      Action:
        Input flow:  set connection conn-max 1

Note: 10.10.10.10 is the inside IP address of the Cisco ASA.
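As an added example, not part of this document, the following Python script parses "show service-policy" output in the format shown above and flags every interface whose conn-max drop counter is non-zero, so the effect of the limit can be checked from saved command output rather than by eye. The sample output embedded in the script, including the second "management" interface, is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample output in the format that "show service-policy" prints
# for a "set connection conn-max" policy (two interfaces, one over its limit).
SAMPLE_OUTPUT = """\
Interface inside:
  Service-policy: MGMT_PMAP
    Class-map: MGMT_CMAP
      Set connection policy: conn-max 1
        current conns 1, drop 3
Interface management:
  Service-policy: MGMT_PMAP
    Class-map: MGMT_CMAP
      Set connection policy: conn-max 1
        current conns 0, drop 0
"""

def parse_conn_limits(text: str) -> List[Dict]:
    """Walk the output line by line, remembering the interface, service-policy
    and class-map headers, and emit one record per 'Set connection policy'
    together with the 'current conns ..., drop ...' counters that follow it."""
    records: List[Dict] = []
    iface = policy = cmap = None
    conn_max = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Interface (\S+):", line):
            iface = m.group(1)
        elif m := re.match(r"Service-policy: (\S+)", line):
            policy = m.group(1)
        elif m := re.match(r"Class-map: (\S+)", line):
            cmap = m.group(1)
        elif m := re.match(r"Set connection policy: conn-max (\d+)", line):
            conn_max = int(m.group(1))
        elif (m := re.match(r"current conns (\d+), drop (\d+)", line)) and conn_max is not None:
            records.append({"interface": iface, "policy": policy, "class_map": cmap,
                            "conn_max": conn_max, "current": int(m.group(1)),
                            "drop": int(m.group(2))})
            conn_max = None  # counters consumed; wait for the next policy line

    return records

def limit_hits(records: List[Dict]) -> List[Dict]:
    """Return the records whose drop counter is non-zero: interfaces where extra
    management sessions were refused, i.e. where the limit is being exercised."""
    return [r for r in records if r["drop"] > 0]

if __name__ == "__main__":
    for r in limit_hits(parse_conn_limits(SAMPLE_OUTPUT)):
        print(f"{r['interface']}: {r['class_map']} conn-max {r['conn_max']}, "
              f"{r['current']} active, {r['drop']} dropped")
```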
