Configuring Connection Limits on Cisco ASA Firewalls – Protect from DoS

Written By Harris Andrea

The Cisco ASA firewall offers excellent protection against Denial of Service attacks such as SYN floods, excessive TCP connection attacks, and similar resource-exhaustion attacks.


Using the Modular Policy Framework (MPF) functionality, the ASA administrator can configure granular controls for TCP connection limits and timeouts.

For example, we can control and limit the maximum number of simultaneous TCP and UDP connections allowed towards a specific host (or subnet), the maximum number of simultaneous embryonic connections allowed (to protect against SYN flood attacks), the maximum number of connections allowed per client, and so on.

Table of Contents

  • Configuration Example 1
  • Configuration Example 2
  • What are embryonic connections
  • What is the meaning of concurrent sessions in a firewall?

Configuration Example 1

STEP 1: Identify the traffic to apply connection limits to, using a class map

ASA(config)# access-list CONNS-ACL extended permit ip any host 10.1.1.1
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL

STEP 2: Add a policy map to set the actions to take on the class map traffic

ASA(config)# policy-map CONNS-POLICY
ASA(config-pmap)# class CONNS-MAP

! The following sets connection number limits
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

The conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535. 


The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535. 

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [tcp hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

STEP 3: Apply the policy on one or more interfaces, or globally

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}

Configuration Example 2

There are also several global connection timeout values that you can modify using the “timeout” command. Some important examples include:

timeout conn hh:mm:ss  (idle time after which a connection closes)

timeout half-closed hh:mm:ss (idle time until a TCP half-closed connection closes)

timeout udp hh:mm:ss (idle time until a UDP connection closes)

timeout xlate hh:mm:ss (idle time until a translation slot is freed)

timeout pat-xlate hh:mm:ss (idle time until a PAT translation slot is freed)
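The following is an added example, not configuration from the original article: it fills in the three steps of Configuration Example 1 with concrete values for a web server at 10.1.1.1 and then tightens the global timeouts from Configuration Example 2. The interface name "outside" and all limit values are assumptions chosen for illustration.

```cisco
! Added example (not from the original article). Protect a web server at
! 10.1.1.1 from SYN floods and connection exhaustion, then tighten global
! idle timeouts. Limit values are illustrative: size them from the server's
! real capacity and from "show conn count" measured during normal load.

! STEP 1: match only web traffic destined to the protected server
access-list WEB-CONNS-ACL extended permit tcp any host 10.1.1.1 eq 80
access-list WEB-CONNS-ACL extended permit tcp any host 10.1.1.1 eq 443
class-map WEB-CONNS-MAP
 match access-list WEB-CONNS-ACL

! STEP 2: limits and timeouts applied to that class
policy-map WEB-CONNS-POLICY
 class WEB-CONNS-MAP
  ! total completed connections to the server, and the cap per source IP
  set connection conn-max 5000 per-client-max 100
  ! half-open (embryonic) connections: once the total limit is reached the
  ! ASA answers the SYN itself and only forwards handshakes that complete
  set connection embryonic-conn-max 1000 per-client-embryonic-max 20
  ! randomize initial sequence numbers on the server's behalf
  set connection random-sequence-number enable
  ! drop half-open connections after 30 s, idle TCP after 10 min (with RST),
  ! half-closed connections after 5 min
  set connection timeout embryonic 0:00:30
  set connection timeout tcp 0:10:00 reset
  set connection timeout half-closed 0:05:00

! STEP 3: apply on the interface facing the attackers (assumed "outside");
! "service-policy ... global" would instead apply it on every interface
service-policy WEB-CONNS-POLICY interface outside

! Global idle timeouts (Configuration Example 2), lowered from the ASA
! defaults of 1:00:00 conn, 0:10:00 half-closed, 0:02:00 udp, 3:00:00 xlate
timeout conn 0:30:00
timeout half-closed 0:05:00
timeout udp 0:01:00
timeout xlate 1:00:00

! Verification: policy hit counters, total conn count, conns to the server
show service-policy interface outside
show conn count
show conn address 10.1.1.1
```

The "show service-policy" counters show how many connections each limit has dropped, which is the fastest way to confirm the policy is active and to tune values that are too aggressive for legitimate clients behind a shared NAT address.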

What are embryonic connections

Embryonic connections are TCP connections that have not completed the full three-way handshake. They are the mechanism behind SYN flood attacks against servers.

For example, an attacker can send thousands of SYN packets towards a server without completing the TCP handshake.


The server consumes memory and other resources while waiting for each of these connections to complete, and can therefore suffer a Denial of Service or degraded performance.

The ASA Firewall can limit the duration of such embryonic connections in order to protect the server.

What is the meaning of concurrent sessions in a firewall?

This is a performance metric usually shown in Firewall specifications. The meaning of this number is the aggregate number of simultaneous connections passing through the firewall device at the same time.

A session is a TCP/UDP connection between hosts that passes through the firewall box. Usually next-gen firewalls have very high concurrent session limits.

However, when a DDoS attack passes through the firewall (e.g. bots attacking a web server protected by the firewall), this concurrent session limit can be reached and the firewall's performance can be degraded severely.

The connection timeout settings shown above can help to mitigate such attacks. By setting lower timeout values, you free up memory resources on the firewall while such an attack takes place.

Moreover, a DDoS protection device in front of the firewall can also help a lot in protecting the firewall and other servers from reaching their concurrent session limits.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.
