
ASA 5510, Policy Maps, Class Maps, and Access-Lists!

eskirvin asked
Medium Priority
Last Modified: 2012-05-06
I'd like to fine tune my company's ASA5510 a bit, but I am not very familiar with policy maps, class maps, or ACLs. I've attached my configuration below. The IP addresses have been massaged a bit, but I should be able to follow any instructions after decrypting the comments. I'd like to accomplish the following things:

1) I've limited the numbers of connections per client to 24 to combat torrents, but I only want that limit to occur on half of my subnet, - .255, and not on the rest of it from - .255, with a network of The idea is that I'll assign problem users the earlier IP addresses, with non-offenders in the upper ranges. If I can see the concept, I'll manipulate it to suit my actual circumstances.

2) If I have a user, or users, that needs a particular port, 8181 for example, how do I forward that through the firewall if port 8181 is needed for communication with a patch server?

3) Please look over the config and offer any suggestions for improvements. We do have problems with email attachments at times, of which I have heard rumors that some type of ICMP might be at fault.
hostname xxxx-xxxx
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
interface Ethernet0/0
 description Outside Interface to Public Network, Gateway =
 nameif Public
 security-level 0
 ip address
interface Ethernet0/1
 description Inside Interface to Private Network
 nameif Private
 security-level 50
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
clock timezone AST 3
dns domain-lookup Public
dns domain-lookup Private
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.xxx
 name-server xxx.xxx.xxx.xxx
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list www_traffic extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu Public 1500
mtu Private 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (Public) 1 interface
nat (Private) 1
access-group 100 in interface Public
route Public 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
url-server (Private) vendor websense host timeout 30 protocol TCP version 4 connections 30
filter url http allow
filter https 443 allow
filter ftp 21 allow
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd ping_timeout 750
dhcpd address Private
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface Private
dhcpd enable Private
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map CONNS
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class CONNS
  set connection per-client-max 24
  set connection timeout tcp 0:15:00 dcd
service-policy global_policy global


Top Expert 2007
Hello eskirvin,
   class-map CONNS
        match any

     With the above statement, you define the traffic match on which you are going to take action under the policy-map. Your action under the policy-map for the CONNS class is to limit per-client-max connections to 24. But your traffic matches "any" traffic!
    So you have to define an ACL that the traffic matching occurs on, like the following:

access-list limit_conn permit ip any

class-map CONNS
       no match any
       match access-list limit_conn

Please explain issue #2 (forwarding) in detail





Detail for number 2 is as follows:

One of our senior level managers plays WoW, but since putting the firewall in place, he doesn't download patches as fast anymore. When I find out which port, or ports, is needed, I want to be able to forward it through the firewall for better performance. He is playing this on our morale network during his offtime which is fine. We are located in Kuwait in the middle of the desert, so morale activities are pretty important.


For your explanation of number 1, first, thank you very much :-) Second, is there a way to exclude single ip addresses from the match or should it be done for a range as per your explanation?
Top Expert 2007
static (Private,Public) tcp interface 8181 yourmanagersiphere 8181
access-list 100 extended permit tcp any interface Public eq 8181

Above is for your manager. And below for exclusion

access-list limit_conn deny ip host excludedhostiphere any
access-list limit_conn permit ip any

     The deny statement for exclusion must take place before the permit statement.
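Both changes from this answer applied to the posted configuration, written out as an added example (not part of the original answer). The addresses are assumptions made for illustration: the private network is taken as 10.10.10.0/24, its lower half 10.10.10.0/25 is the limited range, 10.10.10.5 is an excluded host inside that range, and 10.10.10.200 is the manager's PC. The interface names (Private, Public) are the ones in the posted config, and the NAT syntax is the pre-8.3 form the posted global/nat lines already use.

```cisco
! Assumed addresses for illustration (not from the thread):
!   private network   10.10.10.0/24
!   limited half      10.10.10.0/25   (10.10.10.0 - 10.10.10.127)
!   excluded host     10.10.10.5      (inside the limited half)
!   manager's PC      10.10.10.200    (upper half, never limited)
!
! 1) Traffic selection for the connection limit.
!    The ACL is evaluated top-down, so the exclusion must precede the permit;
!    a host that matches the deny line is simply not in class CONNS.
access-list limit_conn extended deny ip host 10.10.10.5 any
access-list limit_conn extended permit ip 10.10.10.0 255.255.255.128 any
!
! A class-map holds a single match statement, so replace "match any"
! instead of adding a second match.
class-map CONNS
 no match any
 match access-list limit_conn
!
! The action already in the posted policy-map is unchanged; it now applies
! only to connections whose initiator the ACL permits.
policy-map global_policy
 class CONNS
  set connection per-client-max 24
  set connection timeout tcp 0:15:00 dcd
!
! 2) Port forward for the manager's PC: static PAT on the Public interface
!    address, then an entry in the ACL that is applied inbound on Public.
static (Private,Public) tcp interface 8181 10.10.10.200 8181 netmask 255.255.255.255
access-list 100 extended permit tcp any interface Public eq 8181
!
! Verification
show running-config class-map CONNS
show running-config policy-map global_policy
show access-list limit_conn
show service-policy global
show xlate
show conn address 10.10.10.200
```

The hit counts in `show access-list limit_conn` tell you whether a given host is landing on the deny or the permit line, and `show service-policy global` shows the per-client-max drops. For the 8181 entry, `any` as the source means every host on the internet can reach that port on the manager's PC; if the patch server's address is known, replace `any` with `host <patch-server>` so only that server can connect.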


Very nice! After making my post, I thought about it and did just as you said with the deny statement. For the port forwarding, what does that mean for security? If you look at the config, is there anything else you would suggest? Thank you very much for your help thus far, it is very much appreciated.
Top Expert 2007
"For the port forwarding, what does that mean for security? "
       Now a service, or an application, on your manager's computer is open to the internet. That means a hacker, or a bot configured by a hacker, on the internet can scan your firewall's ports and see that 8181 is bound to an application or service that is currently listening. It is open to penetration. And if this application, say the WoW update manager, contains a vulnerability, the hacker exploits it and gains access to your manager's computer. That risk exists only when that specific service or application on the manager's computer is running and in a listening state for port 8181. Chances are pretty low, but just in case, keep that application up to date and apply its patches.
      Config looks fine, but there are some extra lines, such as

access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable

       The ASA is a stateful device that can inspect the traffic, knows the originator/initiator of the traffic, and automatically allows the return traffic for it. Do the following modification:

no access-list 100 extended permit icmp any any echo-reply
no access-list 100 extended permit icmp any any time-exceeded
no access-list 100 extended permit icmp any any unreachable

policy-map global_policy
    class inspection_default
         inspect icmp
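The ICMP change above as one complete fragment, added here as an example rather than as part of the original answer. It adds one line the answer does not mention, `inspect icmp error`: `inspect icmp` alone tracks echo/echo-reply as a session, while ICMP error inspection is what matches time-exceeded and unreachable messages from intermediate hops to the connection that triggered them and rewrites their NAT'd inner header. Since the ACL entries being removed were what let those messages in, enabling both keeps traceroute and unreachable feedback (including the fragmentation-needed messages path MTU discovery depends on) working. The interface name and ACL number are the ones in the posted config.

```cisco
! Remove the static ICMP return-traffic entries from the ACL that is
! applied inbound on the Public interface...
no access-list 100 extended permit icmp any any echo-reply
no access-list 100 extended permit icmp any any time-exceeded
no access-list 100 extended permit icmp any any unreachable
!
! ...and let the inspection engine permit replies statefully instead.
! "inspect icmp"       : echo/echo-reply become a tracked session, one
!                        reply per request with matching sequence numbers.
! "inspect icmp error" : time-exceeded and unreachable from intermediate
!                        hops are matched to the originating connection and
!                        their embedded inner header is un-NATed; without it
!                        those messages are now dropped, because the ACL no
!                        longer permits them.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verification: the inspect counters should increase while an inside host
! pings or traceroutes out, and ACL 100 should no longer carry ICMP entries.
show service-policy global inspect icmp
show access-list 100
```

After applying this, test from an inside host with a ping and a traceroute to an outside address and confirm that replies and per-hop time-exceeded messages both arrive; if the traceroute shows only the final hop, ICMP error inspection is not active.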



Thank you very much for your help. I appreciate you taking the time to explain your answers and provide such thorough solutions.