AXISHK
asked on
Class Maps and Policy Maps on ASA
How should the access-list and policy map be configured on the ASA to limit users from spawning hundreds of connections from their P2P clients?
Thanks
ASKER
Thanks,
Is there a way to restrict only the UDP connections per user, as per-client-max only sets the number of connections for TCP + UDP, correct?
How does the ASA know a unique client? Does it identify each client by IP address?
Thanks
It is identified by IP.
[Conn-max n] would set total UDP connections, where [per-client-max] sets total connections per client TCP and UDP....
I suppose the best way would be to define an ACL that only matches UDP traffic....
Following the example:
ASA(config)# access-list CONNS-ACL extended permit udp any 10.1.1.1 255.255.255.255
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL
Then create the per-client-max for total connections, which should only limit UDP since that was all that was matched in the ACL...
Sounds like it should work in theory....
ASKER
Thanks, it seems to work.
One more question: suppose the current max connection count has reached 50 and there is a new UDP connection; will the ASA drop it, or replace the longest one in the conn table with it?
So when will the UDP connection time out? Is there a way to control that?
Thanks
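Putting the ACL and class-map from the answer above together with the policy-map and service-policy they still need, as a complete configuration. This is an added example, not something posted in the thread: the object names, the 192.0.2.0/24 inside subnet, the interface name "inside" and the limit of 50 are constructed, the ACL matches inside clients to any destination rather than the single host in the answer, and the "set connection timeout idle" form assumes ASA 8.x or later syntax. It also shows the per-class idle timer that controls how quickly abandoned UDP entries leave the conn table.

```cisco
! Added example (not from the thread): per-client UDP connection cap on a Cisco ASA.
! Assumptions: inside user subnet 192.0.2.0/24 (constructed), interface "inside",
! ASA 8.x+ syntax for "set connection timeout idle".
!
! 1. Match only UDP from the inside clients, so TCP flows are not counted.
access-list P2P-UDP-ACL extended permit udp 192.0.2.0 255.255.255.0 any
!
! 2. Put the matched traffic in a class.
class-map P2P-UDP-MAP
 match access-list P2P-UDP-ACL
!
! 3. Cap connections per source IP. per-client-max itself counts TCP+UDP,
!    but this class only contains UDP, so the effect is a UDP-only cap.
!    A new flow over the limit is denied (not swapped for an existing entry)
!    and logged as syslog %ASA-3-201013 "Per-client connection limit exceeded".
!    The idle timer below replaces the global default for this class only
!    (the global value is set with "timeout udp", default 0:02:00).
policy-map P2P-UDP-POLICY
 class P2P-UDP-MAP
  set connection per-client-max 50
  set connection timeout idle 0:01:00
!
! 4. Apply on the interface facing the users (or use "global" instead).
service-policy P2P-UDP-POLICY interface inside
!
! Verification:
!   show service-policy interface inside set connection
!   show conn address 192.0.2.10 protocol udp
!   show logging | include 201013
```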
ASKER CERTIFIED SOLUTION
http://www.cisco-tips.com/configuring-connection-limits-on-cisco-asa-firewalls-protect-from-dos/