
Aug 20

Limiting connections rate for traffic destined on HTTP and HTTPS

In this example we restrict the number of connections arriving from the outside interface (Internet) on ports 80 and 443 towards the local environment. Setting up these limits protects the internal web servers against receiving too many connections, for example during DDoS and SYN-flood attacks.


We limit the maximum number of established connections to 1000 and the number of embryonic (half-open) connections to 200, but allow only 10 half-open and 20 established connections per client (a single source IP).


NOTE: When clients come through proxy servers that replace the source IP with their own, the per-client limits should be removed, or at least their values raised, to avoid dropping legitimate traffic.

Configuration example:

ASA1# conf t
ASA1(config)# access-list http_conn_limit extended permit tcp any any eq 80
ASA1(config)# access-list http_conn_limit extended permit tcp any any eq 443

ASA1(config)# class-map http_conn_limit_class
ASA1(config-cmap)# match access-list http_conn_limit
ASA1(config-cmap)# exit

ASA1(config)# policy-map http_conn_limit_map
ASA1(config-pmap)# class http_conn_limit_class
ASA1(config-pmap-c)# set connection conn-max 1000
ASA1(config-pmap-c)# set connection embryonic-conn-max 200
ASA1(config-pmap-c)# set connection per-client-embryonic-max 10
ASA1(config-pmap-c)# set connection per-client-max 20
ASA1(config-pmap-c)# exit
ASA1(config-pmap)# exit

ASA1(config)# service-policy http_conn_limit_map interface outside

ASA1(config)# end
ASA1# wr mem
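To see how the four limits in the policy-map above interact, here is an added Python model of the counters (this is illustration code written for this post, not Cisco code, and it simplifies the ASA: it assumes the embryonic limits are checked when a SYN arrives and the established limits when the handshake completes). The source addresses are constructed sample values. The single-client scenario is exactly the proxy case from the NOTE: every user behind one proxy IP shares the same 20-connection budget.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConnLimits:
    """The values from the post's 'set connection' commands."""
    conn_max: int = 1000
    embryonic_conn_max: int = 200
    per_client_embryonic_max: int = 10
    per_client_max: int = 20


@dataclass
class LimitState:
    """Simplified model of the per-class counters (assumption: embryonic limits
    are enforced at SYN time, established limits at handshake completion)."""
    limits: ConnLimits = field(default_factory=ConnLimits)
    embryonic: Counter = field(default_factory=Counter)    # src_ip -> half-open count
    established: Counter = field(default_factory=Counter)  # src_ip -> established count
    dropped: Counter = field(default_factory=Counter)      # limit name -> drop count

    def syn(self, src_ip: str) -> bool:
        """A SYN arrives from src_ip; admit it as half-open unless an embryonic limit is hit."""
        if sum(self.embryonic.values()) >= self.limits.embryonic_conn_max:
            self.dropped["embryonic-conn-max"] += 1
            return False
        if self.embryonic[src_ip] >= self.limits.per_client_embryonic_max:
            self.dropped["per-client-embryonic-max"] += 1
            return False
        self.embryonic[src_ip] += 1
        return True

    def handshake_complete(self, src_ip: str) -> bool:
        """The 3-way handshake finishes: move the connection from half-open to
        established unless an established-connection limit is hit."""
        if self.embryonic[src_ip] <= 0:
            raise ValueError(f"no half-open connection from {src_ip}")
        self.embryonic[src_ip] -= 1
        if sum(self.established.values()) >= self.limits.conn_max:
            self.dropped["conn-max"] += 1
            return False
        if self.established[src_ip] >= self.limits.per_client_max:
            self.dropped["per-client-max"] += 1
            return False
        self.established[src_ip] += 1
        return True


def open_connections(state: LimitState, src_ip: str, n: int) -> int:
    """Attempt n complete connections (SYN + handshake) from src_ip; return how many were admitted."""
    return sum(1 for _ in range(n) if state.syn(src_ip) and state.handshake_complete(src_ip))


def scenario_single_client(attempts: int = 25):
    """One source IP (e.g. a proxy fronting many users) opening many connections."""
    state = LimitState()
    admitted = open_connections(state, "198.51.100.10", attempts)
    return admitted, dict(state.dropped)


def scenario_syn_flood_one_source(syns: int = 50):
    """SYNs from one address that never complete the handshake."""
    state = LimitState()
    admitted = sum(state.syn("203.0.113.7") for _ in range(syns))
    return admitted, dict(state.dropped)


def scenario_distributed_syn_flood(sources: int = 250):
    """One never-completed SYN from each of many addresses (constructed 203.0.113.x)."""
    state = LimitState()
    admitted = sum(state.syn(f"203.0.113.{i}") for i in range(sources))
    return admitted, dict(state.dropped)


def scenario_many_clients(clients: int = 60, per_client: int = 20):
    """Many well-behaved clients that together exceed the global conn-max."""
    state = LimitState()
    admitted = sum(open_connections(state, f"198.51.100.{i}", per_client) for i in range(clients))
    return admitted, dict(state.dropped)


if __name__ == "__main__":
    print("single client / proxy:", scenario_single_client())        # (20, {'per-client-max': 5})
    print("SYN flood, one source:", scenario_syn_flood_one_source())  # (10, {'per-client-embryonic-max': 40})
    print("distributed SYN flood:", scenario_distributed_syn_flood()) # (200, {'embryonic-conn-max': 50})
    print("1200 legitimate conns:", scenario_many_clients())         # (1000, {'conn-max': 200})
```

The first scenario is the one to watch when tuning: 30 users behind one proxy address look to the ASA like a single client, so only 20 of them get through and the rest are counted as per-client-max drops, which is why the NOTE recommends raising or removing the per-client values in that situation.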
