Cisco ASA: Configuring Connection Limits


The Cisco ASA Firewall is capable of protecting your network from Denial of Service attacks (DoS), SYN floods, and TCP excessive connection attacks. In this example we will learn how to configure connection limits towards a specific host on your LAN.


configure terminal
! Match all IP traffic destined to the protected host 192.168.1.1
access-list example-acl extended permit ip any 192.168.1.1 255.255.255.255
class-map example-map
  match access-list example-acl
policy-map example-policy
  class example-map
    ! Allow at most 10 simultaneous TCP/UDP connections to the host
    set connection conn-max 10
! Apply the policy on all interfaces
service-policy example-policy global


The set connection command has a few options:


set connection {[conn-max n] [embryonic-conn-max n]
[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}


conn-max sets the maximum number of simultaneous TCP and/or UDP connections allowed.
embryonic-conn-max sets the maximum number of simultaneous embryonic connections allowed per client.
per-client-embryonic-max sets the maximum number of simultaneous embryonic connections allowed per client.
per-client-max sets the maximum number of simultaneous connections allowed per client.
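To make the difference between the total and per-client limits, and between embryonic (half-open) and established connections, concrete, here is an added Python model of the admission rules described above. It is an illustration written for this page, not Cisco code or ASA output: the connection-table class, the constructed source addresses (203.0.113.5 and 198.51.100.7, from the documentation ranges) and the assumption that a half-open connection occupies a slot that counts toward conn-max and per-client-max are all the example's own.

```python
"""Model of how the Cisco ASA 'set connection' limits admit or drop new flows.

Added illustration, not Cisco code or output. It reproduces the counting rules
the text describes (total vs. per-client, embryonic vs. established) on
constructed traffic. Modelling assumption: a half-open connection occupies a
conn-table slot and therefore counts toward conn-max and per-client-max too.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class ConnectionLimits:
    """The four numeric 'set connection' knobs; 0 means no limit, as on the ASA."""
    conn_max: int = 0
    embryonic_conn_max: int = 0
    per_client_max: int = 0
    per_client_embryonic_max: int = 0

    def as_cli(self) -> str:
        """Render the equivalent policy-map class line using the keywords from the text."""
        keywords = [
            ("conn-max", self.conn_max),
            ("embryonic-conn-max", self.embryonic_conn_max),
            ("per-client-max", self.per_client_max),
            ("per-client-embryonic-max", self.per_client_embryonic_max),
        ]
        return "set connection " + " ".join(f"{k} {v}" for k, v in keywords if v)


class ConnectionTable:
    """Tracks half-open (embryonic) and established connections per client IP."""

    def __init__(self, limits: ConnectionLimits):
        self.limits = limits
        self.embryonic = defaultdict(int)    # client ip -> half-open count
        self.established = defaultdict(int)  # client ip -> completed count
        self.dropped = []                    # (client ip, limit that rejected it)

    def _limit_hit(self, client: str):
        """Return the name of the first limit a new SYN from `client` would exceed."""
        lim = self.limits
        all_embryonic = sum(self.embryonic.values())
        all_total = all_embryonic + sum(self.established.values())
        client_total = self.embryonic[client] + self.established[client]
        checks = [
            ("conn-max", lim.conn_max, all_total),
            ("embryonic-conn-max", lim.embryonic_conn_max, all_embryonic),
            ("per-client-max", lim.per_client_max, client_total),
            ("per-client-embryonic-max", lim.per_client_embryonic_max, self.embryonic[client]),
        ]
        for name, limit, current in checks:
            if limit and current >= limit:
                return name
        return None

    def syn(self, client: str) -> bool:
        """A new SYN opens a half-open connection unless a limit is already reached."""
        reason = self._limit_hit(client)
        if reason:
            self.dropped.append((client, reason))
            return False
        self.embryonic[client] += 1
        return True

    def handshake_complete(self, client: str) -> None:
        """The final ACK of the 3-way handshake turns a half-open flow into an established one."""
        if self.embryonic[client] == 0:
            raise ValueError(f"no half-open connection from {client}")
        self.embryonic[client] -= 1
        self.established[client] += 1


def demo_per_client_embryonic() -> dict:
    """Constructed traffic: one source sends SYNs it never completes, one behaves."""
    table = ConnectionTable(ConnectionLimits(conn_max=10, per_client_embryonic_max=3))
    flood_src, good_src = "203.0.113.5", "198.51.100.7"  # constructed addresses
    flood_accepted = sum(table.syn(flood_src) for _ in range(8))
    legit_established = 0
    for _ in range(4):
        if table.syn(good_src):
            table.handshake_complete(good_src)
            legit_established += 1
    return {
        "flood_accepted": flood_accepted,
        "flood_dropped": 8 - flood_accepted,
        "legit_established": legit_established,
        "drop_reasons": dict(Counter(reason for _, reason in table.dropped)),
    }


def demo_conn_max() -> tuple:
    """With only conn-max 10 (the page's example), the 11th and 12th flows are refused."""
    table = ConnectionTable(ConnectionLimits(conn_max=10))
    accepted = sum(table.syn("198.51.100.7") for _ in range(12))
    return accepted, len(table.dropped)


if __name__ == "__main__":
    print(ConnectionLimits(conn_max=10, per_client_embryonic_max=3).as_cli())
    print(demo_per_client_embryonic())
    print(demo_conn_max())
```

The first scenario shows why the per-client variants matter for a server: the flooding source is capped at 3 half-open connections, so the 10-connection total is never exhausted and the legitimate client still completes all four sessions. The second shows that conn-max alone is a shared budget across every source, so a low value like 10 on a busy host can be used up by one client and then refuses everyone else. Two caveats on the real appliance that the model deliberately leaves out: the ASA also ages out embryonic connections with a timeout, and when an embryonic limit is reached it proxies the handshake (TCP Intercept) rather than simply dropping the SYN as the model does.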
