EasyManuals Logo

Cisco ASA 5506-X Configuration Guide

Cisco ASA 5506-X
428 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #385 background imageLoading...
Page #385 background image
16-5
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 Connection Settings
Configure Connection Settings
Note Ensure that you set the embryonic connection limit lower than the TCP SYN backlog queue on the server
that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack.
To determine reasonable values for embryonic limits, carefully analyze the capacity of the server, the
network, and server usage.
The end-to-end process for protecting a server from a SYN flood attack involves setting connection
limits, enabling TCP Intercept statistics, and then monitoring the results.
Before You Begin
Ensure that you set the embryonic connection limit lower than the TCP SYN backlog queue on the
server that you want to protect. Otherwise, valid clients can no longer access the server during a
SYN attack. To determine reasonable values for embryonic limits, carefully analyze the capacity of
the server, the network, and server usage.
Depending on the number of CPU cores on your ASA model, the maximum concurrent and
embryonic connections can exceed the configured numbers due to the way each core manages
connections. In the worst case scenario, the ASA allows up to n-1 extra connections and embryonic
connections, where n is the number of cores. For example, if your model has 4 cores, if you
configure 6 concurrent connections and 4 embryonic connections, you could have an additional 3 of
each type. To determine the number of cores for your model, enter the show cpu core command.
Procedure
Step 1 Create an L3/L4 class map to identify the servers you are protecting. Use an access-list match.
class-map name
match parameter
Example:
hostname(config)# access-list servers extended permit tcp any host 10.1.1.5 eq http
hostname(config)# access-list servers extended permit tcp any host 10.1.1.6 eq http
hostname(config)# class-map protected-servers
hostname(config-cmap)# match access-list servers
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class
map.
policy-map name
class name
Example:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class protected-servers
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name. For the class map, specify the
class you created earlier in this procedure.
Step 3 Set the embryonic connection limits.
set connection embryonic-conn-max n—The maximum number of simultaneous embryonic
connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections.

Table of Contents

Other manuals for Cisco ASA 5506-X

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco ASA 5506-X and is the answer not in the manual?

Cisco ASA 5506-X Specifications

General IconGeneral
ModelASA 5506-X
Firewall Throughput750 Mbps
Maximum Firewall Connections50, 000
Maximum VPN Peers50
Integrated Ports8 x 1 GE
Stateful Inspection Throughput750 Mbps
Weight4.4 lb (2 kg)
Firewall Throughput (Multiprotocol)750 Mbps
Firewall Throughput (Application Visibility and Control AVC)250 Mbps
Concurrent Sessions50, 000
New Connections per Second10, 000
IPsec VPN Throughput100 Mbps
Interfaces8 x 1 GE
Memory4 GB
Flash Memory8 GB
Form FactorDesktop
VPN Throughput100 Mbps
Maximum Concurrent Sessions50, 000
New Sessions per Second10, 000
Operating Temperature32 to 104°F (0 to 40°C)
Storage Temperature-13 to 158°F (-25 to 70°C)
Power SupplyExternal
Humidity10% to 90% non-condensing

Related product manuals