Cisco Notes
Static NAT
192.168.1.100 = private (real) IP /// 192.166.1.101 = public (mapped) IP
Note: on ASA 8.3 and later the access-list references the real (private) address, because the ASA un-NATs the destination before the inbound ACL is evaluated. The ACL below permits every TCP port on the host; in practice restrict it to the ports the host actually serves.
access-list inbound permit tcp any host 192.168.1.100
access-group inbound in interface outside
object network obj-192.168.1.100
host 192.168.1.100
nat (inside,outside) static 192.166.1.101
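Added example, not from the original notes: the same static NAT with the inbound ACL narrowed to the two published ports, followed by the commands used to check that the translation and the ACL behave as intended. Assumptions: ASA 8.3 or later, interfaces named inside and outside, the private/public pair from above, and a constructed client address 203.0.113.5 (TEST-NET-3) for the trace.

```cisco
! Added example (not from the original notes). ASA 8.3+ assumed.
! Static, bidirectional translation: 192.168.1.100 <-> 192.166.1.101.
object network obj-192.168.1.100
 host 192.168.1.100
 nat (inside,outside) static 192.166.1.101
!
! Inbound ACL uses the real address and only the published services.
! "permit tcp any host 192.168.1.100" with no port would expose every listener.
access-list inbound extended permit tcp any host 192.168.1.100 eq 80
access-list inbound extended permit tcp any host 192.168.1.100 eq 443
access-group inbound in interface outside
!
! Checks (constructed client 203.0.113.5):
! translate_hits / untranslate_hits counters for the static rule
show nat detail
! the static xlate entry 192.168.1.100 -> 192.166.1.101
show xlate
! per-ACE hit counts
show access-list inbound
! expected result: Action: allow (UN-NAT phase rewrites 192.166.1.101 to 192.168.1.100)
packet-tracer input outside tcp 203.0.113.5 40000 192.166.1.101 443
! expected result: Action: drop, Drop-reason: acl-drop (port not permitted)
packet-tracer input outside tcp 203.0.113.5 40000 192.166.1.101 22
```

Because the translation is static it also applies outbound: connections initiated by 192.168.1.100 leave the outside interface sourced from 192.166.1.101, so the same object covers both directions.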
Object Groups ASA
object-group service http-protocols tcp
port-object eq 80
port-object eq 443
object-group network webservers
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols
access-group OUTSIDE-IN in interface outside
packet-tracer
packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8
packet-tracer input outside tcp 8.8.8.8 53 192.166.1.101 80
Syntax: packet-tracer input <interface> <protocol> <src> [<sport> | <icmp-type> <icmp-code>] <dst> [<dport>]. The addresses are those of the packet as it arrives on the interface, so for an inbound test through the static NAT above the destination is the mapped (public) address; the UN-NAT phase of the trace rewrites it to 192.168.1.100 before the ACL is checked. The last lines of the output (Action: allow/drop and, on a drop, the Drop-reason) are the result to read.
Mitigating DoS / spam attack traffic on a Cisco ASA
DEFINE TRAFFIC
First of all we define which traffic the MPF policy will be applied to. The access-list below matches all IP traffic, so the connection limits will apply to every connection on the interface the policy is later attached to. To exempt a host such as 8.8.8.8, add a deny entry for it ahead of the permit: a deny in a class-map match ACL does not block the traffic, it only keeps it out of the class.
cisco-asa(config)# access-list mpf-policy-acl extended permit ip any any
CREATE CLASS-MAP
Next we assign the previously created access-list to a class-map.
cisco-asa(config)# class-map mpf-policy
cisco-asa(config-cmap)# match access-list mpf-policy-acl
cisco-asa(config-cmap)# exit
CREATE POLICY-MAP
Then a policy-map is created and the necessary connection limits defined. conn-max caps the total number of established TCP/UDP connections for the class and embryonic-conn-max the total number of half-open (SYN-only) TCP connections; the per-client-* variants apply the same caps per source address. Once the embryonic limit is reached the ASA stops passing SYNs to the server and proxies new handshakes itself (TCP Intercept with SYN cookies), completing the connection to the server only for clients that finish the handshake.
cisco-asa(config)# policy-map mpf-policy-map
cisco-asa(config-pmap)# class mpf-policy
cisco-asa(config-pmap-c)# set connection conn-max 9500
cisco-asa(config-pmap-c)# set connection embryonic-conn-max 5000
cisco-asa(config-pmap-c)# set connection per-client-embryonic-max 100
cisco-asa(config-pmap-c)# set connection per-client-max 300
cisco-asa(config-pmap-c)# exit
cisco-asa(config-pmap)# exit
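Added example, not from the original notes: the connection-limit policy written out end to end, with the host 8.8.8.8 exempted, an embryonic timeout set, and the policy actually attached to an interface, since nothing above takes effect until a service-policy command applies it. Assumptions: interface named outside, the limit values from above (tune them to the real server capacity), and that the default global_policy already occupies the single global service-policy slot.

```cisco
! Added example (not from the original notes).
! 1. Traffic definition. ACEs are evaluated top-down; a deny here only keeps
!    the traffic out of the class, it does not drop it.
access-list mpf-policy-acl extended deny ip host 8.8.8.8 any
access-list mpf-policy-acl extended deny ip any host 8.8.8.8
access-list mpf-policy-acl extended permit ip any any
!
! 2. Class: everything the ACL permits
class-map mpf-policy
 match access-list mpf-policy-acl
!
! 3. Policy: totals for the whole class, then per-source-address limits.
!    Values are assumed; size them to what the protected servers can hold.
policy-map mpf-policy-map
 class mpf-policy
  set connection conn-max 9500
  set connection embryonic-conn-max 5000
  set connection per-client-embryonic-max 100
  set connection per-client-max 300
  ! shorter half-open timeout (default 0:00:30) frees SYN-flood state faster
  set connection timeout embryonic 0:00:20
!
! 4. Attach the policy. Per-interface here; "global" is the alternative but
!    only one global policy may exist (normally global_policy).
service-policy mpf-policy-map interface outside
!
! 5. Verification
! shows the class, the configured limits and current/max counters
show service-policy interface outside
! current connection count through the ASA
show conn count
! drop reasons such as conn-limit / per-client-limit once limits are hit
show asp drop
```

The two deny entries exempt 8.8.8.8 in both directions; drop the second one if only connections it initiates should be exempt. Counters in show service-policy and the conn-limit drop reasons in show asp drop are the quickest way to see whether the limits are being reached in normal operation, which usually means they are set too low rather than that an attack is under way.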