The embryonic connection maximum limits should be used on a protocol-specific class, not on the global inspection policy. Maybe it is a good security hole but not necessarily a bug. It is a configuration error.

You can have http inspected in your global policy and apply connection limits after your global policy, and the connection limits will still take precedence over your inspection policy. This rule of thumb goes back to the MPF order of operations. You should not apply this in the manner you have below.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html#wp1142414

I will be the first to say I did not understand the order of operations for a long time myself. It was always a topic that confused me.

Instead do the following:

access-list TCP_EMB permit tcp any any
!
class-map TCP_EMB
 match access-list TCP_EMB
!
policy-map global_policy
 class TCP_EMB
  set conn embryonic ...

Then retest. You should see what you are looking for.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tsc...@ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Antonio Soares
Sent: Thursday, May 19, 2011 12:57 PM
To: 'CCIE Security Maillist'
Subject: [OSL | CCIE_Security] nmap and ASA Issue

I'm running nmap traversing the ASA.

With this service-policy, nmap shows all ports open:

++++++++++++++++++++++++++++++++++++++
policy-map global_policy
 class class-default
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
service-policy global_policy global
++++++++++++++++++++++++++++++++++++++

My setup:

Nmap---Outside---ASA---Inside---R4

Without the "set connection" option, I get the expected behavior:

++++++++++++++++++++++++++++++++++++++
amsoares@server2:~$ nmap 4.4.4.4

Starting Nmap 5.00 ( http://nmap.org ) at 2011-05-19 19:47 CEST
Interesting ports on 4.4.4.4:
Not shown: 999 closed ports
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 21.22 seconds
amsoares@server2:~$
++++++++++++++++++++++++++++++++++++++

Now with that "set connection" option, I get all ports open, no matter if the destination IP is up or down. Is this an ASA problem? I understand that I'm killing the port scanning with the "set connection" option, but I would expect to get all ports closed and not open. For some reason, the ASA sends back the SYN/ACK even if the destination IP is down.

The ASA is running 8.2.1.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
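The fix in the reply is to scope the embryonic limit to a protocol-specific class instead of class-default in the global policy. As an added example (not code from either poster), the Python script below audits an ASA running-config for exactly that pattern; the two embedded configs are constructed from the thread's snippets, and the parser assumes the one-space-per-level indentation of `show running-config` and does not handle `policy-map type inspect` blocks.

```python
"""Flag embryonic-connection limits applied to class-default in the global
service policy (the misconfiguration discussed in the thread). Added example,
not part of the original mailing-list post."""
import re

# Constructed sample: the original poster's policy, as quoted in the thread.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect http
 class class-default
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
service-policy global_policy global
"""

# Constructed sample: the limit moved to a TCP-specific class, per the reply.
FIXED_CONFIG = """\
access-list TCP_EMB extended permit tcp any any
class-map TCP_EMB
 match access-list TCP_EMB
policy-map global_policy
 class inspection_default
  inspect http
 class TCP_EMB
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
service-policy global_policy global
"""

EMBRYONIC_RE = re.compile(r"\bset connection\b.*\bembryonic")


def find_embryonic_limits(config: str):
    """Return (policy_map, class_name, line) for every embryonic limit found."""
    hits, policy, cls = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            policy, cls = line.split()[1], None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls and EMBRYONIC_RE.search(line):
            hits.append((policy, cls, line))
        elif not raw.startswith(" "):  # unindented line: left the policy-map
            policy = cls = None
    return hits


def global_policy_map(config: str):
    """Name of the policy-map applied with 'service-policy <name> global'."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    return m.group(1) if m else None


def audit(config: str):
    """Findings: embryonic limits on class-default in the global policy."""
    gpm = global_policy_map(config)
    return [f"{p}/{c}: '{l}' hits every flow; move it to a protocol-specific class"
            for p, c, l in find_embryonic_limits(config)
            if p == gpm and c == "class-default"]
```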