Traffic Rate Limiting on Cisco ASA 5510?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Traffic Rate Limiting on Cisco ASA 5510?

    We have 4/4 Mbps of internet bandwidth on the outside interface. A few internal networks come in on the inside interface. How do we limit internet bandwidth usage for, let's say, the 10.1.103.0/24 network to 512/512 kbps? We tried the config shown below, but without luck. If we create subinterfaces for each VLAN, we can apply the policy on those interfaces and that works, but now we must do this for a few internal networks that reach the ASA on the inside interface.

    Should we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped), and what about burst size? What are policing output and input? Why isn't this working?

    With any combination of policy on the outside/inside interface and input/output (single or both) it doesn't work. Any suggestions?

    ASA Version 8.2(2)
    !
    hostname ASAfirewall
    enable password jbzGGb3hW4EV5FGM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.1.101.0 LAN description VlanPC
    name 10.1.100.0 Switches description Switches
    name 10.1.103.0 WirelessPrivate description WirelesusersPrivate
    dns-guard
    !
    interface Ethernet0/0
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/0.1
    vlan 51
    nameif outside
    security-level 0
    ip address 94.247.XXX.XXX 255.255.255.252
    !
    interface Ethernet0/1
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/1.1
    vlan 110
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.252
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    banner exec * WARNING *
    banner exec IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY!
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup management
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network Lan
    description VLAN PC
    object-group network NETWORK_OBJ_192.168.100.0_25
    object-group network PCtoNetGroup
    object-group network Net
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any
    access-list clinical_splitTunnelAcl standard permit LAN 255.255.255.0
    access-list NetAccess extended permit ip host 10.1.101.5 any
    access-list NetAccess extended permit ip host 10.1.101.30 any
    access-list NetAccess extended permit ip WirelessPrivate 255.255.255.0 any
    access-list NetAccess extended deny ip any any
    access-list VPNclinical_splitTunnelAcl standard permit LAN 255.255.255.0
    access-list VPNclinical_splitTunnelAcl standard permit Switches 255.255.255.0
    access-list VPNclinical_splitTunnelAcl_1 standard permit LAN 255.255.255.0
    access-list VPNclinical_splitTunnelAcl_2 standard permit LAN 255.255.255.0
    access-list VPNclinical_splitTunnelAcl_5 standard permit LAN 255.255.255.0
    access-list VPNclinical_splitTunnelAcl_3 standard permit LAN 255.255.255.0
    access-list VPNclinical_splitTunnelAcl_4 standard permit LAN 255.255.255.0
    access-list inside_nat0_outbound extended permit ip LAN 255.255.255.0 192.168.100.0 255.255.255.128
    access-list inside_nat0_outbound extended permit ip Switches 255.255.255.0 192.168.100.0 255.255.255.128
    access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.252 192.168.100.0 255.255.255.128
    access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 interface outside
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool VPNpool 192.168.100.1-192.168.100.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 LAN 255.255.255.0
    nat (inside) 1 WirelessPrivate 255.255.255.0
    access-group 101 in interface outside
    access-group NetAccess in interface inside
    route outside 0.0.0.0 0.0.0.0 94.247.XXX.XXX 1
    route inside Switches 255.255.255.0 10.1.1.2 1
    route inside LAN 255.255.255.0 10.1.1.2 1
    route inside WirelessPrivate 255.255.255.0 10.1.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http LAN 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 outside
    telnet LAN 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy DfltGrpPolicy attributes
    vpn-idle-timeout none
    group-policy VPNclinical internal
    group-policy VPNclinical attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNclinical_splitTunnelAcl
    group-policy VPNclients internal
    group-policy VPNclients attributes
    vpn-tunnel-protocol webvpn
    webvpn
    url-list none
    username xxxx password DyDq4NEbqGjfIfWL encrypted privilege 15
    username yyyy password GQ6EDJEzerx065iq encrypted privilege 15
    username zzzz password KCW0Chtpty2A/5kt encrypted
    username wwww password APYksyyt89fKLVDC encrypted privilege 15
    tunnel-group VPNclinical type remote-access
    tunnel-group VPNclinical general-attributes
    address-pool VPNpool
    default-group-policy VPNclinical
    tunnel-group VPNclinical ipsec-attributes
    pre-shared-key *****
    tunnel-group VPNclients type remote-access
    tunnel-group VPNclients general-attributes
    default-group-policy VPNclients
    !
    class-map rate-limit
    match access-list rate-limit-wireless
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect ip-options
    policy-map limit-policy
    class rate-limit
    police input 512000 96000
    police output 512000 96000
    !
    service-policy global_policy global
    service-policy limit-policy interface inside
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http ....
    destination address email .....
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:06dee49ed404601c3f296eeb8c691bb2
    : end
    asdm image disk0:/asdm-631.bin
    asdm location LAN 255.255.255.0 inside
    asdm location Switches 255.255.255.0 inside
    asdm location WirelessPrivate 255.255.255.0 inside
    no asdm history enable
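The post asks whether to police or shape and what the burst size means. The Python below is an added example, not code from the original post or from Cisco: it simulates the token bucket that both mechanisms use, with the committed rate of 512000 bit/s and burst of 96000 bytes taken from the posted `police` lines. A policer drops whatever finds the bucket empty, while a shaper delays it until enough tokens have accrued; the shaper's `max_delay_s` is an assumed queue bound, and the packet traces are constructed.

```python
"""Token-bucket policing vs. shaping, simulated.

Constructed example (not Cisco code): 512000 bit/s and 96000 bytes are the
rate and burst from the posted `police input/output 512000 96000` lines.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: int        # committed rate in bits per second
    burst_bytes: int     # bucket depth in bytes (the burst argument)
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def refill(self, now: float) -> None:
        # Tokens accrue at rate_bps/8 bytes per second, capped at the burst.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_t) * self.rate_bps / 8)
        self.last_t = now


def police(packets, rate_bps, burst_bytes):
    """Return (forwarded, dropped) for packets given as (arrival_s, bytes)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for t, size in packets:
        bucket.refill(t)
        if bucket.tokens >= size:
            bucket.tokens -= size
            forwarded += 1         # conform action: transmit
        else:
            dropped += 1           # exceed action: drop, no queueing
    return forwarded, dropped


def shape(packets, rate_bps, burst_bytes, max_delay_s):
    """Return (forwarded, dropped, worst_delay_s) for a FIFO shaper.

    A packet that would have to wait longer than max_delay_s (assumed queue
    bound) is tail-dropped, which models a finite shaping buffer.
    """
    bucket = TokenBucket(rate_bps, burst_bytes)
    bytes_per_s = rate_bps / 8
    forwarded = dropped = 0
    prev_depart = 0.0
    worst = 0.0
    for t, size in packets:
        start = max(t, prev_depart)        # FIFO: no overtaking earlier packets
        bucket.refill(start)
        deficit = size - bucket.tokens
        depart = start + (deficit / bytes_per_s if deficit > 0 else 0.0)
        delay = depart - t
        if delay > max_delay_s:
            dropped += 1                   # buffer exhausted
            continue
        bucket.refill(depart)              # by now the deficit has been earned
        bucket.tokens = max(0.0, bucket.tokens - size)
        prev_depart = depart
        worst = max(worst, delay)
        forwarded += 1
    return forwarded, dropped, worst


RATE_BPS = 512_000
BURST_BYTES = 96_000

# Constructed trace: 100 full-size packets arriving at once (150 kB burst).
BURST_TRACE = [(0.0, 1500)] * 100
# Constructed trace: a 1500-byte packet every 30 ms, i.e. 400 kbit/s steady.
STEADY_TRACE = [(i * 0.03, 1500) for i in range(100)]


def compare(trace, max_delay_s=1.0):
    """Run the same trace through a policer and a shaper and report both."""
    return {
        "police": police(trace, RATE_BPS, BURST_BYTES),
        "shape": shape(trace, RATE_BPS, BURST_BYTES, max_delay_s),
    }


if __name__ == "__main__":
    for name, trace in (("burst", BURST_TRACE), ("steady", STEADY_TRACE)):
        print(name, compare(trace))
```

With the 150 kB burst, the policer passes the first 64 packets (96000 bytes, one full bucket) and drops the other 36; the shaper passes all 100 but the last one leaves about 0.84 s late, and with a 0.5 s buffer bound it starts dropping as well. The steady 400 kbit/s trace passes both untouched because it never drains the bucket. That is the trade-off behind the question: policing costs retransmissions, shaping costs latency and buffer memory.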