
Traffic Rate Limiting on Cisco ASA 5510?


  • Traffic Rate Limiting on Cisco ASA 5510?

    We have 4/4 Mbps of internet bandwidth on the outside interface. A few internal networks come in on the inside interface. How do we limit internet bandwidth usage so that, let's say, one network can use 512/512 kbps? We tried the config shown below, but without luck. If we create subinterfaces for each VLAN, we can apply the policy on those interfaces and that works, but now we must do it for a few internal networks coming to the ASA on the inside interface.

    Should we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped), and what about burst size? What are policing output and input? Why isn't this working?

    With any combination of policy on the outside/inside interface and input/output (single or both) it doesn't work. Any suggestions?

    ASA Version 8.2(2)
    hostname ASAfirewall
    enable password jbzGGb3hW4EV5FGM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    name LAN description VlanPC
    name Switches description Switches
    name WirelessPrivate description WirelesusersPrivate
    interface Ethernet0/0
    no nameif
    no security-level
    no ip address
    interface Ethernet0/0.1
    vlan 51
    nameif outside
    security-level 0
    ip address 94.247.XXX.XXX
    interface Ethernet0/1
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1.1
    vlan 110
    nameif inside
    security-level 100
    ip address
    interface Ethernet0/2
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address
    banner exec * WARNING *
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup management
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network Lan
    description VLAN PC
    object-group network NETWORK_OBJ_192.168.100.0_25
    object-group network PCtoNetGroup
    object-group network Net
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any
    access-list clinical_splitTunnelAcl standard permit LAN
    access-list NetAccess extended permit ip host any
    access-list NetAccess extended permit ip host any
    access-list NetAccess extended permit ip WirelessPrivate any
    access-list NetAccess extended deny ip any any
    access-list VPNclinical_splitTunnelAcl standard permit LAN
    access-list VPNclinical_splitTunnelAcl standard permit Switches
    access-list VPNclinical_splitTunnelAcl_1 standard permit LAN
    access-list VPNclinical_splitTunnelAcl_2 standard permit LAN
    access-list VPNclinical_splitTunnelAcl_5 standard permit LAN
    access-list VPNclinical_splitTunnelAcl_3 standard permit LAN
    access-list VPNclinical_splitTunnelAcl_4 standard permit LAN
    access-list inside_nat0_outbound extended permit ip LAN
    access-list inside_nat0_outbound extended permit ip Switches
    access-list inside_nat0_outbound extended permit ip
    access-list rate-limit-wireless extended permit ip WirelessPrivate interface outside
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool VPNpool mask
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 LAN
    nat (inside) 1 WirelessPrivate
    access-group 101 in interface outside
    access-group NetAccess in interface inside
    route outside 94.247.XXX.XXX 1
    route inside Switches 1
    route inside LAN 1
    route inside WirelessPrivate 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http outside
    http LAN inside
    http management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet outside
    telnet LAN inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    enable outside
    group-policy DfltGrpPolicy attributes
    vpn-idle-timeout none
    group-policy VPNclinical internal
    group-policy VPNclinical attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNclinical_splitTunnelAcl
    group-policy VPNclients internal
    group-policy VPNclients attributes
    vpn-tunnel-protocol webvpn
    url-list none
    username xxxx password DyDq4NEbqGjfIfWL encrypted privilege 15
    username yyyy password GQ6EDJEzerx065iq encrypted privilege 15
    username zzzz password KCW0Chtpty2A/5kt encrypted
    username wwww password APYksyyt89fKLVDC encrypted privilege 15
    tunnel-group VPNclinical type remote-access
    tunnel-group VPNclinical general-attributes
    address-pool VPNpool
    default-group-policy VPNclinical
    tunnel-group VPNclinical ipsec-attributes
    pre-shared-key *****
    tunnel-group VPNclients type remote-access
    tunnel-group VPNclients general-attributes
    default-group-policy VPNclients
    class-map rate-limit
    match access-list rate-limit-wireless
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect ip-options
    policy-map limit-policy
    class rate-limit
    police input 512000 96000
    police output 512000 96000
    service-policy global_policy global
    service-policy limit-policy interface inside
    prompt hostname context
    profile CiscoTAC-1
    no active
    destination address http ....
    destination address email .....
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    : end
    asdm image disk0:/asdm-631.bin
    asdm location LAN inside
    asdm location Switches inside
    asdm location WirelessPrivate inside
    no asdm history enable
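The post asks what burst size means and how policing differs from shaping. The following is an added illustration, not the poster's configuration or any Cisco code: a token-bucket model using the numbers from the posted `police input 512000 96000` line, where the ASA `police` command takes the conform rate in bits per second and the burst in bytes. With a policer, a 300 kB burst of full-size frames gets 64 frames through (96000 bytes of bucket) and drops the rest; a shaper with the same parameters drops nothing but delays the tail by about 3.2 s, and a full 96000-byte bucket is 1.5 s of traffic at 512 kb/s. The class `TokenBucket` and the packet list `SAMPLE_BURST` are constructed for this example. One thing worth checking against the posted config, independent of the model: in ASA access-list syntax `interface outside` names the outside interface's own address, so `rate-limit-wireless` only matches traffic addressed to the firewall itself, not traffic from WirelessPrivate out to the internet.

```python
"""Token-bucket model of ASA-style policing versus shaping.

Added illustration, not the poster's configuration or Cisco code. It assumes
a single-rate, single-bucket policer like the ASA `police` command: the
conform rate is in bits per second and the burst in bytes, which matches the
`police input 512000 96000` line in the post.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RATE_BPS = 512_000      # conform-rate from the post (bits per second)
BURST_BYTES = 96_000    # conform-burst from the post (bytes)


@dataclass
class TokenBucket:
    """Bucket that refills at rate_bps/8 bytes per second, capped at burst_bytes."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def _refill(self, now: float) -> float:
        # Packets are processed in time order; never let the clock go backwards.
        now = max(now, self.last)
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        return now

    def police(self, now: float, size: int) -> bool:
        """Policer: forward if tokens cover the packet, otherwise drop it."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def shape(self, now: float, size: int) -> float:
        """Shaper: never drop; hold the packet until enough tokens exist.

        Returns the departure time in seconds."""
        if size > self.burst_bytes:
            raise ValueError("packet larger than burst can never conform")
        now = self._refill(now)
        if size > self.tokens:
            wait = (size - self.tokens) * 8 / self.rate_bps
            now = self._refill(now + wait)   # after the wait, tokens == size
        self.tokens -= size
        return now


def burst_duration_s(rate_bps: int, burst_bytes: int) -> float:
    """Seconds of line-rate traffic a full bucket allows: 96000 B at 512 kb/s is 1.5 s."""
    return burst_bytes * 8 / rate_bps


def simulate_policer(packets, rate_bps, burst_bytes) -> Tuple[int, int]:
    """Return (forwarded, dropped) for a list of (arrival_time_s, size_bytes)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for t, size in packets:
        if bucket.police(t, size):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def simulate_shaper(packets, rate_bps, burst_bytes) -> List[float]:
    """Return the departure time of every packet; nothing is dropped, only delayed."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return [bucket.shape(t, size) for t, size in packets]


# Constructed input: a 300 kB burst of 200 full-size frames all arriving at t=0.
SAMPLE_BURST = [(0.0, 1500)] * 200

if __name__ == "__main__":
    fwd, drop = simulate_policer(SAMPLE_BURST, RATE_BPS, BURST_BYTES)
    departures = simulate_shaper(SAMPLE_BURST, RATE_BPS, BURST_BYTES)
    print(f"policer: {fwd} forwarded, {drop} dropped")
    print(f"shaper: all {len(departures)} forwarded, last delayed {departures[-1]:.4f} s")
    print(f"a full bucket covers {burst_duration_s(RATE_BPS, BURST_BYTES)} s at line rate")
```

The model shows why the choice matters for the poster's use case: a policer on a TCP-heavy network turns every burst above the bucket into packet loss and retransmission, whereas a shaper smooths the burst by queuing it. The ASA `police` command is the policer case; the burst value only decides how much of a burst passes before drops start, it does not change the long-term rate.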