Apollo77
Technical User
- Sep 9, 2010
- 18
We have internet bandwidth 4/4 Mbps on outside interface. To inside interface are coming few internal network. How to limit internet bandwith usage for let's say 10.1.103.0/24 network to use 512/512 kbps. We tried as shown below in config but without luck. If we create subinterfaces for each vlan, we can apply policy on interfaces and that's working, but now we must do that on few internal networks coming to ASA on inside interface.
Are we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped) and what about burst size? What is policing output and input? Why isn't this working?
With any combination using policy on outside/inside interface and input/output (single or both) it doesn't work? Any suggestions?
ASA Version 8.2(2)
!
hostname ASAfirewall
enable password jbzGGb3hW4EV5FGM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.101.0 LAN description VlanPC
name 10.1.100.0 Switches description Switches
name 10.1.103.0 WirelessPrivate description WirelesusersPrivate
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 51
nameif outside
security-level 0
ip address 94.247.XXX.XXX 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 110
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec * WARNING *
banner exec IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Lan
description VLAN PC
object-group network NETWORK_OBJ_192.168.100.0_25
object-group network PCtoNetGroup
object-group network Net
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any
access-list clinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list NetAccess extended permit ip host 10.1.101.5 any
access-list NetAccess extended permit ip host 10.1.101.30 any
access-list NetAccess extended permit ip WirelessPrivate 255.255.255.0 any
access-list NetAccess extended deny ip any any
access-list VPNclinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl standard permit Switches 255.255.255.0
access-list VPNclinical_splitTunnelAcl_1 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_2 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_5 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_3 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_4 standard permit LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.255.0 192.168.100.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Switches 255.255.255.0 192.168.100.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.252 192.168.100.0 255.255.255.128
access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 interface outside
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool 192.168.100.1-192.168.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LAN 255.255.255.0
nat (inside) 1 WirelessPrivate 255.255.255.0
access-group 101 in interface outside
access-group NetAccess in interface inside
route outside 0.0.0.0 0.0.0.0 94.247.XXX.XXX 1
route inside Switches 255.255.255.0 10.1.1.2 1
route inside LAN 255.255.255.0 10.1.1.2 1
route inside WirelessPrivate 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http LAN 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy VPNclinical internal
group-policy VPNclinical attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNclinical_splitTunnelAcl
group-policy VPNclients internal
group-policy VPNclients attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username xxxx password DyDq4NEbqGjfIfWL encrypted privilege 15
username yyyy password GQ6EDJEzerx065iq encrypted privilege 15
username zzzz password KCW0Chtpty2A/5kt encrypted
username w APYksyyt89fKLVDC encrypted privilege 15
tunnel-group VPNclinical type remote-access
tunnel-group VPNclinical general-attributes
address-pool VPNpool
default-group-policy VPNclinical
tunnel-group VPNclinical ipsec-attributes
pre-shared-key *****
tunnel-group VPNclients type remote-access
tunnel-group VPNclients general-attributes
default-group-policy VPNclients
!
class-map rate-limit
match access-list rate-limit-wireless
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
policy-map limit-policy
class rate-limit
police input 512000 96000
police output 512000 96000
!
service-policy global_policy global
service-policy limit-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http ....
destination address email .....
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:06dee49ed404601c3f296eeb8c691bb2
: end
asdm image disk0:/asdm-631.bin
asdm location LAN 255.255.255.0 inside
asdm location Switches 255.255.255.0 inside
asdm location WirelessPrivate 255.255.255.0 inside
no asdm history enable
Are we apply traffic shaping (limit the flow of traffic) or traffic policing (traffic that exceeds the speed limit on the interface is dropped) and what about burst size? What is policing output and input? Why isn't this working?
With any combination using policy on outside/inside interface and input/output (single or both) it doesn't work? Any suggestions?
ASA Version 8.2(2)
!
hostname ASAfirewall
enable password jbzGGb3hW4EV5FGM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.101.0 LAN description VlanPC
name 10.1.100.0 Switches description Switches
name 10.1.103.0 WirelessPrivate description WirelesusersPrivate
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 51
nameif outside
security-level 0
ip address 94.247.XXX.XXX 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 110
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec * WARNING *
banner exec IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Lan
description VLAN PC
object-group network NETWORK_OBJ_192.168.100.0_25
object-group network PCtoNetGroup
object-group network Net
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any
access-list clinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list NetAccess extended permit ip host 10.1.101.5 any
access-list NetAccess extended permit ip host 10.1.101.30 any
access-list NetAccess extended permit ip WirelessPrivate 255.255.255.0 any
access-list NetAccess extended deny ip any any
access-list VPNclinical_splitTunnelAcl standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl standard permit Switches 255.255.255.0
access-list VPNclinical_splitTunnelAcl_1 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_2 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_5 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_3 standard permit LAN 255.255.255.0
access-list VPNclinical_splitTunnelAcl_4 standard permit LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.255.0 192.168.100.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip Switches 255.255.255.0 192.168.100.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.252 192.168.100.0 255.255.255.128
access-list rate-limit-wireless extended permit ip WirelessPrivate 255.255.255.0 interface outside
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool 192.168.100.1-192.168.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LAN 255.255.255.0
nat (inside) 1 WirelessPrivate 255.255.255.0
access-group 101 in interface outside
access-group NetAccess in interface inside
route outside 0.0.0.0 0.0.0.0 94.247.XXX.XXX 1
route inside Switches 255.255.255.0 10.1.1.2 1
route inside LAN 255.255.255.0 10.1.1.2 1
route inside WirelessPrivate 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http LAN 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy VPNclinical internal
group-policy VPNclinical attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNclinical_splitTunnelAcl
group-policy VPNclients internal
group-policy VPNclients attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username xxxx password DyDq4NEbqGjfIfWL encrypted privilege 15
username yyyy password GQ6EDJEzerx065iq encrypted privilege 15
username zzzz password KCW0Chtpty2A/5kt encrypted
username w APYksyyt89fKLVDC encrypted privilege 15
tunnel-group VPNclinical type remote-access
tunnel-group VPNclinical general-attributes
address-pool VPNpool
default-group-policy VPNclinical
tunnel-group VPNclinical ipsec-attributes
pre-shared-key *****
tunnel-group VPNclients type remote-access
tunnel-group VPNclients general-attributes
default-group-policy VPNclients
!
class-map rate-limit
match access-list rate-limit-wireless
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
policy-map limit-policy
class rate-limit
police input 512000 96000
police output 512000 96000
!
service-policy global_policy global
service-policy limit-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http ....
destination address email .....
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:06dee49ed404601c3f296eeb8c691bb2
: end
asdm image disk0:/asdm-631.bin
asdm location LAN 255.255.255.0 inside
asdm location Switches 255.255.255.0 inside
asdm location WirelessPrivate 255.255.255.0 inside
no asdm history enable