https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941042#M1105095 <P>I have an ASA (5520) with an outside, DMZ, and inside interface and I want to rate limit the traffic (5Mbps) coming from the outside going to a specific server on the DMZ (192.168.3.3).&nbsp;</P> <P>Never set this up before and it is a live production firewall so would like a sanity check please.&nbsp;</P> <P>I have this configuration -&nbsp;</P> <P>asa(config)# access-list WEB_SERVER permit ip any host 192.168.3.3<BR />asa(config)# class-map Web-Policy <BR />asa(config-cmap)# match access-list WEB-SERVER</P> <P>asa(config)# policy-map WEB <BR />asa(config-pmap)# class Web-Policy <BR />asa(config-pmap-c)# police 5000000 conform-action transmit exceed-action drop</P> <P>asa(config)# service-policy Web-Policy interface in DMZ&nbsp;</P> <P>1) will this work ?&nbsp;</P> <P>2) is the interface I have applied the service policy to the correct one or should it be the outside interface ?&nbsp;</P> <P>Thanks&nbsp;</P> <P>Jon</P> <P>&nbsp;</P> Mon, 16 Oct 2023 11:39:49 GMT Jon Marshall 2023-10-16T11:39:49Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941042#M1105095 <P>I have an ASA (5520) with an outside, DMZ, and inside interface and I want to rate limit the traffic (5Mbps) coming from the outside going to a specific server on the DMZ (192.168.3.3).&nbsp;</P> <P>Never set this up before and it is a live production firewall so would like a sanity check please.&nbsp;</P> <P>I have this configuration -&nbsp;</P> <P>asa(config)# access-list WEB_SERVER permit ip any host 192.168.3.3<BR />asa(config)# class-map Web-Policy <BR />asa(config-cmap)# match access-list WEB-SERVER</P> <P>asa(config)# policy-map WEB <BR />asa(config-pmap)# class Web-Policy <BR />asa(config-pmap-c)# police 5000000 conform-action transmit exceed-action drop</P> <P>asa(config)# service-policy Web-Policy interface in DMZ&nbsp;</P> <P>1) will this work ?&nbsp;</P> <P>2) is the interface I have applied the service policy to the correct one or should it be the outside interface ?&nbsp;</P> <P>Thanks&nbsp;</P> <P>Jon</P> <P>&nbsp;</P> Mon, 16 Oct 2023 11:39:49 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941042#M1105095 Jon Marshall 2023-10-16T11:39:49Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941044#M1105096 <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html</A></P> <P>Check thisb</P> Mon, 16 Oct 2023 11:43:49 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941044#M1105096 MHM Cisco World 2023-10-16T11:43:49Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941047#M1105097 <P>yes that should work as expected.</P> Mon, 16 Oct 2023 11:46:28 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941047#M1105097 balaji.bandi 2023-10-16T11:46:28Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941050#M1105098 <P>I did, that was the document I used <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> <P>Wasn't clear to me which interface to apply it to though, I am assuming rate limiting is done outbound by the looks of it.&nbsp;</P> Mon, 16 Oct 2023 11:48:44 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941050#M1105098 Jon Marshall 2023-10-16T11:48:44Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941053#M1105099 <P>""<SPAN>Finally attach the shaping policy to the interface on which to shape and prioritize <STRONG>outbound</STRONG> traffic""</SPAN></P> <P><SPAN>As cisco doc. It apply to interface outbound traffic. So it must be outside (nameif).</SPAN></P> Mon, 16 Oct 2023 11:56:07 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941053#M1105099 MHM Cisco World 2023-10-16T11:56:07Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941056#M1105100 <P>Looks like OP mentioned DMZ (i think he want to do in DMZ i guess)</P> <P>asa(config)# service-policy Web-Policy interface in<STRONG> DMZ&nbsp; ( syntax may be wrong, but that is what his intention i guess)<BR /></STRONG></P> Mon, 16 Oct 2023 12:00:27 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941056#M1105100 balaji.bandi 2023-10-16T12:00:27Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941214#M1105103 <P>I want to limit traffic going to a server in the DMZ so I assumed it would either be applied inbound on the outside interface or outbound on the DMZ interface but definitely not inbound on the DMZ interface as far as I can tell.&nbsp;</P> Mon, 16 Oct 2023 16:06:54 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941214#M1105103 Jon Marshall 2023-10-16T16:06:54Z https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941216#M1105104 <P>So outbound would be the DMZ interface in my case as I am not trying to limit traffic to the internet (which most of the examples seem to be about) but limit coming from the internet to a server in the DMZ.</P> <P>Jon</P> Mon, 16 Oct 2023 16:09:09 GMT https://community.cisco.com/t5/network-security/asa-rate-limiting/m-p/4941216#M1105104 Jon Marshall 2023-10-16T16:09:09Z