topic ASA rate limit downloads from internet in Network Security

ASA rate limit downloads from internet

guy tec — Tue, 12 Mar 2019 02:59:48 GMT

Hi all,

I have a Cisco ASA 5512 that sits between my LAN and the internet (all traffic is natted/patted to the outside).

I have multiple subnets, each subnet has its own VLAN, and sub interface on the ASA.

Now I want to overcome that one of my subnets can fill the whole internet pipe (both download from the internet and upload to the internet)

If I understand it correctly I can do this with a service policy that does policing.

Now my question, on what interface do I need to apply the policy? and what kind of policing do I need, inbound and/or outbound?

Do I need 2 policys, one for the download limiting, one for the upload limiting?

ASA rate limit downloads from internet

Karsten Iwen — Mon, 04 Nov 2013 12:35:00 GMT

Yes, you can use policing for that. It can be done both in the inbound and outbound direction:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mpf_service_policy.html#wp1162717

Here is an example on how to activate it:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html#wp1221898

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA rate limit downloads from internet

guy tec — Mon, 04 Nov 2013 14:18:05 GMT

Thanks for your response, would the following work in my situation?

I don't have a problem configuring it, but I want to know that I am thinking about this correctly.

For example, I have 10Mbit upload and 20Mbit download from my ISP.

I have 2 internal subnets:

10.10.10.0/24 -> I want to limit upload to 5Mbit and download to 10Mbit

10.20.20.0/24 -> I want to limit upoad to 7Mbit and download to 15Mbit

I apply the following to my Outside interface (creating 4 policys):

1.1) police upload traffic subnet 1

ACL src = 10.10.10.0/24 | dest = any

Police outbound = 5Mbit

1.2) police download traffic subnet 1

ACL src = any | dest = 10.10.10.0/24

Police inbound = 10Mbit

2.1) police upload traffic subnet 2

ACL src = 10.20.20.0/24 | dest = any

Police outbound = 7Mbit

112) police download traffic subnet 2

ACL src = any | dest = 10.20.20.0/24

Police inbound = 15Mbit

Will this work?

Won't I run into issues with NAT/PAT concerning my ACL's

ASA rate limit downloads from internet

Karsten Iwen — Mon, 04 Nov 2013 15:07:54 GMT

Yes, that's a way it can be implemented. You could think about using a service-policy on the inside interface for outgoing traffic because it doesn't make any sense to first process the traffic in the ASA and later to drop it on the outside interface. But with your ASA you probably won't run into any performance problems.

NAT/PAT is handled transparently in your ASA-version. That was different in the versions < 8.3, but these are not available for your ASA.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni