topic Re: ASA policing issue in Network Security

ASA policing issue

gautamzone — Mon, 11 Mar 2019 19:51:24 GMT

Dear friends,

There is a requirement for a wireless guest subnet to be policed to 600 kbps while sending traffic to Internet.

The wireless guest subnet is 172.20.50.0/24 and is connected to inside interface of ASA.

A point to note is that this subnet is nat'ed out to ASA public interface. So the ASCII diagram would be:

Inside Outside

PAT

192.168.50.0/24 -------------->ASA--------------->Internet

My config is:

access-list wl-guest extended permit ip host 192.168.50.0 255.255.255.0 any

class-map wireless

match access-list wl-guest

policy-map my-policy

class wireless

police input 600000

service-policy my-policy interface inside

A few points:

1. Since i am nating, i am applying the policy to inside interface. I am not applying the policy to outside interface because that would probably match to the nat'ed ip, not the real ip.

2. I am saying police input. But i am wondering if police output is right? Examples always show that Internet destined traffic is policed using police output on outside interface.

3. I am not trying to control bandwidth inbound because i guess it is not possible? Because by the time traffic reaches the outside interface of ASA, it has consumed the bandwidth of the link.

Can anyone have a look and tell me if the above config is right?

Thanks a lot

Gautam

Re: ASA policing issue

PAUL GILBERT ARIAS — Wed, 16 Feb 2011 13:58:10 GMT

your configuration looks perfect. It should work correctly.

I want to share to you my running QoS config for my GUEST users. It is a little different but works great.

access-list GUEST extended permit ip any 172.16.138.0 255.255.255.0

class-map GUEST

match access-list GUEST

policy-map global_policy

class GUEST

police output 512000

service-policy global_policy global

Re: ASA policing issue

gautamzone — Wed, 16 Feb 2011 14:08:37 GMT

Dear Paul,

Thanks a lot for your kind advise.

In your case, i believe you are not nating/pating 172.16.138.0 subnet?

And i think that you are trying to police traffic destined to the 172.16.138.0 subnet, not sourced from the 172.16.138.0 subnet?

Thanks a lot

Gautam

Re: ASA policing issue

PAUL GILBERT ARIAS — Wed, 16 Feb 2011 14:28:08 GMT

Hi,

I am doing NAT, in my case my configuration is not the best one because I am applying the police for the returning traffic. It is a waste of resorces but that is just the way I originally made and never fixed it.

Your configuration is the correct config.

Both configs will work.

Re: ASA policing issue

gautamzone — Wed, 16 Feb 2011 14:49:33 GMT

Dear Paul,

Thanks a lot for your quick clarification.

Just wanted to make sure that i understand this correctly. Please correct me if i am wrong:

1. Police input on inside interface means policing traffic when it enters the inside interface. This policed traffic can be either DMZ or outside destined traffic. Right?

2. Police output on inside interface means policing traffic as it exits inside interface and either goes out to DMZ or outside. Right?

One last question: Does outbound / inbound policing on global or outside interface happen on pre-nat addresses or post-nat addresses?

Thanks a lot

Gautam

Re: ASA policing issue

PAUL GILBERT ARIAS — Wed, 16 Feb 2011 15:00:05 GMT

the answer to the first to questions is yes. You are correct.

On my case I have the configuration applied globally and when you do a show service-policy it shows the following:

Class-map: GUEST

Output police Interface outside:

cir 512000 bps, bc 16000 bytes

conformed 0 packets, 0 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps

Output police Interface inside:

cir 512000 bps, bc 16000 bytes

conformed 126893 packets, 82726717 bytes; actions: transmit

exceeded 3722 packets, 4670407 bytes; actions: drop

conformed 456 bps, exceed 24 bps

Output police Interface internet:

cir 512000 bps, bc 16000 bytes

conformed 0 packets, 0 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps

My police is applied outbound so it will apply that police to all interfaces going out. Since my ACL has the source ANY and destination the Guest subnet it is doing the police on the inside interface going out.

If you want it to do outbound police on the outside interface it will happen Post NAT that is what I wanted to apply it on the inside interface.

Re: ASA policing issue

gautamzone — Thu, 17 Feb 2011 05:51:25 GMT

Dear Paul,

Thanks a lot for the clarification.

Your answers were very clear and helpful.

Thanks a lot

Gautam

Re: ASA policing issue

PAUL GILBERT ARIAS — Thu, 17 Feb 2011 12:45:55 GMT

Glad to see your reply. I will appreciate if you mark this question as answered.

Sent from Cisco Technical Support iPhone App