Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2607
Views
2
Helpful
7
Replies

ASA rate limiting

Jon Marshall
Hall of Fame
Hall of Fame

‎10-16-2023 04:39 AM

I have an ASA (5520) with an outside, DMZ, and inside interface and I want to rate limit the traffic (5Mbps) coming from the outside going to a specific server on the DMZ (192.168.3.3). 

Never set this up before and it is a live production firewall so would like a sanity check please. 

I have this configuration - 

asa(config)# access-list WEB_SERVER permit ip any host 192.168.3.3
asa(config)# class-map Web-Policy
asa(config-cmap)# match access-list WEB-SERVER

asa(config)# policy-map WEB
asa(config-pmap)# class Web-Policy
asa(config-pmap-c)# police 5000000 conform-action transmit exceed-action drop

asa(config)# service-policy Web-Policy interface in DMZ 

1) will this work ? 

2) is the interface I have applied the service policy to the correct one or should it be the outside interface ? 

Thanks 

Jon

 

0 Helpful
7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎10-16-2023 04:48 AM

I did, that was the document I used  

Wasn't clear to me which interface to apply it to though, I am assuming rate limiting is done outbound by the looks of it. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Jon Marshall

‎10-16-2023 04:56 AM

""Finally attach the shaping policy to the interface on which to shape and prioritize outbound traffic""

As cisco doc. It apply to interface outbound traffic. So it must be outside (nameif).

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎10-16-2023 04:59 AM - edited ‎10-16-2023 05:00 AM

Looks like OP mentioned DMZ (i think he want to do in DMZ i guess)

asa(config)# service-policy Web-Policy interface in DMZ  ( syntax may be wrong, but that is what his intention i guess)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎10-16-2023 09:06 AM

I want to limit traffic going to a server in the DMZ so I assumed it would either be applied inbound on the outside interface or outbound on the DMZ interface but definitely not inbound on the DMZ interface as far as I can tell. 

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎10-16-2023 09:09 AM

So outbound would be the DMZ interface in my case as I am not trying to limit traffic to the internet (which most of the examples seem to be about) but limit coming from the internet to a server in the DMZ.

Jon

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-16-2023 04:46 AM

yes that should work as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card