09-27-2010 04:01 PM - edited 03-11-2019 11:46 AM
Hello all,
I have a customer with a 5510 that recently sub-leased their office. I would like to give the sub-tenant their own "portion" of our bonded T1's, yet keep ALL network traffic separate. I understand that the WAN traffic will comingle and this is ok.
We currently have inbound rules setup for the main tenant that allow certain external IPs to translate to internal servers, e.g. Citrix, Exchange, etc. We also have some "deny's" setup for IPs at myspace, facebook, etc.
The sub-tenant will only need one single NAT'd external IP, which we have available.
We need to also LIMIT the bandwidth for the sub-tenant at 3 MBPS.
Ethernet 0/2 and 0/3 are available.
The firewall rules for the subtenant will be simple and will allow all traffic that originates inside to go out then come back in, but will deny all traffic originating from outside trying to get in.
Can this be done on the ASA? Can it be done "relatively" easily?
Please advise and post any samples or Cisco "walk throughs" for this. Please advise on potential pitfalls as well.
Thank you.
John
09-27-2010 05:13 PM
hi
this will be relatively simple, all you need is nat rules to send out the traffic and some QOS to limit the bandwidth utilization to 3 mbps,
this limiting can be done either on asa or on the upstream but i guess we can do it on asa and finish it off
i do not have any specific doc to give you an eg, but if you provide me the current config and the new networks that you intend to add i can help you out with this (you can mask public IPs if you wish to)
10-01-2010 02:52 PM
Jathaval,
Thank you, much appreciated. Sorry it took so long for my reply.
We need to allow a maximum of 3 mbps up and down for the NEW lan at 192.168.0.0 using ethernet 0/2, and push all that traffic through a dedicated external IP address called x.x.x.70. i.e. all 192.168.0.0 users will send/receive Internet traffic on x.x.x.70 WAN IP.
Thank you, John
PS Please advise if there is anything else glaring that should be changed...thanks.
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xxxxxxxxxxxx.com
enable password xxxxxxxxxxx encrypted
passwd xxx encrypted
names
name xxx X-Serve01 description X-Serve01
name xxxxxxxxxxxxxx X-Serve01-Outside description X-Serve01-Outside
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xxxxxx.68 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address "NOT 192.168.0.0" 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address xxxx 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server xxxx
name-server 64.60.0.17
name-server 64.60.0.18
domain-name xxxxxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 993
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq 2552
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 x.x.x.x 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 .... 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 .... 255.255.255.0
access-list outside extended permit tcp any host x.x.x.x eq citrix-ica
access-list outside extended permit tcp any host x.x.x.x eq 3389
access-list outside extended permit tcp any host x.x.x.x eq 1604
access-list outside extended permit tcp any host x.x.x.x eq www inactive
access-list outside extended permit tcp any host x.x.x.x eq https
access-list outside extended permit icmp any any
access-list outside remark Open to Exchange, smtp-ssl on 465
access-list outside extended permit tcp any host x.x.x.x object-group DM_INLINE_TCP_1 log
access-list outside extended permit tcp any eq 2598 host x.x.x.x eq 2598
access-list outside extended permit tcp any host X-Serve01-Outside eq ssh
access-list outside remark VNC access from Second Son to XServe
access-list outside extended permit tcp x.x.x.x 255.255.255.252 host X-Serve01-Outside eq 5900
access-list Outside_cryptomap_dyn_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List remark MD Lan behind the ASA
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list myspaceblock remark myspace.com
access-list myspaceblock extended deny ip 192.168.0.0 255.255.0.0 216.178.32.0 255.255.240.0
access-list myspaceblock remark facebook.com
access-list myspaceblock extended deny ip 192.168.0.0 255.255.0.0 69.63.176.0 255.255.240.0
access-list myspaceblock extended deny ip 192.168.26.0 255.255.255.0 216.178.32.0 255.255.240.0 inactive
access-list myspaceblock remark myspace.com
access-list myspaceblock extended deny ip 192.168.0.0 255.255.0.0 63.135.80.0 255.255.240.0
access-list myspaceblock extended deny ip 192.168.6.0 255.255.255.0 63.135.80.0 255.255.240.0 inactive
access-list myspaceblock extended deny ip 192.168.26.0 255.255.255.0 63.135.80.0 255.255.240.0 inactive
access-list myspaceblock extended permit ip any any
pager lines 24
logging enable
logging console emergencies
logging monitor emergencies
logging buffered errors
logging asdm errors
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool mydpool 172.16.1.1-172.16.1.126 mask 255.255.255.128
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.x 192.168.1.19 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 192.168.1.10 netmask 255.255.255.255
static (Inside,Inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (Inside,Outside) X-Serve01-Outside X-Serve01 netmask 255.255.255.255
access-group outside in interface Outside
access-group myspaceblock in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.3 1
route Inside 192.168.4.0 255.255.255.0 192.168.1.3 1
route Inside 192.168.6.0 255.255.255.0 192.168.1.3 1
route Inside 192.168.26.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
http 176.16.1.0 255.255.255.0 Inside
http x.x.x.x 255.255.255.248 Outside
snmp-server host Inside 192.168.1.210 community public version 2c
snmp-server location SC
snmp-server contact LIT
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
client-update type WinNT url http://www.google.com rev-nums 5.06
telnet 176.16.1.0 255.255.255.0 Inside
telnet 192.168.0.0 255.255.0.0 Inside
telnet timeout 5
ssh x.x.x.x 255.255.255.248 Outside
ssh 176.16.1.0 255.255.255.0 Inside
ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.59.59.177 source Outside prefer
group-policy mdremote internal
group-policy mdremote attributes
wins-server value x.x.x.x
dns-server value x.x.x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value xxxxxxxxxxxxxx.com
client-firewall none
username xxxxxxxxx password xxxxxxxxxxxxx encrypted privilege 15
username admin attributes
vpn-group-policy xxxxxemote
username xxxxxx password xxxxxxxxx encrypted privilege 15
username xxx attributes
service-type nas-prompt
username xxx password xxx encrypted privilege 15
username xxx password xxx encrypted privilege 15
username xxx attributes
vpn-group-policy mdremote
username xxx password encrypted
username xxx attributes
vpn-group-policy mdremote
username xxx password xxxx encrypted
username xxx attributes
vpn-group-policy mdremote
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group mdremote type remote-access
tunnel-group mdremote general-attributes
address-pool mdpool2
authorization-server-group LOCAL
default-group-policy xxx
authorization-required
tunnel-group mdremote ipsec-attributes
pre-shared-key *
!
class-map MAC-SSH-Outside-class
description Limit to 512K
match port tcp eq ssh
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map SSH-Outside-policy
description Limit MAC SSH Outside-policy
class MAC-SSH-Outside-class
police input 512000 2048
police output 512000 2048
set connection timeout dcd 0:15:00 5
!
service-policy global_policy global
service-policy SSH-Outside-policy interface Outside
prompt hostname context
Cryptochecksum:3a77734e98758f89e18a5c0278880c7c
: end
asdm image disk0:/asdm-623.bin
no asdm history enable
10-14-2010 09:54 AM
10-14-2010 12:46 PM
Here it is
interface Ethernet0/2
nameif inside2
security-level
ip address
nat (inside2) 20 192.168.0.0 255.255.0.0
global (Outside) 20 xx.xx.xx.70
access-list police-acl permit ip 192.168.0.0 255.255.0.0 any
class-map tcp-traffic-class
match access-list police-acl
policy-map police-pm
class tcp-traffic-class
police output 3000000
police output 3000000
service-policy police-pm interface outside
I hope it helps.
PK
10-14-2010 07:10 PM
I think PK meant to say
policy-map police-pm
class tcp-traffic-class
police input 3000000 ----------->input
police output 3000000
-KS
10-15-2010 03:43 PM
Thank you.
10-15-2010 05:59 PM
Please mark it as resolved, if it is, so that others can benefit from it in the future.
Rgs,
PK
10-20-2010 03:41 PM
Pkampana,
Ok, will do, thanks again.
I applied the config today and got this error:
ERROR: Policy map SSH-Outside-policy is already configured as a service policy
We do limit SSH traffic bandwidth for Macintosh backups from outside to inside.
What do I need to do with this?
Can we apply the policy to the inside2 interface instead to cap the bandwidth?
Please advise.
Here are the relevant pieces from the sho run:
...
class-map MAC-SSH-Outside-class
description Limit to 512K
match port tcp eq ssh
...
policy-map SSH-Outside-policy
description Limit MAC SSH Outside-policy
class MAC-SSH-Outside-class
police input 512000 2048
police output 512000 2048
...
PS We are limited to one policy per interface.
Thank you,
John
Message was edited by: jwaskewics
10-20-2010 05:49 PM
Yes, only one policy can be applied per interface and one globally.
Each policy can have multiple classes that police differently.
PK
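One way to get the 3 Mbps cap without touching SSH-Outside-policy, as an added example that is not from any poster in this thread: put the tenant's policing on inside2 itself, which has no service policy yet, and keep the thread's x.x.x.70 placeholder. The interface name inside2, the /24 mask (the /16 PK used overlaps the main tenant's 192.168.x.0/24 subnets on Inside), the security level, the ACL names and the burst values are my assumptions; the NAT syntax is the pre-8.3 form the posted config already uses.

```cisco
! --- Tenant LAN on Ethernet0/2 (assumed values). A /24 is used on purpose:
! --- 192.168.0.0/16 would overlap the 192.168.1.0/24 .. 192.168.26.0/24
! --- networks behind Inside and the ASA rejects an overlapping interface address.
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
! --- PAT every tenant host behind the dedicated public IP (pre-8.3 syntax;
! --- a single address in the global pool means PAT). With no static for
! --- x.x.x.70, nothing initiated from Outside can reach the tenant.
global (Outside) 20 x.x.x.70
nat (inside2) 20 192.168.0.0 255.255.255.0
!
! --- Keep the two tenants apart: deny tenant -> main LAN and -> VPN pool
! --- explicitly (an interface ACL overrides security levels), then permit
! --- everything else, i.e. Internet, outbound.
access-list inside2_in extended deny ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside2_in extended deny ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside2_in extended permit ip 192.168.0.0 255.255.255.0 any
access-group inside2_in in interface inside2
! --- and main LAN -> tenant, inserted ahead of the existing "permit ip any any"
access-list myspaceblock line 1 extended deny ip any 192.168.0.0 255.255.255.0
!
! --- 3 Mbps each way in a policy dedicated to inside2, so the one-policy-per-
! --- interface limit never collides with SSH-Outside-policy on Outside.
! --- On inside2, input = tenant uploads, output = downloads delivered to the
! --- tenant. The ACL lists both directions so the flow is classified either
! --- way. Burst (bytes) is assumed; the default is 1500.
access-list tenant-traffic extended permit ip 192.168.0.0 255.255.255.0 any
access-list tenant-traffic extended permit ip any 192.168.0.0 255.255.255.0
class-map tenant-class
 match access-list tenant-traffic
policy-map inside2-policy
 class tenant-class
  police input 3000000 375000
  police output 3000000 375000
service-policy inside2-policy interface inside2
```

Check it with `show service-policy interface inside2` (conform/exceed counters) and `show nat` / `show xlate` to confirm tenant flows leave as x.x.x.70 rather than the shared interface PAT.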
10-22-2010 12:42 PM
PK,
Ok, thanks.
So, how can I modify the existing policy to have another class to police this traffic on this inside2 interface?
Or, what would you suggest.
FYI, I tried to add a new class via ASDM into the existing policy for the outside interface to police traffic on inside2, but I could not see how to only specify the inside2 traffic to police, as it appears to affect the entire outside interface.
Please advise and thank you.
John
10-26-2010 03:05 PM
Any updates on this guys?
Thanks.
John