
Restricting the bandwidth for particular subnet in ASA 5545

shoaib sheikh
Level 1

Hello Friends,

We have an ASA 5545 connected to an internet Router 3925. We are creating a site-to-site VPN from the firewall and want to restrict the bandwidth of the users travelling in the VPN. I know the process for the router but am not getting the configuration for the firewall, as the options for policing traffic are not coming under the policy-map command in ASA.

Configuration for router:


ip access-list extended 105
permit ip 10.10.10.0 0.0.0.255 any


class-map test
match access-group 105

policy-map test1
class test
police cir 1000000
conform-action transmit
exceed-action drop
violate-action drop


int Gixx
service-policy output test1


Please help me with the equivalent configuration for ASA 5545.

3 Replies

Shrikant Jadhav
Level 1

Hi Shoaib,

You can do the same on the ASA by referring to the configuration below:

CLASSIFYING TRAFFIC-:

access-list capin1 permit ip 10.10.10.0 0.0.0.255 any
access-list capin1 permit ip any 10.10.10.0 0.0.0.255
access-list cap permit ip any any ---> this is for all other traffic except 10.10.10.0

MATCHING THE TRAFFIC-:

class-map capin1
match access-list capin1

class-map cap
match access-list cap

TAKING THE ACTION UNDER THE GLOBAL POLICY-:

policy-map global_policy
class capin1
police input 1000000 ---> to allocate the 10 Mbps for only 10.x.x.x network IN and OUT
police output 1000000
class cap
police input 20000000 ---> to allocate the 20 Mbps for other network subnets IN and OUT
police output 20000000

Thanks

Shrikant

In ASA, the access list wouldn't take a wildcard mask; instead it should be a subnet mask. Hence

access-list capin1 permit ip 10.10.10.0 0.0.0.255 any
access-list capin1 permit ip any 10.10.10.0 0.0.0.255
access-list cap permit ip any any ---> this is for all other traffic except 10.10.10.0

should be

access-list capin1 permit ip 10.10.10.0 255.255.255.0 any
access-list capin1 permit ip any 10.10.10.0 255.255.255.0
access-list cap permit ip any any ---> this is for all other traffic except 10.10.10.0
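
The mask correction in the reply above can be checked mechanically. The following is an added example, not code from any participant in this thread: a Python helper (the function names are assumptions of this example) that rewrites IOS-style wildcard masks in an ACL line as the subnet masks the ASA expects, and refuses masks that have no subnet-mask equivalent.

```python
import ipaddress

def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard mask into the subnet mask the ASA expects."""
    w = int(ipaddress.IPv4Address(wildcard))
    # A convertible wildcard is a contiguous run of low 1-bits (2**k - 1).
    # This also rejects a mask that is already a netmask, e.g. 255.255.255.0,
    # so an already-converted line is never inverted a second time.
    if w & (w + 1):
        raise ValueError(f"{wildcard}: not a contiguous wildcard mask")
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))

def to_asa_acl(line: str) -> str:
    """Rewrite each 'address wildcard' pair in one ACL line as 'address netmask'."""
    tokens, out, i = line.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "host" and nxt is not None:
            out += [tok, nxt]            # 'host A' carries no mask; copy as-is
            i += 2
        elif _is_ipv4(tok) and nxt is not None and _is_ipv4(nxt):
            out += [tok, wildcard_to_netmask(nxt)]
            i += 2
        else:
            out.append(tok)              # keywords, ACL name, 'any', ports
            i += 1
    return " ".join(out)

# ACL lines as first posted in the thread, with the trailing annotation removed.
THREAD_ACL = [
    "access-list capin1 permit ip 10.10.10.0 0.0.0.255 any",
    "access-list capin1 permit ip any 10.10.10.0 0.0.0.255",
    "access-list cap permit ip any any",
]

if __name__ == "__main__":
    for acl in THREAD_ACL:
        print(to_asa_acl(acl))
```
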

Hello Shrikant,

Thanks for your input. The ASA is giving the following error when putting the police command.

 policy-map global_policy

class restrict_FL

 police ?

ERROR: % Unrecognized command

For your information, the ASA is a 5545 and I am trying to put this command in context mode. So, please let me know the commands supported in context.
