All,
I am looking to see if host-based internet rate limiting is possible on an ASA for internet (not intranet) traffic. Here is what I am trying to accomplish:
- allow a single user 512Kbps per flow with a burst ability of 1Mbps
- only rate limit on inbound (download)
- exempt RFC1918-to-RFC1918 private IP addressing (intranet) that flows from VPNs and DMZs towards the host
I put something together like this:
access-list internet_web remark --- ACL for matching non-intranet web traffic ---
access-list internet_web remark --- to per-flow rate limit ---
access-list internet_web remark --- ---
access-list internet_web remark --- First, exclude intranet traffic ---
access-list internet_web deny tcp object-group RFC1918 object-group RFC1918
access-list internet_web remark --- ---
access-list internet_web remark --- Next, match remaining TCP 80/443/8080/8443 ---
access-list internet_web permit tcp any eq 80 any
access-list internet_web permit tcp any eq 8080 any
access-list internet_web permit tcp any eq 443 any
access-list internet_web permit tcp any eq 8443 any
Classify traffic that matches that ACL
class-map internet_web_traffic
 match access-list internet_web
Build a policy on how to treat “each flow” matching that classification. This policy limits each flow (download or stream) to 512Kbps, but allows burst up to 128KBps (1Mbps – notice big ‘B’).
class-map internet_web_traffic
 match access-list internet_web
 match flow ip destination-address
!
policy-map internet_web_limit
 class internet_web_traffic
  police output 512000 128000
Apply policy to firewall host serving interfaces
service-policy internet_web_limit interface inside
service-policy internet_web_limit interface Guest_Wireless
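As an added illustration (not part of the original post), the Python below models the two decisions the configuration above makes: the top-down evaluation of the internet_web ACL (deny RFC1918-to-RFC1918 first, then permit by server-side source port, which is what "any eq 80 any" matches) and a token-bucket policer parameterised the way `police output 512000 128000` is, with the conform rate in bits per second and the burst in bytes. The RFC1918 object-group contents, the sample flows and the packet timing are constructed for the example; the bucket is a generic single-rate model and not a claim about the ASA's internal policer implementation.

```python
import ipaddress

# Constructed contents for the RFC1918 object-group used in the ACL.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Server-side (source) ports the ACL permits: 80, 8080, 443, 8443.
WEB_SERVER_PORTS = {80, 443, 8080, 8443}


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def acl_internet_web(proto: str, src_ip: str, src_port: int, dst_ip: str) -> str:
    """Evaluate the internet_web ACL top-down, first match wins.

    Returns 'deny' (intranet exemption), 'permit' (policed web flow) or
    'implicit-deny' (no ACE matched, so the class-map does not match).
    """
    if proto != "tcp":
        return "implicit-deny"
    # ACE 1: deny tcp object-group RFC1918 object-group RFC1918
    if is_rfc1918(src_ip) and is_rfc1918(dst_ip):
        return "deny"
    # ACEs 2-5: permit tcp any eq <port> any  (matches the SOURCE port)
    if src_port in WEB_SERVER_PORTS:
        return "permit"
    return "implicit-deny"


def is_policed(proto: str, src_ip: str, src_port: int, dst_ip: str) -> bool:
    """A flow is policed only when the ACL permits it."""
    return acl_internet_web(proto, src_ip, src_port, dst_ip) == "permit"


class TokenBucketPolicer:
    """Single-rate policer: conform rate in bits/s, burst (bucket depth) in bytes.

    Tokens are kept in bits and time in whole milliseconds so the arithmetic
    is exact for the 512000 bps rate used here (512 bits per millisecond).
    """

    def __init__(self, conform_rate_bps: int, burst_bytes: int):
        self.rate_bps = conform_rate_bps
        self.capacity_bits = burst_bytes * 8
        self.tokens_bits = self.capacity_bits   # bucket starts full
        self.last_ms = 0

    def offer(self, size_bytes: int, now_ms: int) -> str:
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        refill = elapsed_ms * self.rate_bps // 1000
        self.tokens_bits = min(self.capacity_bits, self.tokens_bits + refill)
        need = size_bytes * 8
        if need <= self.tokens_bits:
            self.tokens_bits -= need
            return "conform"
        return "exceed"        # ASA default exceed-action is drop


def simulate(conform_rate_bps: int, burst_bytes: int,
             packet_bytes: int, packets: int, interval_ms: int) -> list:
    """Offer `packets` packets of `packet_bytes`, one every `interval_ms`,
    and return the per-packet verdicts."""
    policer = TokenBucketPolicer(conform_rate_bps, burst_bytes)
    return [policer.offer(packet_bytes, i * interval_ms) for i in range(packets)]


if __name__ == "__main__":
    # Constructed flows, seen in the download direction (server -> inside host).
    print(acl_internet_web("tcp", "10.1.1.1", 443, "192.168.1.5"))       # deny (intranet)
    print(acl_internet_web("tcp", "203.0.113.10", 443, "192.168.1.5"))   # permit (internet web)
    print(acl_internet_web("tcp", "203.0.113.10", 22, "192.168.1.5"))    # implicit-deny
    # 1500-byte packets every 1 ms (12 Mbps offered) against 512 kbps / 128000-byte burst.
    verdicts = simulate(512000, 128000, 1500, 1000, 1)
    print("conforming packets in first second:", verdicts.count("conform"))
```

Running the simulation shows the shape the poster is after: the full 128000-byte burst is admitted at line rate (the first 89 packets), after which the flow is held to roughly 64000 bytes per second, so about 127 of the 1000 offered packets conform in the first second.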