1194 Views, 0 Helpful, 2 Replies

Traffic shaping based on ports: source and destination ports are different

aarru1977
Level 1

Hello. I was wondering why this setup I'm using doesn't work. I have an ASA 5506-X with traffic policing on. I have a service policy rule to limit port tcp/8080 to 3 Mbit of traffic. I have tried to set it up under the global, inside and outside interfaces. There is nothing special here, a simple NAT to the internet with one IP inside and one outside. When I turn it on, it works only for the return traffic. What I did as a test is I set it up to shape Speedtest.net. The download side never works, but the upload works as expected. What I found was that the initiation port is 8080 and then it uses a high port to finish the communication. The ASA probably shapes the first part correctly regardless of in or out, but misses the higher (1024+) port. I did one additional test where I included everything to be shaped and it worked as expected, but I want to limit it to just port tcp/8080. I've tried every combination of interfaces and direction, but I'm not getting the sense that the firewall is detecting the 8080 and then the return high-port flow, at least not for the policing. Any thoughts? Thank you.

2 Replies

Aslan Qoujaq
Cisco Employee

Hello,

Can you please send me the following:

- show run access-list "access-list name matching the traffic"
- show run class-map
- show run policy-map

Thanks for the reply. I guess the big question I had is that I thought it was stateful, meaning if the traffic left on 443 it would keep track of its return port. What I'm seeing is that it traffic-polices the 443 no problem, in any direction or interface, but the remote system is returning on a high port that it isn't policing. I would think the statefulness would know that and block it as well. Below is the test config I used. I tested it on Speedtest.net and the download does NOT work but the upload test DOES work. Thank you!

There is no access list associated with this; I just have a default any/any for internet traffic outbound.

class-map inside-class
 match port tcp eq 8080

 class inside-class
  police input 80000 1500
  police output 80000 1500
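For comparison, here is an added example of the same policer expressed with an ACL-based class. It is not the poster's configuration or anything from the thread: the names (LIMIT-8080, LIMIT-8080-CLASS, inside-policy), the interface name "inside" and the burst size are assumptions. Two things it makes explicit that the single "match port" line does not: the ACL names tcp/8080 both as destination port (outbound connections to 8080) and as source port (traffic arriving from 8080), and the rate is written in the units the ASA "police" command actually uses, bits per second, so 3 Mbit/s is 3000000. Note that the thread's "police input 80000 1500" is 80 kbit/s with a 1500-byte burst, not 3 Mbit/s.

```text
! Added example, not the poster's config. Names and burst are assumptions.
! tcp/8080 as destination port (outbound to the server)
access-list LIMIT-8080 extended permit tcp any any eq 8080
! tcp/8080 as source port (replies from the server)
access-list LIMIT-8080 extended permit tcp any eq 8080 any
!
class-map LIMIT-8080-CLASS
 match access-list LIMIT-8080
!
policy-map inside-policy
 class LIMIT-8080-CLASS
  ! conform-rate in bits per second, conform-burst in bytes
  police input 3000000 375000
  police output 3000000 375000
!
service-policy inside-policy interface inside
```

To check what the policer is actually doing, "show service-policy interface inside" reports per-class conformed and exceeded counters, and "show conn" shows whether the high-port traffic is the reverse direction of the tcp/8080 connection (which belongs to the same classified connection) or a separate connection to a different port. A separate connection whose ports are not named in the ACL is a distinct flow and will not be policed by this class, regardless of which interface or direction the policy is attached to.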