QoS Pix

Unanswered Question
Nov 5th, 2007


I would like to implement QoS on Pix 7.0(4). We connect to our customers using Cisco VPN client (remote access VPN).

I would like to prioritize this traffic, because these VPN connections are slow and e.g. browsing is fast.

What is the best match in the class-map command to cover this traffic? I tried

match port tcp 3389 (because we especially use terminal services to connect to remote systems through VPN). Or is it better to use an ACL with the remote public IP (where the VPN ends)?

Could you please advise me?

Many thanks,


Overall Rating: 5 (1 ratings)
excession Mon, 11/05/2007 - 06:16

! First match VPN traffic.

! Use an access-list

hostname(config)# class-map VPN-TRAFFIC

hostname(config-cmap)# match access-list ...

! Apply this in a QoS map in such a way that traffic matched by class-map "VPN-TRAFFIC" will be made priority

hostname(config)# policy-map QoS

hostname(config-pmap)# class VPN-TRAFFIC

hostname(config-pmap-c)# priority

! Create the priority queue on interface "blah"

hostname(config)# priority-queue blah

! Now we can apply this policy "QoS" on the "blah" interface
! (the name must match the policy-map name defined above, including case)

hostname(config)# service-policy QoS interface blah

You might also be able to use a "tunnel-group" to match traffic. Refer to http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/qos.html#wp1045016 for more details.

By the way, if you are using a subinterface, the "service-policy" is applied on the subinterface but the "priority-queue" is applied on the physical interface.

