I'm trying to get a service-policy set up that rate-limits the HTTP traffic our users are creating by surfing the net. In our case, our ASA actually sits with our ISP, so I'm trying to cut down on the bandwidth costs the HTTP traffic is taking up from the inside interface of the ASA across our WAN link to our home office.
We have an internal proxy server that all the users in the company use for accessing the internet. This is perfect, because it's only the traffic to this proxy server that I want to limit.
Proxy server: 192.168.1.5 (on the inside interface of the ASA)
Our ASA already has the default "service-policy global_policy global" command in there along with the default inspection, and I don't intend on changing that unless I have to.
So, I've created this:
!
access-list in_http extended permit tcp any host 192.168.1.5
!
!
class-map in_http
match access-list in_http
!
policy-map in_http
class in_http
police output 500000 50000
!
service-policy in_http interface inside
!
My question is, on the service-policy command, should I apply that policy to the inside interface of the ASA or the outside interface? I want to police the traffic coming into our firewall destined for 192.168.1.5 (our proxy server) on the inside interface. I'm hoping the ACL I created there matches all the traffic destined for the server.
Here's a clip from a "show conn" on the ASA that shows an internet connection from the proxy server:
TCP out xxx.xxx.xxx.xxx:80 in 192.168.1.5:4301 idle 0:00:07 bytes 3763 flags UIO
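As an added illustration of how ASA policing direction works (this is example configuration, not the poster's own config or anything from Cisco's documentation for this case), the fragment below keeps the poster's ACL and class, but makes explicit which packets each `police` direction matches. On the ASA, `input` means packets entering the firewall through that interface and `output` means packets leaving the firewall through it, so the bulk download traffic (web servers on the outside answering the proxy) is `output` on inside or, equivalently, `input` on outside. The 500000/50000 values are the poster's; the 200000/20000 upload values are assumed for the example.

```cisco
! Added example: explicit policing directions for the proxy's web traffic.
! The ASA sits at the ISP; the proxy (192.168.1.5) is reached via the
! inside interface over the WAN link that this policy is meant to protect.
!
! The ACL in a class map matches flows in both directions (proxy -> web
! server and web server -> proxy), so one class serves both police lines.
access-list in_http extended permit tcp any host 192.168.1.5
!
class-map in_http
 match access-list in_http
!
policy-map in_http
 class in_http
  ! Download direction: packets leaving the ASA toward the proxy.
  ! Rate is in bits/sec (500000 = 500 kbps), burst in bytes (50000).
  ! Out-of-profile packets are dropped (the default exceed-action).
  police output 500000 50000
  ! Upload direction (assumed values): packets arriving from the proxy
  ! and heading out to the internet. Optional; add only if the request
  ! traffic toward the web also needs to be capped.
  police input 200000 20000
!
! Bind to the interface the proxy is behind. "police output" here is the
! same set of packets as "police input" would be on the outside interface,
! so choose the interface and direction pair consistently; do not apply
! both or the traffic is policed twice.
service-policy in_http interface inside
```

Confirm what is actually being counted with `show service-policy interface inside` after some browsing; the conform/exceed counters under the police line should climb while users surf and stay flat otherwise.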