03-16-2009 04:48 AM - edited 03-11-2019 08:05 AM
Hello all.
I need to apply a rate limit, on ASA firewall, when a specific subnet connects to Internet.
Thanks for help.
Andrea
03-16-2009 05:06 AM
Andrea
Assuming 192.168.5.0/24 is the subnet -
access-list rate_subnet permit ip 192.168.5.0 255.255.255.0 any
class-map rate_subnet
 match access-list rate_subnet
policy-map rate_qos
 class rate_subnet
  police output <conform-rate-bps>
service-policy rate_qos interface outside
See this link for full details -
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml
Jon
03-16-2009 06:44 AM
Hi Jon and many many thanks for your help.
I have another question.
I understand that 192.x.x.x is the pre-NAT subnet. Because the service policy is applied only in the output direction, I do not understand how the ACL can match inbound (traffic from the Internet)!
Regards.
Andrea.
03-16-2009 07:49 AM
Andrea
From the doc I sent -
"Note: Policing is applied only in the output direction"
So you cannot police inbound on the ASA.
Jon
03-16-2009 08:15 AM
Be patient Jon...
So I'm not able to apply a rate limit to a file transfer from Internet!?
Andrea
03-16-2009 08:45 AM
"Be patient Jon"
Sorry Andrea, didn't mean to come across as impatient :-).
You can rate-limit the outgoing traffic but not the incoming traffic from the Internet. Actually, strictly speaking, you could rate-limit the incoming traffic from the Internet with a service policy outbound on your inside interface, but this isn't helpful as the traffic will already have come across your Internet link and used up bandwidth.
If you want to rate-limit inbound you would need to talk to your ISP.
Jon
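The inside-interface variant mentioned in the reply above, sketched as an added example that is not from the thread or the linked Cisco note. The interface name `inside`, the `_down`/`_inside` object names and the 1 Mbps rate are assumptions chosen for illustration:

```cisco
! Added example. Assumed: interface nameif "inside", 1 Mbps conform rate.
! Match return/download traffic by its destination: the 192.168.5.0/24 hosts.
access-list rate_subnet_down extended permit ip any 192.168.5.0 255.255.255.0
!
class-map rate_subnet_down
 match access-list rate_subnet_down
!
policy-map rate_qos_inside
 class rate_subnet_down
  ! Policing is output-only, so it is applied as traffic leaves the ASA
  ! toward the LAN. Rate is in bits per second (assumed value).
  police output 1000000
!
! Attach to the inside interface; the upload policy from the thread
! stays on the outside interface.
service-policy rate_qos_inside interface inside
!
! Check conformed/exceeded counters after generating some traffic:
! show service-policy interface inside
```

Packets dropped by this policer have already crossed the Internet link, so it caps what the subnet's hosts receive rather than protecting the link itself.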