auraza Thu, 10/08/2009 - 14:44
User Badges:
  • Cisco Employee,

AFAIK that is not a possibility. You may be able to restrict it to the tunnel-group that the AnyConnect clients are connecting to.

MJonkers Thu, 10/08/2009 - 22:19
User Badges:

Hi, that would I see as a huge improvement for the asa 5550 if that would be possible!

The only thing I am searching for now is how to block or lower the bandwidth in use by p2p (bittorrent over the vpn connection).

NBAR does not work on a ASA 5550.



auraza Fri, 10/09/2009 - 13:55
User Badges:
  • Cisco Employee,

Yes, it would be. The only way I can think of doing it per anyconnect client would be to create one acl per IP address that the client is going to get handed out, and then apply policing to it. Too much work though.

CSCO11814682 Wed, 06/12/2013 - 07:03
User Badges:

Hi Marc, I would probably use split tunnelling to keep internet traffic off your VPN tunnels, or failing that set up QOS on your network and limit the VPN to a certain portion of your overall bandwidth. With something like the below on the ASA you can limit how much of your bandwidth is allocated to your remote access or site-to-site connections by grouping them into classes and policing the bandwidth:


  police input 2048000 768000

  police output 2048000 768000


  police input 6144000 48000

  police output 6144000 48000

Obviously you'd also need a service policy applied to your outside interface, plus the ACL's, objects, etc, for the QOS.


This Discussion