I have a customer with a 5510 that recently sub-leased their office. I would like to give the sub-tenant their own "portion" of our bonded T1s, yet keep ALL network traffic separate. I understand that the WAN traffic will commingle and this is OK.
We currently have inbound rules set up for the main tenant that allow certain external IPs to translate to internal servers, e.g. Citrix, Exchange, etc. We also have some "denies" set up for IPs at MySpace, Facebook, etc.
The sub-tenant will only need one single NAT'd external IP, which we have available.
We need to also LIMIT the bandwidth for the sub-tenant at 3 MBPS.
Ethernet 0/2 and 0/3 are available.
The firewall rules for the sub-tenant will be simple and will allow all traffic that originates inside to go out and then come back in, but will deny all traffic originating from outside trying to get in.
Can this be done on the ASA? Can it be done "relatively" easily?
Please advise and post any samples or Cisco "walk throughs" for this. Please advise on potential pitfalls as well.