QoS on Cisco ASA 5505 configured as Easy VPN Client

Unanswered Question
Jun 8th, 2012

Hi,

I have a Cisco ASA 5505 configured as an Easy VPN client (network extension mode). The ASA connects to the internet over a DSL link with 10Mbps/1Mbps bandwidth.

I have configured split-tunneling on the ASA 5510, which is acting as the VPN concentrator, so that people at the remote office can go out and browse the web. I want to set up QoS so that VPN traffic gets a bigger portion of the bandwidth (upload and download) and limit non-VPN traffic to some predefined value (again both upload and download), with specific emphasis on upload as it is only 1Mbps. I have created a class-map named vpn-traffic and used access-lists to match ESP and ISAKMP packets. Since the ASA is configured as an Easy VPN client I can't use tunnel-group as the match criteria, or I could but I don't know how?

The idea was to match VPN traffic to the class vpn-traffic, let all other traffic fall into the class-default class, and then apply policies to those classes. Below is the configuration of my ASA 5505. There is a problem with the configuration: all traffic is limited to the value configured for the class-default class. The command "show service-policy police" shows that VPN traffic is classified into both classes. How can I fix this?

ASA Version 8.4(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ------------------- encrypted
passwd ------------------- encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list VPNQOS extended permit udp any any eq isakmp
access-list VPNQOS extended permit esp any any
access-list VPNQOS extended permit udp any any eq 4500
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.13.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
vpnclient server xxx.xxx.xxx.xxx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup GROUP1 password *****
vpnclient username USER1 password *****
vpnclient enable
dhcpd auto_config outside
!
dhcpd address 192.168.13.2-192.168.13.33 inside
dhcpd dns 192.168.1.5 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password ------------------ encrypted privilege 15
!
class-map vpn-traffic
 match access-list VPNQOS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map qos-out
 class vpn-traffic
  police input 9000000 10500
  police output 768000 10500
 class class-default
  police input 1000000 1000
  police output 256000 1000
!
service-policy global_policy global
service-policy qos-out interface outside
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9fe208a62d936b8402043d5ba089c1a0
: end
ciscoasa#
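As an added illustration (not part of the original post and not Cisco code), the Python below models the two pieces the question turns on: first-match classification against the VPNQOS access-list, and a single-rate token-bucket policer fed with the `police output` rate and burst values from the policy-map qos-out above. The token bucket is the textbook model and is an assumption about how the ASA policer behaves, not a description of its implementation; the sample packets are constructed. One thing the model makes visible is that the class-default burst of 1000 bytes is smaller than a full-size packet, so in a strict token bucket a 1400-byte packet in that class never conforms, which is worth checking against Cisco's burst-size guidance before interpreting the policed counters.

```python
# Added example: a teaching model of ASA "police <rate> <burst>" plus the
# VPNQOS class match from the posted configuration. Assumption: the policer
# is a plain single-rate token bucket (rate in bits/s, burst in bytes).
from dataclasses import dataclass

ISAKMP_PORT = 500   # "eq isakmp" in the access-list
NAT_T_PORT = 4500   # "eq 4500" in the access-list


@dataclass
class Packet:
    proto: str    # "udp", "tcp" or "esp"
    dport: int    # destination port; 0 for esp
    size: int     # bytes
    t: float      # arrival time in seconds


def matches_vpnqos(p):
    """Model of access-list VPNQOS: udp/500, esp, udp/4500 (any any)."""
    if p.proto == "esp":
        return True
    return p.proto == "udp" and p.dport in (ISAKMP_PORT, NAT_T_PORT)


def classify(p):
    """First-match classification: vpn-traffic, otherwise class-default."""
    return "vpn-traffic" if matches_vpnqos(p) else "class-default"


class TokenBucketPolicer:
    """Single-rate token bucket. A packet conforms only if the bucket holds
    at least its size in bytes, so a packet larger than the burst can never
    conform (model assumption, see lead-in)."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # bytes per second
        self.burst = float(burst_bytes)   # bucket capacity in bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def admit(self, p):
        elapsed = p.t - self.last
        self.last = p.t
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if p.size <= self.tokens:
            self.tokens -= p.size
            return True               # conform
        return False                  # exceed (drop)


def output_policers():
    """The 'police output' rate/burst pairs from policy-map qos-out."""
    return {
        "vpn-traffic": TokenBucketPolicer(768000, 10500),
        "class-default": TokenBucketPolicer(256000, 1000),
    }


def run_policy(packets, policers):
    """Classify and police each packet; return {class: (conform, exceed)}."""
    stats = {name: [0, 0] for name in policers}
    for p in sorted(packets, key=lambda x: x.t):
        cls = classify(p)
        ok = policers[cls].admit(p)
        stats[cls][0 if ok else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}


def sample_traffic():
    """Constructed sample: 10 ESP packets and 10 HTTPS packets, 1400 bytes
    each, interleaved 5 ms apart over 100 ms."""
    pkts = []
    for i in range(10):
        pkts.append(Packet("esp", 0, 1400, i * 0.01))
        pkts.append(Packet("tcp", 443, 1400, i * 0.01 + 0.005))
    return pkts


if __name__ == "__main__":
    for cls, (conform, exceed) in run_policy(sample_traffic(), output_policers()).items():
        print(f"{cls:14s} conform={conform} exceed={exceed}")
```

Running it shows every ESP packet conforming under the vpn-traffic policer (10500-byte burst, 768 kbit/s) while every 1400-byte HTTPS packet exceeds the class-default policer, purely because 1400 bytes never fits in a 1000-byte bucket. The model does not explain why the ASA reports VPN traffic in both classes, but it is a quick way to sanity-check rate and burst choices before applying them to a 1 Mbps uplink.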
