I have a customer that is a two-office medical practice with a VPN set up between the offices, with an ASA5505 on each end. They have a T-1 at each office and they do RDP sessions from the remote office to the main office over the VPN. The trouble comes in when they try to transmit claims: I guess the provider on the other end can take the claims as fast as they can send them, so it totally swamps the T-1 and kills the RDP sessions from the remote office.
So I have this in my configuration:
class-map outside-class
 match flow ip destination-address
 match tunnel-group 18.104.22.168
!
!
policy-map outside-policy
 class outside-class
  police output 500000 1500
The main question I have is this limiting the traffic over the VPN to 500K or is it reserving 500K for the VPN traffic? I have kind of seen it described both ways and even a description that indicated maybe the 5505 does it differently from anything else. The ASAs in question here are currently running 8.2(2).
!
access-list outside_mpc extended deny ip any host 22.214.171.124
!
class-map outside-class
 match access-list outside_mpc
!
!
policy-map outside-policy
 class outside-class
  police output 800000 1500
!
It is a T-1 and comes through Cbeyond, who have their IAD out front that does voice and data. So, I figure 800Kb for everything; then that leaves 700Kb for everything else, including the voice and VPN. The IAD that Cbeyond has in place will handle any QoS requirements for the voice once it gets out there.
Also, you can't really specify anything NOT part of a tunnel group, so I just used the endpoint of the VPN for the ACL.
This seems fine to me although I have never tinkered with only VPN traffic. The one thing I notice wrong is that you don't have a second part to your access-list. If you only have one deny, then by the rules of the access-list everything else is implicitly denied as well.
So it should be like:
access-list outside_mpc remark Deny the traffic we don't want to limit
access-list outside_mpc extended deny ip any host 126.96.36.199
access-list outside_mpc remark Permit the traffic we do want to limit
access-list outside_mpc extended permit ip any any
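The following simulation is an added example, not code from this thread or from Cisco. It models the two points discussed above: that the ASA `police output <rate> <burst>` action is a single-rate token-bucket rate limiter (conforming packets are transmitted, exceeding packets are dropped, so it caps the matched class rather than reserving bandwidth for it), and that an ACL used for an MPC class map is evaluated top-down with an implicit deny, so `permit` entries put traffic into the class and a deny-only ACL matches nothing. The addresses, packet sizes, traffic rates and the `run`/`scenarios` helpers are constructed for the example.

```python
"""Constructed simulation (an added example, not from this thread) of the two
points under discussion:

1. The ASA action `police output <rate_bps> <burst_bytes>` is a single-rate
   token-bucket rate limiter: a packet that conforms is transmitted, a packet
   that exceeds the rate is dropped. It caps the matched class even when the
   link is otherwise idle; it does not reserve bandwidth for that class.
2. An ACL used for an MPC class map is evaluated top-down with an implicit
   deny at the end: `permit` entries put traffic into the class (so it gets
   policed), `deny` entries keep it out. A deny-only ACL matches nothing.

Addresses, packet sizes and rates below are constructed for the example.
"""
from dataclasses import dataclass

VPN_PEER = "203.0.113.2"     # constructed: remote-office ASA (RDP over the VPN)
CLAIMS_HOST = "203.0.113.9"  # constructed: claims clearinghouse


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    dst: str     # "any" or a host address (source is always "any" here)


def in_class(acl, dst):
    """Top-down ACL evaluation, first match wins, implicit deny at the end.
    Returns True when the packet belongs to the policed class."""
    for entry in acl:
        if entry.dst in ("any", dst):
            return entry.action == "permit"
    return False  # implicit deny: not in the class


class Policer:
    """Single-rate token bucket modelling `police output <rate> <burst>`."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8 / 1000   # bytes per millisecond
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms, size):
        """True = conform (transmit), False = exceed (drop)."""
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def offered_traffic():
    """One second of constructed traffic, every 10 ms: a 1500-byte claims
    packet (1.2 Mb/s offered) and a 750-byte RDP packet over the VPN (600 kb/s)."""
    for i in range(100):
        yield i * 10, CLAIMS_HOST, 1500
        yield i * 10, VPN_PEER, 750


def run(acl, rate_bps, burst_bytes):
    """Classify with the ACL, police the class, return transmitted bytes per destination."""
    policer = Policer(rate_bps, burst_bytes)
    sent = {CLAIMS_HOST: 0, VPN_PEER: 0}
    for t_ms, dst, size in offered_traffic():
        if in_class(acl, dst) and not policer.offer(t_ms, size):
            continue  # exceeded the policer: dropped
        sent[dst] += size
    return sent


# Scenario A: the first configuration, class = the VPN tunnel, `police output 500000 1500`.
POLICE_VPN = [AclEntry("permit", VPN_PEER)]

# Scenario B: the corrected ACL from the reply: exempt the VPN peer, police everything else.
POLICE_OTHERS = [AclEntry("deny", VPN_PEER), AclEntry("permit", "any")]

# Scenario C: the deny-only ACL: implicit deny leaves the class empty, nothing is policed.
DENY_ONLY = [AclEntry("deny", VPN_PEER)]


def scenarios():
    """Transmitted bytes per destination for each configuration (1 s of traffic)."""
    return {
        "A_police_vpn_500k": run(POLICE_VPN, 500_000, 1500),
        "B_police_others_800k": run(POLICE_OTHERS, 800_000, 1500),
        "C_deny_only_800k": run(DENY_ONLY, 800_000, 1500),
    }


if __name__ == "__main__":
    for name, sent in scenarios().items():
        print(name, {dst: f"{b * 8 / 1000:.0f} kb/s" for dst, b in sent.items()})
```

Scenario A shows the answer to the main question: with the VPN tunnel as the policed class, the 600 kb/s of RDP traffic is cut to roughly 500 kb/s even though nothing else competes for the link in the model, while the claims upload passes untouched; a reservation would never drop traffic that way. Scenario B polices the claims traffic and leaves the VPN alone, and scenario C shows the deny-only ACL matching nothing. In this token-bucket model a burst of 1500 bytes lets only every other full-size packet conform, so the policed claims class gets about 600 kb/s rather than the nominal 800; that is a property of the model's burst setting and worth keeping in mind when choosing the burst value.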