Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

guest wireless access through ASA

We have an interface on a ASA5520 connected to the internet.  On one of the other interfaces we have the wireless gateway configured for guests to access the internet when needed.  Now employees are using their personal laptops to take advantage of unregulated internet access which has on several occasions saturated the access to the internet to a standstill.  Is there a way to limit the through put by a percentage of the main internet interface or some way to limit their speed?  We only have a 10mg internet pipe.

Cisco Employee

Re: guest wireless access through ASA

You can police the wireless users traffic based on ip address as explained here

They will still be contending but they will be contending between each other about the bandwidth you have given them and they will not oversubscribe your wired users if you give them less than 10Mbps.

You cannot limit bandwidth per user though, you can limit connections per user using Modular Policy Framework, but not actual speed.

I hope it helps.


Community Member

Re: guest wireless access through ASA

I guess i need to spend some time on MPF. I have the service policy: global policy but can i add other policy maps without interfering the global policy? And could this policy be set on the wireless interface?

Cisco Employee

Re: guest wireless access through ASA

Yes you can apply a policy on a per interface basis

ASA(config)# access list CONNS-ACL extended permit ip any
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL

ASA(config)# policy-map CONNS-POLICY

ASA(config-pmap)# class CONNS-MAP
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}

Note that you are limiting the connection number not the actual bandwidth with the "per-client-max" option.


CreatePlease to create content