05-18-2014 07:00 AM - edited 02-21-2020 05:11 AM
All,
I am looking to see if host-based internet rate limiting is possible on an ASA for internet (not intranet) traffic. Here is what I am trying to accomplish:
- allow a single user 512Kbps per flow with a burst ability of 1Mbps
- only rate limit on inbound (download)
- exempt RFC1918-to-RFC1918 private IP addressing (intranet), which flows from VPNs and DMZs towards the host
I put something together like this:
- Classify traffic that matches that ACL.
- Build a policy on how to treat "each flow" matching that classification. This policy limits each flow (download or stream) to 512Kbps, but allows burst up to 128KBps (1Mbps - notice big 'B').
- Apply the policy to the firewall's host-serving interfaces.
06-21-2014 02:32 AM
Hi,
I do not think it will be able to do per-user rate limiting... it is possible when you have Active Directory integrated with it. However, you can do it with some limitations.
And one more thing: your ACL has wrong entries with respect to port mapping.
Source should be any and destination should be any eq 80/443/8080.
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp535067
HTH
Regards
Karthik
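Putting the three steps from the original post together with Karthik's ACL correction, here is a constructed ASA configuration (an added example, not the poster's own config or Cisco's documentation). Assumptions: the object-group, ACL, class-map and policy-map names, the interface name `inside`, the 128000-byte burst as the "128KBps" figure, and policing `output` on the host-facing interface so that only downloads are limited.

```cisco
! Constructed example: per-class policing of internet HTTP/HTTPS downloads on an ASA.
! Hypothetical names: RFC1918, RATE-LIMIT-ACL, RATE-LIMIT-CLASS, RATE-LIMIT-POLICY, inside.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Deny ACEs keep RFC1918-to-RFC1918 (VPN/DMZ intranet) flows out of the class, so they
! are never policed. The permit lines follow Karthik's correction: source any,
! destination any eq 80/443/8080.
access-list RATE-LIMIT-ACL extended deny ip object-group RFC1918 object-group RFC1918
access-list RATE-LIMIT-ACL extended permit tcp any any eq www
access-list RATE-LIMIT-ACL extended permit tcp any any eq https
access-list RATE-LIMIT-ACL extended permit tcp any any eq 8080
!
! Step 1: classify traffic matching the ACL.
class-map RATE-LIMIT-CLASS
 match access-list RATE-LIMIT-ACL
!
! Step 2: police output <conform-rate bps> <conform-burst bytes>.
! 512000 bps = 512Kbps; 128000 bytes = the 128KB burst from the original post.
! Packets over the rate are dropped; conforming packets are transmitted.
policy-map RATE-LIMIT-POLICY
 class RATE-LIMIT-CLASS
  police output 512000 128000 conform-action transmit exceed-action drop
!
! Step 3: apply on the host-facing interface. Downloads leave the ASA through this
! interface, so "output" limits download traffic only; uploads are untouched.
service-policy RATE-LIMIT-POLICY interface inside
```

Conform and exceed counters can be checked with `show service-policy interface inside police` to confirm the class is actually matching the intended flows.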