
QoS on Cisco ASA 5505 configured as Easy VPN Client


I have a Cisco ASA 5505 configured as an Easy VPN client (network extension mode). The ASA connects to the Internet by a DSL link with 10 Mbps/1 Mbps bandwidth.

I have configured split-tunneling on the ASA 5510, which is acting as a VPN concentrator, so that people at the remote office can go out and browse the web. I want to set QoS so that VPN traffic gets a bigger portion of bandwidth (upload and download) and limit non-VPN traffic to some predefined value (again both upload and download), with specific emphasis on upload as it is only 1 Mbps. I have created a class-map named vpn-traffic and used access-lists to match ESP and ISAKMP packets. Since the ASA is configured as an Easy VPN client I can't use tunnel-group as match criteria, or I could but I don't know how.

The idea was to match VPN traffic to class vpn-traffic, let all other traffic fall into the class-default class, and then apply policies to those classes. Below is the configuration of my ASA 5505. There is a problem with the configuration, as all traffic is limited to the value configured for the class-default class. The command "show service-policy police" shows that VPN traffic is classified into both classes. How can I fix this?

ASA Version 8.4(1)

hostname ciscoasa
domain-name default.domain.invalid
enable password ------------------- encrypted
passwd ------------------- encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object network obj_any

access-list VPNQOS extended permit udp any any eq isakmp
access-list VPNQOS extended permit esp any any
access-list VPNQOS extended permit udp any any eq 4500
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400

object network obj_any
 nat (inside,outside) dynamic interface
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh inside
ssh timeout 30
console timeout 0
vpnclient server
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup GROUP1 password *****
vpnclient username USER1 password *****
vpnclient enable
dhcpd auto_config outside

dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

username admin password ------------------ encrypted privilege 15

class-map vpn-traffic
 match access-list VPNQOS
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map qos-out
 class vpn-traffic
  police input 9000000 10500
  police output 768000 10500
 class class-default
  police input 1000000 1000
  police output 256000 1000

service-policy global_policy global
service-policy qos-out interface outside
prompt hostname context

profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

: end
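An added example, not from the poster or from Cisco: a small Python parser for the QoS-relevant part of the configuration above that works out which class of policy-map qos-out a given flow lands in under the rule the poster is relying on (a packet matches only the first class in a policy-map for a given feature such as police, and class-default catches the rest), so the intended classification can be compared against what "show service-policy police" reports. The constructed config excerpt, the PORT_NAMES table and the function names are my own.

```python
import re
# Constructed excerpt of the poster's configuration: only the lines the policer decision depends on.
ASA_CONFIG = """
access-list VPNQOS extended permit udp any any eq isakmp
access-list VPNQOS extended permit esp any any
access-list VPNQOS extended permit udp any any eq 4500
class-map vpn-traffic
 match access-list VPNQOS
policy-map qos-out
 class vpn-traffic
  police input 9000000 10500
  police output 768000 10500
 class class-default
  police input 1000000 1000
  police output 256000 1000
"""
PORT_NAMES = {"isakmp": 500}  # the only named port used in the ACL above (assumed table)

def parse_config(text):
    """Parse the ASA subset used above: 'any any' ACEs, class-maps and policy-maps with police."""
    acls, class_acl, policies = {}, {}, {}
    cur_class = cur_policy = None
    for line in (l.strip() for l in text.splitlines()):
        ace = re.match(r"access-list (\S+) extended permit (\S+) any any(?: eq (\S+))?$", line)
        if ace:
            name, proto, port = ace.groups()
            acls.setdefault(name, []).append((proto, None if port is None else PORT_NAMES.get(port) or int(port)))
        elif line.startswith("class-map "):
            cur_class = line.split()[1]
        elif line.startswith("match access-list "):
            class_acl[cur_class] = line.split()[2]
        elif line.startswith("policy-map ") and line.split()[1] != "type":  # skip inspect policy-maps
            cur_policy = line.split()[1]
            policies[cur_policy] = []
        elif line.startswith("class ") and cur_policy:
            policies[cur_policy].append((line.split()[1], {}))  # (class name, {direction: (bps, burst)})
        elif line.startswith("police ") and cur_policy:
            _, direction, rate_bps, burst_bytes = line.split()
            policies[cur_policy][-1][1][direction] = (int(rate_bps), int(burst_bytes))
    return acls, class_acl, policies

def classify(cfg, policy, proto, dport=None):
    """Return (class, police settings) for the first class whose ACL permits the flow; class-default matches all."""
    acls, class_acl, policies = cfg
    for cname, police in policies[policy]:
        aces = acls.get(class_acl.get(cname), [])
        if cname == "class-default" or any(p == proto and pt in (None, dport) for p, pt in aces):
            return cname, police
    return None, {}
```

With the page's policy, ESP, ISAKMP (UDP/500) and NAT-T (UDP/4500) resolve to vpn-traffic and everything else to class-default, which is the behaviour the poster expected but did not observe for the policer.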

