QoS on Cisco ASA 5505 configured as Easy VPN Client
I have a Cisco ASA 5505 configured as an Easy VPN client (network extension mode). The ASA connects to the internet over a DSL link with 10 Mbps/1 Mbps bandwidth.
I have configured split tunneling on the ASA 5510, which is acting as the VPN concentrator, so that people at the remote office can go out and browse the web. I want to set up QoS so that VPN traffic gets a bigger portion of the bandwidth (upload and download) and limit non-VPN traffic to some predefined value (again both upload and download), with a specific emphasis on upload as it is only 1 Mbps. I have created a class-map named vpn-traffic and used access-lists to match ESP and ISAKMP packets. Since the ASA is configured as an Easy VPN client I can't use tunnel-group as the match criterion, or I could, but I don't know how?
The idea was to match VPN traffic to the class vpn-traffic, let all other traffic fall into the class-default class, and then apply policies to those classes. Below is the configuration of my ASA 5505. There is a problem with the configuration: all traffic is limited to the value configured for the class-default class. The command "show service-policy police" shows that VPN traffic is classified into both classes. How can I fix this?
ASA Version 8.4(1)
enable password ------------------- encrypted
passwd ------------------- encrypted
ip address 192.168.13.1 255.255.255.0
ip address xxx.xxx.xxx.xxx 255.255.255.248
switchport access vlan 2
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list VPNQOS extended permit udp any any eq isakmp
access-list VPNQOS extended permit esp any any
access-list VPNQOS extended permit udp any any eq 4500
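The policy structure described in the question, written out in full as an added example (this is not the poster's own configuration and does not contain a fix for the classification problem reported above). The access-list is the one shown in the post; the policy-map and class-map names, the rates (in bps) and the burst sizes (in bytes) are constructed placeholders. Two points a practitioner would check in such a policy are that the ASA policer is configured per direction ("police input" for traffic arriving on the interface, i.e. download; "police output" for upload), and that the service-policy is attached to the outside interface, since IKE and ESP packets exist only there.

```text
! Added example (not the poster's configuration): two-class policing
! policy in ASA 8.4 syntax. Rate and burst values are constructed.
!
! VPN control and data traffic: IKE (UDP/500), NAT-T (UDP/4500), ESP
access-list VPNQOS extended permit udp any any eq isakmp
access-list VPNQOS extended permit udp any any eq 4500
access-list VPNQOS extended permit esp any any

! Classify on the access-list; no tunnel-group is needed for this match
class-map vpn-traffic
 match access-list VPNQOS

! Police each class in both directions (bps, burst in bytes)
policy-map outside-policy
 class vpn-traffic
  police output 800000 16000 conform-action transmit exceed-action drop
  police input 8000000 160000 conform-action transmit exceed-action drop
 class class-default
  police output 200000 4000 conform-action transmit exceed-action drop
  police input 2000000 40000 conform-action transmit exceed-action drop

! Attach to the outside interface only: the vpn-traffic class can never
! match on the inside interface, where packets are still cleartext
service-policy outside-policy interface outside

! Per-class conform/exceed counters for the policers
show service-policy police
```

The counters from "show service-policy police" are the check for whether a given packet was policed by vpn-traffic or by class-default; reviewing which direction each counter grows in, with a known upload or download test running, tells you which class a flow actually landed in.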