With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance.
I got a few questions from people about how this functionality works, so I have put together a couple of quick examples below which you can easily modify to match your needs.
Scenario 1:
We want to rate limit a local internal host when it accesses a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100 kbps with a burst size of 8000 bytes.
Configuration Snippet:
ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1
ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl
ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000
ASA(config)#service-policy limit-policy interface outside
Scenario 2:
We need to apply a bandwidth limit to an internal LAN computer so that it uses a maximum of 5 Mbps of our Internet line in each direction.
Assume the internal LAN host is 192.168.1.1.
Configuration Snippet:
ASA(config)#access-list rate-limit-host extended permit ip host 192.168.1.1 any
ASA(config)#access-list rate-limit-host extended permit ip any host 192.168.1.1
ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-host
ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 5000000 8000
ASA(config-pmap-c)#police input 5000000 8000
ASA(config)#service-policy limit-policy interface inside