Cisco Firewall :: ASA 5510 Traffic Shaping For Single IP?
Sep 8, 2011
I would like to know if there is a way to apply in the Cisco asa 5510 traffic shaping not for a interface but a single IP address.For example i would like to limit the bandwith for the IP address of my FTP server.
I have a private network behind a configured Cisco ASA 5510. I need to send data back and forth between a server on the inside network and a device on the outside network on port 44818. No amount of configuration is allowing this to happen. The packet tracer always fails on of the implicity "deny" rules, even though my other rule should explicitly permit it. I also realize I need to set up routing from my outside network to the inside network, but I cannot see from the documentation how to do that on this particular port without simultaneously breaking my outside connection.
The inside IP for the ASA is 192.168.25.1 The outside IP for the ASA 192.168.11.54
Here is my current configuration:
: Saved : Written by enable_15 at 08:49:25.956 UTC Thu Feb 2 2012 ! ASA Version 8.2(5)
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
ASA 5520 can handle 2 ISP? not to load balance or not standby/active but to use the 2 ISP at the same time and separately. for example, ISP_A who has 10m will be dedicated to the customer A/VLAN A, then ISP_B who has 4m will be for the rest of the customer's traffic. Can the ASA 5520 do traffic shaping or policy map just like in a normal router?
I am trying to come up with the best way to traffic shape traffic with 3750 Me switches. the traffic will be coming from a 6504 Sup-7203b downstream and going out the wan. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic shape the traffic going towards the wan/branch to 500 to match the contracted rate and then to use qos on shaped rate. I tried to apply it to g1/1/1 using port based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the metroe into different vlans so I can bring branch offices in on different vlans.c
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
I have a question around pix 501 (6.3) configuration. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from external (dmz) interface through to multiple addresses (on the same ports) on the internal (secure) network and dont know how to best approach it or if its possible. The only way I have found to allow traffic through is via Static Nat entries which I cant see will work for this requirement as we need some ports to be allowed into multiple addresses.
We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentialy, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.
I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The checkpoint firewall has 8 physical interface so the ASA 5510 also support physical 8 interfaces so thiw will be a one-to-one swap. At the moment, I don't have an ASA 5510 to test my theory so I am going to throw it out here. The checkpoint firewall is a SPLAT running on an powerfull IBM Server with 8 CPU dual cores with 32GB of RAM and it has 1200 rules with over 120,000 objects with some of the crazy NATs but it works so we will just leave it at that. There are not that much traffics going across the firewall so there are no need to put in an ASA 5585
I use the cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer goal is that at the time when cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic.
My question is that can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with FWSM but since I don't have an 5510 to test.
I am a traffic shaping newcomer and need some guidance as how to BEGIN to approach a problem with traffic. We have been rolling out Windows 7 at sites and the additional traffic it causes on installation is considerable as it has to request information from our central site to populate My Documents and Outlook mailboxes.This has caused some problems on sites as there traffic rates increase to the point that QoS is not sufficient to protect voice traffic and delays and one-way audio are being experienced.One question is this - is GTS a solution or is CBWFQ within GTS the solution or is something else preferable? The sites involved are data/voice with a variety of routers.Second question is this - if we have a remote site with a 3725 router as the WAN aggregator with one 4506/Sup IV and one Cat 3550-24-PWR the shaping should be best placed on the 3725, correct? Also, are there issues with shaping incoming/outgoing traffic as I seem to have read?FYI, the 3725 router has 12.4(8d) with IP VOICE/NO CRYPTO IOS version. The 4506 has 12.1(23)E4 with basic L3 feature set.
I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host? What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 220.127.116.11 on the Outside, but thats it no other host would be PINGable.I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp" but then everything is PINGable and the ASA does not block anything.
What's the good, inexpensive way to add traffic shaping to a small network? Let's say there are about 20 users on a T1 circuit. Existing router is an Adtran 3430 (from the telco so we can't touch it). Everything works fine except when they get really heavy with uploads/downloads when document scanning, and the telnet sessions to the mainframe app start getting dropped. Major PITA. Basically need to make telnet traffic a priority.Now, I could drop a pfSense box in there using an old workstation, but I'd like something I can stick in a rack, or is at least really small and hopefully under $200 or so.
I have a 3825 with a 1Gb fiber card at one of my sites. Our ISP and MPLS provider hand off a single gigabit fiber to us that contains 2 50MB EVC's.I need to apply QoS to one of the EVC's and shape them both to 50Mb to avoid upstream rate mismatch bottlenecks. Both of the EVC's generally only push 10Mb during business hours.When I run UDP stream tests (various rates from 500k-6m that are marked as AF41) to one of my other sites I am consistently getting about 2% packet loss, despite the fact the circuit isn't even close to 50% saturation. When I remove Shaping and QoS all together, the issue nearly clears itself up, except during peak hours and I get small bursts of packet loss, which is still unacceptable.When the pipe is at near zero utilization (after hours) there also is no packet loss with or with out the shaping/qos applied.
There is a remote server that downloads info from a server here at HQ. When the dowloads start the rxload on the S0/0/0 interface jumps to 98 percent or so; rxload 250/255. I needed to limit the bandwidth utilization between the servers, so I added the below line to the LAN interface on the remote router.By adding the command, it reduced the download utilization -which is what I wanted.
access-list 185 permit ip host 10.6.27.1 any ! int f0/0 traffic-shape group 185 10000 8000 8000 1000
Question:How would applying this to the LAN interface cause the download utilization (Coming from s0/0/0) to decrease?
I want to take 100Mb incoming from a service provider and police it off into several VRFs for customers.One of these VRFs will be 30M.I further need to traffic shape this (30Mb) out to 40 x 0.75Mbps (burstable to 30M) customers.
I have a client who has Cisco 3800 series routers in their data centre with which they have QoS/CoS policies implemented. They wish to further manage traffic by limiting outbound traffic to their branch sites in line with the network access bandwidth each site has available. Is this possible whilst leaving the QoS policies in place? If so how?
I have following scenario - router 2911 connected to 2950 switches with about 80 vlans. How can I limit speed on each of the 79 vlans (to equal % acros all of them) and give vlan 80 lets say 30% of total bandtwith. Since I am new to QOS, can you point me to the right website or give me example.
I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...
1: Users on my private network to be able to access the internet (PAT them to external outside address) 2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
Email (MX) = 18.104.22.168 Public (outside) address = 22.214.171.124 Email server internal = 10.1.2.3 Internal private subnet for users = 10.0.0.0/8
I am suggesting an ASR1001 as a head end router for a small hub spoke WAN consisting of 4 branch sites connecting to the head via LES. 3 are 100mb, one is 30 mb. I will be connecting the LES circuits to a swithc and then trunking to the router. I would like to apply outbound shaping to these 4 subinterfaces on the router, and just want to check this is supported?
I'm new to an ASA 5510 running 8.4(3) and am trying to figure out something regarding time ranges in ASDM. I simply want to allow a single port during business hours only (I'm not concerned about open sessions needing to be closed). So as an example I add a rule something like:
(RULE1 on the internal interface) SRC=INTERNAL DEST=ANY SERVICE=RDP ACTION=PERMIT with a time range set for weekdays 8:00-16:59. I did a test after 5pm on a weekday and was still allowed to do RDP to a server (from INTERNAL), and after using the packet trace tool saw it was still passing through due to a rule a couple lines down (rule 4) that allowed a port range that happened to include port 3389. So my question is if I specify an "allowed" time range and someone attempts access outside that time range, why doesn't it drop it right there? I guess I'm assuming that anything outside the "allowed" time range would be dropped but that doesn't seem to be the case. I'm also assuming the rule base is processed top to bottom.
We are looking to implement a bandwidth policy for our Internet link. What i would like to know is if we use a policing policy, will the exceeded dropped packets be resubmitted from the source? Will the dropped packets be resubmitted? Are there any differences besides this when using either policing or shaping policies? Is one better than the other?
We are a new medical school located in PA. Just have just completed a new building and are now working on getting our network finished. Here is the situation we have a 50MB Internet Connection that comes into our network that then hits the ISPs Cisco 3750 which sends it to two of our Cisco 3750s for redundancy. From the 3750 goes into our Cisco 6509 with a FWSM module, then out from there to our distribution switches which are all Cisco 2960s.
What we would like to do is to control how much WAN connectivity each of our VRFs get. Right now we have a Faculty, Student, and Research VRF formed, and are trying to figure out the best spot where we can say Faculty gets 30MB of Bandwidth, Students gets 10, and Research gets 10. If possible would like burst capabilities.
We have an ISP connection that is connected via an ethernet interface on a 5510 ASA. We are allotted 10Mbps. I have currently have the interface set to 10Mbps Full. However we want to upgrade the connection to 25Mbps. I know I can set the port speed to 100Mbps and then set a shape/police statement and shape down to 25Mbps.
Management wants to be able to call the ISP and arbitrarily adjust that speed up temporarily at any time without any user/admin intervention on our side. I can simply leave the port at 100Mbps i.e. no shape statement on my side however I will run into problems with large amounts drops, overruns, retransmissions, etc due to the ISP shaping the connection speed during normal operations. However they then could then adjust the speed at any time without needing me.
I do not know the best way to make this work. Is there some sort of dynamic/smart shaper in the ASA or another cisco device?
I have lots of PPPoE users that get Virtual Access interfaces created upon login based on a virtual template. I need to traffic shape them. I know how to get it to work on an individual basis, because the policing within a service policy works fine. As soon as i change it to shaping it leaves things wide open.I really dont care how it gets done, I just need to be able to specify a speed to be traffic shaped and apply that to a virtual template. I need to limit speeds on the download and upload, i understand that the upload i will use the policing, but the download i need it to smooth out the flow and be traffic shaped, not policed.
Here is my Policies and classes:
*** policy-map CHILD class class-default bandwidth 1650policy-map PARENT class class-default shape average 1650000 service-policy CHILD**** Here is my Virtual Template: **** interface Virtual-Template8 description pppoe-auth-FTTH ip unnumbered FastEthernet0/0 ip access-group subs-in-FTTH in ip mtu 1493 timeout absolute 6120 0 peer default ip address pool FTTH-POOL ppp authentication pap pppoe-auth ppp authorization pppoe-auth ppp timeout idle 84600 service-policy output PARENT
The results i am getting is unrestrcited throughput, i am seeing about 40mb of throughput when the target is to limit to 1.65MB. As you can see from the output the PARENT class is seeing 279116 packets, but the shaper only saw 59. In all the examples i see on the internet these two numbers should be the same. Why is the shaper not acting on all the traffic crossing that class/policy?
I make qos on VPN Tunnel, but i make command service-policy output name, it show the error below Traffic Shaping feature is not supported in user defined class of parent level policy.My cisco router 1921, IOS : c1900-universalk9-mz.SPA.150-1.M5.bin
We have some ASR WAN routers which have a dedicated 400M interface to a remote site.
Servers on our Local network source the data through some firewalls via 10G interfaces, which connects to 4500X WAN switches then to the Routers on 1G links.
The sources are rate limiting the traffic but the routers are periodically dropping packets which I think is mostly due to burstiness in the traffic between as it traverses through from 10G links to 1G then to 400M.
How to setup traffic shaping on the 4500X outbound port to our WAN routers.I'd like to see if we could buffer and smoothe out the traffic as it exits the 4500X WAN switch 1G port to the WAN Routers.
I have catalyst 3750 I want to controle traffics on every port I have tried Frame-Relay Traffice shaping and Quality of service but there is no support for these commands in the switch.do we have any way to limit traffic on every port in catalyst 3750 and 2960 switches ?
I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
P.S.: I'm using a 5510 machine running version 8.2