Cisco WAN :: Traffic Shape Per Policy (ASA5510 With 8.x Software)

Jun 25, 2012

I have an ASA 5510 with 8.x software and I want to reserve (I mean RESERVE, not PRIORITIZE) traffic based on protocol, like if I have a 10Mbit I want to:
- give 3 Mb for smtp
- give 5 Mb to http/s whatever
- 2 Mb for other stuff.
Of course QoS won't do that; can you do that with ASA?



Cisco Firewall :: Can Traffic Shape To 200Mbps On ASA5510

May 30, 2012

I have an ASA5510. It includes the Security Plus license. I want to traffic shape to 200Mbps. But I checked CCO. CCO said that the shaping limit is 154400000: "Enables traffic shaping, where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000." Does it mean the shaping limit is 154400000? Can I shape to 200Mbps?


Cisco WAN :: 3825 - What Does Shape Average Percent Mean In QoS Policy

Jan 3, 2010

I am working at a client site that is an MPLS customer. The customer has an MPLS circuit that runs between their Main HQ and their Disaster Recovery site. I have been asked to analyze and report as well on the way the QoS Policy is written, and to provide any recommendations on how they can improve performance. There is a statement within the QoS Policy as it exists at each end on the 3825 routers. The statement is called "shape average percent". Here is the policy from one side:
policy-map QoS
  class COS2_traffic
    set dscp af31
    shape average percent 12
    bandwidth percent 13

What does this statement mean and how is it different from the "bandwidth percent" statement?


Traffic Shape Group 101 500000

Apr 21, 2012

What are the values of Bc and Be?
interface fast 0/0
  traffic-shape group 101 500000


Cisco WAN :: Shape Output Traffic 2821

Mar 8, 2012

I have a Cisco 2821 with IOS Version 12.4(21). On that router I have a WAN link that is 550mbit dual. The interface is 1000FD so I need to shape my output traffic to max 550mbit - otherwise my ISP policing is dropping the traffic.
I've looked at this document url... and I'm trying to use this interface command: traffic-shape rate
But the router won't accept rate value 550000000, which should be 550mbit in bits/s.
Is it not possible to shape the traffic to 550mbit on the 2821 router?


Cisco Firewall :: ASA5520 8.0(2) Does Not Have Traffic Shape Feature

Dec 21, 2011

Recently I wanted to apply traffic shaping on my ASA5520, but after entering the configure mode of policy-map, I could not find the shape command. If I type the command, the device notifies me that there is no such command. My version is 8.0(2). PS: the police command is working fine...


Cisco WAN :: Configured Policies To Shape Traffic On Interface Of 7206 Router?

May 1, 2012

I have configured policies to shape the traffic on the interface of a Cisco 7206 router. Now my management wants to configure these policies on a time basis, i.e. the policy should be applicable during a specified time period only. Is it possible? If yes, how to configure it?


Cisco Firewall :: Configure Policy NAT On ASA5510?

Apr 12, 2011

how can I configure policy NAT on ASA5510. I would like to do the following;     NAT to
 If source IP =
then NAT to     =
the rest NAT to =
The issue is I want NAT to when access The rest NAT to current NAT.


Cisco Firewall :: ASA5510 / Create NAT Policy For Two DSL Connections?

Sep 20, 2012

How to configure our ASA to NAT our two internet connections? At the moment the first works fine.
ISP1                        NAT
ASA5510      LAN
ISP2                         NAT


Cisco VPN :: How To Limit Maximum SSL VPN Sessions Per Group-policy On ASA5510

Nov 25, 2012

How to limit maximum SSL VPN sessions per group-policy on ASA5510?
There are 2 group-policy: in one maximum of 10 connections, in the second - 15 (In total licenses for SSL VPN 25 connections).


Cisco Firewall :: ASA5510 Delete Default Service Policy Rules?

Jan 7, 2013

We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.
We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.


Cisco VPN :: ASA5510 / Make Some Local Policy With Client Of SSL VPN AnyConnect And Block Access To Internet

Dec 12, 2012

Can I make some "local policy" with the SSL VPN AnyConnect client and block access to the internet?

The user would only have access to the internet if he was connected to the VPN (by internal proxy).


Cisco WAN :: 4507 Redirect Web Traffic Via Policy

Jul 12, 2011

We have a W2K3 domain with Catalyst 4507 routers. Clients (laptop, tablet etc) need to redirect web traffic (port 80) to a proxy server that listens on port 8080.
Before you ask, this cannot be done using a PAC file distributed via Group Policy or the like because these devices are not controlled by us. These devices are client owned and could be non-Microsoft OS and/or non-IE browser. The theory is to have a WiFi network where clients can bring whatever they like - iPad, Android, Windows, whatever it may be but we do not control them and therefore cannot send a PAC file to it. In the case of Android it does not have a proxy setting even if we could force something.
I've looked at Policy Based Routing which appears to do half the job. I can route a web request that is on port 80 to a new location ie our proxy server. But the problem is that it arrives on the same port 80 when the proxy server only listens on port 8080.


Cisco Switching/Routing :: WS-4507R / Policy For Traffic Shaping?

Feb 18, 2012

I am trying to do policy on the interfaces of my switch WS-4507R; below is the configuration I used to shape the traffic to 1 Mbps. However, when I tested it the traffic exceeded 1 Mbps.
class-map match-all 1MB
  match access-group name 1MB
policy-map 1MB
  class 1MB


How can I restrict my bandwidth on the interface to 1 Mbps?


Cisco Switching/Routing :: Traffic Policy Is Not Working On Catalyst 3750?

Jan 28, 2013

Unable to limit traffic on Catalyst 3750 gigabit ports; it has fiber modules.
I want to limit traffic to 2mb per port.
I have tried srr-queue and policer but it is not working, and there is no ratelimit command under any interface. Applying a policy to output is not supported on the interface.
policy-map rate-limit
  class class-default
    police 2000000 8000 exceed-action drop
int gi1/0/3
  service-policy input rate-limit
Still, when I start a download it goes to 10 mbps.


Cisco Firewall :: Can The ASA 5520 Do Traffic Shaping Or Policy Map Just Like In A Normal Router

Feb 13, 2011

Can the ASA 5520 handle 2 ISPs? Not to load balance and not standby/active, but to use the 2 ISPs at the same time and separately. For example, ISP_A, which has 10m, will be dedicated to customer A/VLAN A, then ISP_B, which has 4m, will be for the rest of the customer's traffic. Can the ASA 5520 do traffic shaping or policy map just like in a normal router?


Cisco Switching/Routing :: Switch 3750 / Policy Inbound Traffic Per IP?

Mar 2, 2012

We are using Cisco 3750 switches in our environment as distribution switches. We currently use to police inbound traffic, but we need to find a solution to limit inbound traffic per IP. Something like this: "Inbound traffic for each IP can be maximum 1 Mbps". This can be done having one ACL and one class-map for each IP, but in my situation it is not a practical solution, because we have more than 500 IPs on that site.
Is there any way to accomplish this without writing 500 ACLs and 500 class-maps?


Linksys Wired Router :: BEFSX41 Creating Inbound Traffic Policy?

Feb 12, 2010

BEFSX41 V2.1
Firmware: 1.52.16
The manual states how to create an inbound traffic policy but if you follow the directions there is no place to select inbound traffic. From the manual:
To Create an Inbound Traffic Policy
1. Enter a Policy Name in the field provided. Select Inbound Traffic as the Policy Type.
2. Enter the IP Address from which you want to block. Select the Protocol: TCP, UDP, or Both. Enter the port number or select Any. Enter the IP Address to which you want to block.
3. Select Deny or Allow as appropriate.
4. By selecting the appropriate setting next to Days and Time, choose when the Inbound Traffic will be filtered.
5. Lastly, click the Save Settings button to activate the policy.
When finished making your changes on this tab, click the Save Settings button to save these changes, or click the Cancel Changes button to undo your changes.
I want to filter out a range of IP addresses from trying to connect to my network.


Cisco Application :: Apply Policy Only On Specific Subnet / Port 443 Traffic Can Be Redirect And Rest

Feb 16, 2012

I am facing a problem with ACE configuration. I want to redirect 443 traffic to my Proxy Server. But I am not able to do this. I want to redirect only subnet only it is working but I don't have to have this policy to be applied on all the users only one subnet I want to have under HTTPS policy.
How can I apply the policy only on a specific subnet so that port 443 traffic can be redirected and the rest of the subnets can go directly to the Internet?


Cisco WAN :: Throttling Traffic Through ASA5510

Apr 17, 2013

Although this is not a common issue, we have experienced occasions where our internet utilization has been maxed out (slowing everyone else down). Utilizing some features in the ASA, such as Top Usage Stats, along with PRTG monitoring, have always tracked the culprit down to being a single user -- be it someone downloading movies to a portable device, or downloading ISOs. (And for some strange reason it seems to always be a wireless user.) We are using an ASA 5510 for our firewall, and I was wondering if it's possible to prevent a single client from consuming a disproportionally large percentage of our internet bandwidth? If the ASA 5510 doesn't have the ability to do this on its own, are there any recommendations for add-on solutions?


Cisco Firewall :: ASA5510 Allow Traffic From DMZ To LAN

Sep 18, 2011

My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Basically all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as nat or ACLs to make this work? My LAN is and DMZ is


Cisco WAN :: ASA5510 - Forward IP Traffic Through VPN?

Jul 4, 2011

ASA5510 configuration, I would like to know if it is possible (and how) to forward traffic received on WAN port of the first ASA to the server in LAN on the other side of VPN tunnel:
Internet (IP 85.128.50.x) – ASA5510 (192.168.1.x) – VPN tunnel – ASA5510 – LAN (172.16.71.x)
I need to have IP redirected to through VPN?


Cisco VPN :: ASA5510 Can't Seem To Route Traffic To Both Interfaces

Sep 12, 2012

I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside which works, and have added 0/2 as Inside2 I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?


Cisco VPN :: Tunnel Between ASA5510 And Pix Router Allows All Traffic?

Oct 1, 2011

We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing out at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.
I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.


Cisco Firewall :: ASA5510 Not Routing Traffic To Internet

Sep 2, 2012

I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).


Cisco Firewall :: ASA5510 - Separate Traffic By Protocol

Apr 9, 2012

I would like to connect a second ISP link to our ASA 5510 to solely serve http traffic from our organization's employees (ie. web surfing). We currently have all employee traffic and two site-to-site VPN tunnels connecting to the internet from this firewall. I want to keep the tunnels as currently configured on the existing connection and split out http/https traffic from our staff onto a less costly link.


Cisco Firewall :: ASA5510 / Inbound Traffic Being Blocked

Nov 7, 2012

I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?


Cisco VPN :: ASA5510 - Slow Traffic On IPSec Tunnels

May 2, 2013

We have many VPN tunnels back to our corporate office.  All of these tunnels are very slow (same with our client VPN's).  Our main firewall device at the corporate office is an ASA5510.  We have a 100 Mb/sec Metro Ethernet internet connection here.  We do not allow split-tunneling.

Our remote sites vary.  We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down).  The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.

To take an example.  On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms.  And I'm pinging back through another 100 Mb/sec connection.  If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100.  Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue. 

Right now, all my MTU's are just set to the default 1500.  Perhaps this is too high.  I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows:
Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300)
Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444)
Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)

So, do I just need to set my MTU values to the appropriate amounts?  I have tried changing the value, but I don't see any change in speed/performance.  But I also don't know if I need to reboot the firewalls after changing the MTU.  I know with Catalyst switches, you have to reload.  But I didn't see any messages about needing to reboot on the ASA's/PIX's.


Cisco Firewall :: Allowing Multicast Traffic To Pass Through ASA5510

Mar 1, 2011

I'm not able to configure the ASA 5510 to allow the multicast traffic to pass through the ASA. The multicast traffic has to pass from the inside interface to the outside interface. Can I configure the multicast traffic to pass through the ASA with a static NAT?


Cisco Firewall :: ASA5510 / Block HTTPS Traffic In CSC Module?

Dec 15, 2011

I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.


Cisco Firewall :: ASA5510 - Traffic Between Multiple Inside Interfaces

Oct 10, 2011

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.
Below is a sanitized version of the config.

ASA Version 8.2(1)
hostname BOB



Cisco Firewall :: ASA5510 SMTP Traffic - Host Unreachable

Jul 8, 2012

Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 12345 25.
Phase: 1
Result: ALLOW
Additional Information:
Found no matching flow, creating a new flow
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to do some successful testing to prove otherwise.


Cisco Firewall :: ASA5510 - Redirect HTTP Traffic To Internal Proxy?

Feb 13, 2011

I am using an ASA5510 and I want to know if it is possible to redirect HTTP traffic to an internal proxy software. I explain: PCs on the LAN use an internal proxy in their IE browser but some other PCs don't use it. They are directly connected to the Internet using the public IP from the WAN interface (via NAT). Can we redirect this HTTP traffic from the WAN interface to the proxy in the LAN?
HTTP traffic will be routed like this: PC -> WAN interface -> Proxy -> WAN interface -> Internet. In fact, can we create a rule saying: all HTTP traffic which doesn't come from the proxy IP must be redirected toward the proxy?

