Configuring VPN Traffic Policing on an ASA

In this article we will show you how to set traffic policing on traffic which is tranversing a VPN.

Please Note : The command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will have to also configure the match flow ip destination-address command to get the policy to work.

The destination flow statement will allow you to police on all outbound individual destination flows in the tunnel group rather then the tunnel group as a whole. Because of this we will match the traffic using an access-list and then police on the inbound and outbound traffic. This way it is not based on flows but based on the source and destination address of the access-list.
This also prevents you from having to create a class-map for each Site to Site Tunnel. Instead you only need to add the source and destination networks of each VPN to the inbound and outbound access-lists.

Example : In this example each flow matched to either the inbound or outbound access-list will be policed (limited) to 256k. The example presumes that the VPN, Group-Policy and Tunnel-Group has already been configured.

access-list outbound extended permit ip
access-list inbound extended permit ip

class-map inbound
match access-list inbound

class-map outbound
match access-list outbound

policy-map outside-police
class outbound
police output 256000

class inbound
police input 256000

service-policy outside-police interface outside
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial