{"id":349,"date":"2009-12-23T16:35:50","date_gmt":"2009-12-23T16:35:50","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2009\/12\/23\/configuring-vpn-traffic-policing-on-an-asa-821\/"},"modified":"2021-07-24T18:55:19","modified_gmt":"2021-07-24T18:55:19","slug":"configuring-vpn-traffic-policing-on-an-asa-821","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/configuring-vpn-traffic-policing-on-an-asa-821.html","title":{"rendered":"Configuring VPN Traffic Policing on an ASA"},"content":{"rendered":"
In this article we will show you how to configure traffic policing for traffic that is traversing a VPN.<\/p>\n
Please Note:<\/strong> The command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will also have to configure the match flow ip destination-address command to get the policy to work.<\/em><\/p>\n The destination flow statement will allow you to police on all outbound individual destination flows in the tunnel group rather than the tunnel group as a whole. Because of this we will match the traffic using an access-list and then police on the inbound and outbound traffic. This way the policing is not based on flows but on the source and destination addresses of the access-list. Example:<\/strong> In this example each flow matched to either the inbound or outbound access-list will be policed (limited) to 256k. The example presumes that the VPN, Group-Policy and Tunnel-Group have already been configured.<\/em><\/p>\n In this article we will show you how to set traffic policing on traffic which is traversing a VPN. Please Note: The command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will have to also configure the match flow ip destination-address command to … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"\n
This also saves you from having to create a class-map for each site-to-site tunnel. Instead, you only need to add the source and destination networks of each VPN to the inbound and outbound access-lists.<\/p>\naccess-list outbound extended permit ip 192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inbound extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
class-map inbound
 match access-list inbound
class-map outbound
 match access-list outbound
policy-map outside-police
 class outbound
  police output 256000
 class inbound
  police input 256000
service-policy outside-police interface outside<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"