Thanks

Do you have any Cisco docs that refer to your explanation? Wondering why
ASA would allow it. Validation checks in ASA are better implemented than in IOS.


With regards
Kings

On Thu, Nov 10, 2011 at 3:46 AM, Venkat Ragothaman
<[email protected]> wrote:

> When you want to police the encrypted traffic, you match on tunnel-group
> and do a 'police output'.
>
> To police the decrypted VPN traffic, matching based on tunnel-group will
> not work because of the way flows are created before/after decryption. As
> an encrypted packet gets terminated at a tunnel, a flow is created based on
> tunnel header. The packet is decrypted, a new flow is created based on the
> new IP header and re-injected into appropriate forwarding interface. So,
> matching based on inner IP header info like DSCP, IP address etc and
> 'police input' should do for decrypted traffic.
>
> Thanks.
>
>
>> Message: 2
>> Date: Wed, 9 Nov 2011 09:38:16 -0600
>> From: "Manire, Matt" <[email protected]>
>> To: "Kingsley Charles" <[email protected]>,
>>        <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Policing traffic coming out from
>>        tunnel  afterdecryption
>> Message-ID:
>>        <[email protected]>
>> Content-Type: text/plain; charset="us-ascii"
>>
>>
>> Kings,
>>
>>
>>
>> I thought you could only police traffic outbound.  Does it work if you
>> change the police action from an input to an output as such:
>>
>>
>>
>> class-map vpn
>>  match tunnel-group 10.20.30.40
>>
>> policy-map vpn
>>  class vpn
>>  police output 9000
>>
>> service-policy vpn interface outside
>>
>>
>>
>> Matt Manire
>> CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
>> Information Systems Security Manager
>> [email protected]
>>
>> t: 817.525.1863
>> f: 817.525.1903
>> m: 817.271.9165
>>
>> First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 |
>> www.FirstRate.com
>>
>>
>>
>>
>>
>>
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kingsley
>> Charles
>> Sent: Wednesday, November 09, 2011 12:08 AM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] Policing traffic coming out from tunnel
>> afterdecryption
>>
>>
>>
>> Hi all
>>
>> I am trying to police packets coming out of the tunnel after decryption
>> using the following config but doesn't work. Has anyone tried?
>>
>> class-map vpn
>>  match tunnel-group 10.20.30.40
>>
>> policy-map vpn
>>  class vpn
>>  police input 9000
>>
>> service-policy vpn interface outside
>>
>>
>> asa1# sh service-policy interface outside
>>
>> Interface outside:
>>  Service-policy: vpn
>>    Class-map: vpn
>>      Input police Interface outside:
>>        cir 9000 bps, bc 1500 bytes
>>        conformed 0 packets, 0 bytes; actions:  transmit
>>        exceeded 0 packets, 0 bytes; actions:  drop
>>        conformed 0 bps, exceed 0 bps
>>
>>
>>
>> Policing packets going into the tunnel for encryption works.
>>
>> class-map vpn
>>  match tunnel-group 10.20.30.40
>>  match flow ip destination-address
>>
>> policy-map vpn
>>  class vpn
>>  police output 9000
>>
>> service-policy vpn interface outside
>>
>>
>> With regards
>> Kings
>>
>
>
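As an added illustration of Venkat's explanation (this is not a config from the thread and not an official Cisco example), below is one ASA policy that polices both directions of a site-to-site tunnel on the outside interface: the tunnel-group/flow class with "police output" covers traffic going into the tunnel for encryption, while a second class that matches on the inner IP header (here an extended ACL; "match dscp" would also do) with "police input" covers the post-decryption flow. The peer 10.20.30.40 and the 9000 bps rate come from the thread; the branch network 192.168.20.0/24, the local network 10.10.10.0/24 and the ACL/class names are constructed for the example, and a single policy-map is used because the ASA accepts only one service-policy per interface.

```cisco
! Added example, not from the original thread. Assumed/constructed values:
! remote branch LAN 192.168.20.0/24, local LAN 10.10.10.0/24 (peer 10.20.30.40
! and rate 9000 bps taken from the thread). Not verified on a specific ASA release.

! Direction 1: cleartext entering the tunnel (before encryption).
! Matching on the tunnel-group works here because the flow that gets policed
! is the one selected for the tunnel; police output on "outside".
class-map vpn-encrypt
 match tunnel-group 10.20.30.40
 match flow ip destination-address

! Direction 2: traffic leaving the tunnel (after decryption).
! The tunnel-group match only sees the encrypted flow; the decrypted packet is
! re-injected as a new flow, so classify on the inner header instead.
access-list FROM-BRANCH-DECRYPTED extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
class-map vpn-decrypted
 match access-list FROM-BRANCH-DECRYPTED

! One policy-map with both classes (only one service-policy per interface).
policy-map vpn
 class vpn-encrypt
  police output 9000 1500
 class vpn-decrypted
  police input 9000 1500

service-policy vpn interface outside
```

To check that the inner-header class is actually catching the decrypted flow, generate traffic from the branch LAN toward the local LAN and re-run "show service-policy interface outside": the "Input police" counters under class vpn-decrypted should increment, whereas the original tunnel-group class with "police input" stayed at 0 conformed / 0 exceeded packets as shown in the thread. Policing the decrypted side this way is also what bounds how much cleartext a remote peer can push into the inside network through the tunnel.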