Bandwidth Throttling for Cisco VPN Clients Via Concentrator Config

Question: I am currently using a Cisco 3000 series VPN Concentrator attached to a 1.54 T1 (external). I have 35 clients which I've already set up within the concentrator config, but am suffering from a lack of available bandwidth; I work for the state of NY, so getting another T1 is out of the question. I was thinking more along the lines of bandwidth throttling and allotting a set amount of bandwidth per user. Not all the users log in at once, but the system only allows 4-5 users on at once. The application which they are utilizing only requires 100k of bandwidth. Can anyone help me with the configuration of said bandwidth throttling?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx
passwd xxxxxxxxxxx encrypted
hostname TempGate
domain-name easyng.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 newPaltzOffice
access-list inside_outbound_nat0_acl permit ip any xxx.xxx.xxx.xxx 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any xxx.xxx.xxx.xxx 255.255.255.128
access-list EASY_splitTunnelAcl permit ip xxx.xxx.xxx.xxx 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNewPool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.0 255.255.254.0 inside
pdm location newTempOffice 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map client authentication LOCAL
crypto map outside_map_1 client authentication LOCAL
crypto map outside_map_2 client authentication LOCAL
crypto map outside_map_3 client authentication LOCAL
crypto map outside_map_4 client authentication LOCAL
crypto map outside_map_5 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_5 client authentication LOCAL
crypto map outside_map_5 interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 360
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup EASY address-pool VPNewPool
vpngroup EASY split-tunnel TEMP_splitTunnelAcl
vpngroup EASY idle-time 1800
vpngroup EASY device-pass-through
vpngroup EASY password ********
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet xxx.xxx.xxx.xxx 255.255.254.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username 0 password .s7bwdBQgkrXeuhj encrypted privilege 0
username 0 password nr5maX1ppGR0pO7C encrypted privilege 0
username 0 password zt494fNN2sKBqKeF encrypted privilege 0
username 0 password MMsFgltAJ6zPP.KU encrypted privilege 0
username 0 password .s7bwdBQgkrXeuhj encrypted privilege 0
username 0 password .s7bwdBQgkrXeuhj encrypted privilege 0
username 0 password qSkMtbMvE.8XB/rg encrypted privilege 0
username 0 password M68hmc992lLRzEEP encrypted privilege 0
username 0 password CfZZKhK0x.Fz25PO encrypted privilege 0
username 0 password 3hUCyZnny4zkQwRC encrypted privilege 0
username 0 password Zm5ZiAANpo/qzQgx encrypted privilege 0
username 0 password QwmwSliF3j.0GTnQ encrypted privilege 0
username 0 password oojCw4CEo28RDUCf encrypted privilege 0
username 0 password S0asrPV.4cBKUx8b encrypted privilege 0
username 0 password txM.GjptGJNznAGL encrypted privilege 0
username 0 password .YUTjqYEZpnWukgn encrypted privilege 0
username 0 password gO41j2hEce10nUz6 encrypted privilege 0
username 0 password YWXoJXFmoyV82JEQ encrypted privilege 0
username 0 password w1lQMfh959qX6fsP encrypted privilege 0
username 0 password yJsgZA5wmkbtw2jz encrypted privilege 0
username 0 password Qw4Gt1Zv9GzHWly. encrypted privilege 0
username 0 password 5b41R7NWy0627icV encrypted privilege 0
username 0 password BiOB9kS7Bf12hlsx encrypted privilege 0
username 0 password ebMb6oPHxrwjlCBe encrypted privilege 0
username 0 password r9iJD4/LhNT7vvZn encrypted privilege 0
username 0 password blSTcThaIjemvD8Q encrypted privilege 0
username 0 password F.LDGvqdP/SDSG8B encrypted privilege 0
username 0 password 5OxG1c3KtLGm4ygP encrypted privilege 0
username 0 password Ai/HvSXE5zzLVZgY encrypted privilege 0
username 0 password ntzAFB77VtK5vc9D encrypted privilege 0
username 0 password cvCcsvSZU1wZdBtI encrypted privilege 0
username 0 password ix3HRDX7YYN35Bp6 encrypted privilege 0
username 0 password hdrqvWRJ6XT22HDH encrypted privilege 0
username 0 password t3v.WxV4dWOK2SW/ encrypted privilege 0
username 0 password dl4ZsowI9/yhmz0M encrypted privilege 0
username b password xxxxxxxxxxxxxxxx encrypted privilege 15
username o password xxxxxxxxxxxxxxxx encrypted privilege 15
username b password xxxxxxxxxxxxxxxx encrypted privilege 15
username n password nekLIZ7TJgDUWqKI encrypted privilege 0
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
vpnclient server xxx.xxx.xxx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup TEMP password ********
terminal width 80
Cryptochecksum:6eb0ea0fcc57381dd61ebb99b6e50db7
: end
Asked by TheLank

1 Solution
rsivanandan commented:
Is it a concentrator or a PIX? The config above is from a PIX. I don't believe you can do that using a PIX firewall. When it comes to quality of service, the PIX is not really the box even for normal firewall operations, so through a VPN tunnel it is highly impossible.

Cheers,
Rajesh
lrmoore commented:
>PIX Version 6.3(5)

This is a PIX FW and not a concentrator. As such, there is zero capability to do any type of bandwidth control for VPN clients.

Split-tunneling is your best bet to fix the bandwidth issue.
>vpngroup EASY split-tunnel TEMP_splitTunnelAcl
You only have this defined, which does not match your vpngroup command, and the 'any' is killing you.
>access-list EASY_splitTunnelAcl permit ip xxx.xxx.xxx.xxx 255.255.255.0 any

Suggest:
access-list EASY_splitTunnelAcl permit ip <local lan subnet> 255.255.255.0 <vpn pool subnet> 255.255.255.128
vpngroup EASY split-tunnel EASY_splitTunnelAcl

Since you masked all of your IP's, I can't see any uniqueness, but you need to have the IP address POOL used by VPN clients to be from a different IP subnet than your local LAN, and not use "any" in any of your VPN acls.


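Added example (not from the thread, and not Cisco tooling): a small Python checker for the three things lrmoore's answer tells the poster to verify in a PIX 6.3 config, that the ACL named in `vpngroup ... split-tunnel` is actually defined, that the split-tunnel ACL does not use `any`, and that the client address pool is on a different subnet from the inside LAN. The sample config embedded below is constructed (the poster masked the real addresses) and reproduces the posted mismatch between `EASY_splitTunnelAcl` and `TEMP_splitTunnelAcl`; the second sample is the same config with lrmoore's corrections applied. The parser assumes the config has been unwrapped to one statement per line and only understands the handful of statements the checks need.

```python
"""Audit a PIX 6.3 config for the split-tunnel mistakes lrmoore points out.

Checks, per vpngroup:
  1. the split-tunnel ACL it references is actually defined;
  2. no split-tunnel ACL line uses "any";
  3. the client address pool does not overlap the inside LAN.
"""
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample (addresses invented, the poster masked theirs): the same
# three mistakes as the thread, ACL name mismatch, "any" in the ACL, and a
# client pool carved out of the inside subnet.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list EASY_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool VPNewPool 192.168.1.200-192.168.1.250
vpngroup EASY address-pool VPNewPool
vpngroup EASY split-tunnel TEMP_splitTunnelAcl
"""

# Same config with lrmoore's corrections: pool on its own subnet, ACL name
# matching the vpngroup reference, no "any".
FIXED_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list EASY_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.128
ip local pool VPNewPool 192.168.200.1-192.168.200.100
vpngroup EASY address-pool VPNewPool
vpngroup EASY split-tunnel EASY_splitTunnelAcl
"""


def parse_config(text: str) -> dict:
    """Pull out the statements the checks need (one statement per line)."""
    cfg = {"acls": {}, "pools": {}, "inside": None, "vpngroups": {}}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "access-list" and len(parts) > 1:
            cfg["acls"].setdefault(parts[1], []).append(" ".join(parts))
        elif parts[:3] == ["ip", "address", "inside"] and len(parts) == 5:
            # "ip address inside <addr> <mask>": the LAN the VPN clients reach
            cfg["inside"] = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
        elif parts[:3] == ["ip", "local", "pool"] and len(parts) == 5:
            # "ip local pool <name> <first>-<last>"
            start, end = parts[4].split("-", 1)
            cfg["pools"][parts[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif parts[0] == "vpngroup" and len(parts) == 4:
            # "vpngroup <name> <attribute> <value>"
            cfg["vpngroups"].setdefault(parts[1], {})[parts[2]] = parts[3]
    return cfg


def _overlaps(pool: IPRange, net: ipaddress.IPv4Network) -> bool:
    """True if any address of the pool range falls inside the network."""
    start, end = pool
    return start <= net[-1] and end >= net[0]


def audit(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the checks pass."""
    cfg = parse_config(text)
    findings: List[str] = []
    for group, attrs in sorted(cfg["vpngroups"].items()):
        acl_ref = attrs.get("split-tunnel")
        if acl_ref is None:
            findings.append(f"vpngroup {group}: no split-tunnel, all client traffic is tunnelled")
        elif acl_ref not in cfg["acls"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {acl_ref} is not defined")
        # ACLs to inspect for "any": the referenced one plus the PDM-style
        # <group>_splitTunnelAcl name, so a mismatched reference is still caught.
        candidates = {acl_ref, f"{group}_splitTunnelAcl"} & set(cfg["acls"])
        for name in sorted(candidates):
            for line in cfg["acls"][name]:
                if "any" in line.split():
                    findings.append(f"ACL {name} uses 'any': {line}")
        pool = cfg["pools"].get(attrs.get("address-pool"))
        if pool and cfg["inside"] and _overlaps(pool, cfg["inside"]):
            findings.append(
                f"vpngroup {group}: pool {pool[0]}-{pool[1]} overlaps inside LAN {cfg['inside']}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit(text) or ['clean']}")
```

Run it against a `show running-config` capture after joining the lines the PIX wrapped at `terminal width 80` (the posted config has three such wraps). The `parse_config` loop is also the natural place to add checks for other statements visible in the posted config, such as `snmp-server community public` or `isakmp enable inside`, which the answers in this thread do not cover.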
Jim_Coyne commented:
lrmoore is on the money