Cisco ASA 5505 QoS RDP over L2L-VPN

Hello Experts!

I have some experience with the Cisco ASA5505 but I have a hard time getting the concept of QoS on the ASAs.

I wonder if anyone could help me with a configuration example of how to prioritize RDP traffic over L2L-VPN tunnel, preferably with some simple explanation. I want to prioritize RDP through VPN over ALL OTHER traffic.

Please feel free to ask if I'm unclear.

Thanks.
hyemar Asked:

kellemann Commented:
Here is an example to get you going. There is no configuration to handle VPN specifically. I just use the subnet on the other end of the VPN tunnel as the destination in order to ignore all other RDP traffic.

172.16.0.0/16 is the remote VPN.
Interesting traffic is defined in the access-list. Note that we use the RDP port as the source instead of the destination. We can only prioritize traffic in the outbound direction, not inbound.
We match the access-list in a class-map and use the "priority" keyword to put the traffic in the priority queue. Finally we attach the policy to the outside interface.
There are tons of other ways to tune the traffic, so consider this a quick and dirty example:

access-list RDP-traffic extended permit tcp any eq 3389 172.16.0.0 255.255.0.0

priority-queue outside
 exit

class-map CM-RDP
 match access-list RDP-traffic
 exit

policy-map PM-RDP-traffic
 class CM-RDP
  priority
  exit
 exit

service-policy PM-RDP-traffic interface outside
end

Verify with "show service-policy interface outside priority"
hyemar Author Commented:
Thank you for your reply!

I'd like to give some more info on our setup:

This is a "split-VPN" setup where only interesting traffic goes through VPN, not all traffic. Traffic that is destined for internet is not tunneled through VPN. Just for your info.

Is there any other way of doing this that you recommend?

Thanks again.
kellemann Commented:
You stated that only RDP over VPN should be prioritized. In my example 172.16.0.0/16 is used to define the interesting traffic. Therefore you only need to change 172.16.0.0 to whatever subnet is on the other end of your VPN. Any other RDP will be bypassed.


hyemar Author Commented:
Thanks, I will test this as soon as I can.
hyemar Author Commented:
Sorry for the late response. :-)

I've probably not been 100% clear in my question.

We need the QoS to be set at the client-side ASA, not the server-side ASA.

Will your example be applicable in this scenario?
kellemann Commented:
It is almost the same. The only difference is the port, which will be the destination instead of the source.

access-list RDP-traffic extended permit tcp 172.16.0.0 255.255.0.0 x.x.x.x y.y.y.y eq 3389

where x and y are the subnet and mask for the terminalserver.
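A complete client-side version of the configuration discussed in this thread, written out as an added example rather than either poster's own config. It assumes placeholder addressing that is not from the thread: 192.168.10.0/24 for the LAN behind the client ASA and 172.16.0.0/16 for the terminal server subnet behind the far-end ASA. It covers both of kellemann's answers: the ACL is written for the client side (port 3389 as the destination), and the server-side variant (port as the source) is shown in a comment.

```cisco
! Added example (not from the thread): client-side ASA 5505, strict-priority
! queue for RDP heading to the far end of the L2L tunnel, everything else best effort.
! Assumed placeholder addressing:
!   LAN behind this ASA              : 192.168.10.0/24
!   terminal server subnet, far end  : 172.16.0.0/16 (reached only via the tunnel)
! As in the thread's own example, the ACL is written against the private (inner)
! addresses even though the policy is attached to "outside": classification happens
! on the cleartext packet, before it is encrypted into the tunnel.

! Client side: the far-end server is the destination, so 3389 is the destination port.
! Server side (first answer) the port sits on the source instead:
!   access-list RDP-traffic extended permit tcp 172.16.0.0 255.255.0.0 eq 3389 192.168.10.0 255.255.255.0
access-list RDP-traffic extended permit tcp 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 3389

! The priority queue must be enabled per interface; without this line the
! "priority" action in the policy-map has no effect.
priority-queue outside
 exit

! Classify: only packets matching the ACL above land in this class.
class-map CM-RDP
 match access-list RDP-traffic
 exit

! Action: matched traffic goes to the low-latency (priority) queue.
! Unmatched traffic is not listed here and falls into the default best-effort queue.
policy-map PM-RDP-traffic
 class CM-RDP
  priority
  exit
 exit

! An interface accepts only one service-policy; this replaces any interface policy
! already on "outside" (a global policy, if present, keeps running alongside it).
service-policy PM-RDP-traffic interface outside
end

! Verification: the priority counters should increase while an RDP session is open
! across the tunnel; if they stay at zero, re-check the ACL direction and the
! priority-queue line for the interface.
show service-policy interface outside priority
show priority-queue statistics outside
```

For the server-side ASA, swap in the commented ACL line and leave the rest unchanged; the class-map, policy-map and interface attachment are identical on both ends.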