You hit one out of the park sir!!!

-Vinay

Do I have to create a nat from this subnet to an outside IP and apply this config to the outside IP ?
If I use the exissting IP I go out with, all the network would be affected, correct !?

Brad :
Hi David -
This is a good article and a good start. However, it’s important to point out that what most people are looking for here is an inbound or ingress rate limiting policy.
Unless you have strict control over both sides of the link (i.e. the ISP) you can never truly achieve the desired goal of rate-limiting certain users or types of traffic.
Aside from the details of trying to control which users or type of traffic is being rate-limited the single largest problem is that the upstream device may be capable of sending data at a rate faster than you would like. Your best case scenario in the configuration listed is to simply drop the packets if they exceed the bandwidth or burst rate specified. These are dropped upon ingress and it does not actually prevent that bandwidth from being utilized.
For TCP or other flow-based traffic types behavior will have some impact due to the nature of the TCP stream requiring an ACK and window-size management. If the ACKs are dropped the window sizes will eventually decrease and the rate will slow down, but TCP will also try to increase the rate again.
To achieve this goal, a device that truly manipulates the TCP headers would be desirable as the implementation of ingress-policing on the ASA is more of an interim solution.
For strict UDP or non-session oriented types of traffic these policies will have no effect on ingress traffic bandwidth other than to slow down traffic that has already reached the ASA (in other words, a moot point). This can be demonstrated in a lab setup in which you simply have to ping-flood the ASA to cause a DoS.

You are 100% correct and this point seems to be missed by most people in this thread.

I see something above like my problem but not the same.

1 pc (outside or trought internet) communicate to 1 another(inside network,behind asa)
but the all other participant of the inside network use all of the bandwith of internet connection.
my goal is to guarantee a minimum bandwidth or all of the remaining to the pc’s if the other participant of the network dont use the internet.

Which qos method can enable this for me? or can i reach this?

Thanks!

First of all thanks for sharing this very informative article, I am new with Cisco ASA. I have a question to you. I have 10MB Internet connection in my office, I have 2 Cisco ASA 5510 one is in my office and another one in my data center whcih I have much bigger bandwidth. I have a VPN connection between the our office and the data center, I want to give much higher priority to the VPN traffic because if one of my office user download huge file from the internet it affects the application connecting to my data center via the VPN what is the best way to accomplish this??

Thanks