What do I need to change in my firewall configuration to enable faster upload of a website?

For some reason it's taking forever to load the Westlaw.com website from our workstations. Other websites open up pretty fast except this one. I believe it has something to do with the firewall.
Here's my PIX firewall config. Please let me know what's causing it and a detailed way to modify it. Thanks!

firewall> en
Password: xxxxxxx
firewall# sh run
: Saved
:
ASA Version 7.0(4)12
!
hostname firewall
enable password xxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
 nameif Dmz
 security-level 50
 ip address x.x.x.x 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
object-group network BOGONS
 network-object 0.0.0.0 255.0.0.0
 network-object x.0.0.0 255.0.0.0
 network-object x.0.0.0 255.0.0.0
 network-object x.x.0.0 255.255.0.0
 network-object x.x.0.0 255.255.0.0
 network-object x.0.0.0 255.0.0.0
 network-object x.0.0.0 255.0.0.0
object-group icmp-type SAFE-ICMP
 icmp-object echo-reply
 icmp-object parameter-problem
 icmp-object time-exceeded
 icmp-object unreachable
access-list split standard permit x.x.x.0 255.255.255.0
access-list exceedMSS extended permit ip any any
access-list acl-outside extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-outside extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-outside extended permit icmp any any
access-list acl-outside extended deny ip object-group BOGONS any
access-list acl-outside extended permit icmp any any object-group SAFE-ICMP
access-list acl-outside remark SHARE TEST
access-list acl-outside extended permit tcp any host x.x.x.x eq ssh
access-list acl-outside extended permit tcp any host x.x.x.x eq www
access-list acl-outside extended permit tcp any host x.x.x.x eq smtp
access-list acl-outside extended permit tcp any host x.x.x.x eq https
access-list acl-outside extended permit tcp any host x.x.x.x eq smtp
access-list acl-outside extended permit tcp any host x.x.x.x eq 3001
access-list acl-outside extended permit tcp any host x.x.x.x eq www
access-list acl-outside extended permit tcp any host x.x.x.x eq https
access-list acl-outside extended permit tcp any host x.x.x.x eq www
access-list acl-outside extended permit tcp any host x.x.x.x eq https
access-list acl-outside extended deny ip any any
access-list nonat extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-inside extended permit ip x.x.x.0 255.255.255.0 any
access-list dmztoinside extended permit tcp host x.x.x.x host x.x.x.x eq xxxx
access-list dmztoinside extended permit ip host x.x.x.x host x.x.x.x
access-list dmztoinside extended deny ip x.x.x.0 255.255.255.0 x.x.x.0 255.255.255.0
access-list dmztoinside extended deny ip x.x.x.0 255.255.255.0 x.x.x.0 255.255.255.0
access-list dmztoinside extended permit ip x.x.x.0 255.255.255.0 any
access-list dmztoinside extended permit ip host x.x.x.x host x.x.x.x
access-list dmztoinside extended permit tcp host x.x.x.x host x.x.x.x eq xxxx
pager lines 24
logging enable
logging buffer-size 250000
logging buffered debugging
logging trap informational
logging asdm informational
logging host Inside x.x.x.x
no logging message 106015
no logging message 604103
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 305009
no logging message 710005
no logging message 302010
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu Dmz 1500
ip local pool vpnpool x.x.x.x-x.x.x.x mask 255.255.255.0
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
access-group acl-outside in interface Outside
access-group dmztoinside in interface Dmz
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside x.x.x.0 255.255.255.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NTAuth protocol nt
aaa-server NTAuth host x.x.x.x
 nt-auth-domain-controller xxxxxx
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value xxxxxx
 webvpn
username xxxx password xxxxxxxxxx encrypted privilege 15
http server enable
http x.x.x.x 255.255.255.255 Inside
http x.x.x.x 255.255.255.0 management
snmp-server location xxxxxxx
snmp-server contact xxxxxx
snmp-server community xxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1000 set transform-set myset
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group xxxxxx type ipsec-ra
tunnel-group xxxxxx general-attributes
 address-pool vpnpool
 authentication-server-group NTAuth
 default-group-policy clientgroup
tunnel-group nmajo ipsec-attributes
 pre-shared-key *
telnet x.x.0.0 255.255.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh x.x.0.0 255.255.0.0 Inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map MSS
 match access-list exceedMSS
class-map all-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class MSS
!
service-policy global_policy global
ntp server x.x.x.x source Outside prefer
tftp-server Inside x.x.x.x PIX
Cryptochecksum:91397255b84d9cd1666038134810a1bb
: end
firewall#
Asked by philomic

batry_boy commented:
First thing, upgrade your ASA code!  Not only are you using an old version, it's an interim release and not considered in general deployment.  Upgrade your code to 7.2(3) and see if that helps...of course, you will need a Cisco.com user account to download the upgrade.
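An added example, not code from this thread or from Cisco: a small Python review of a constructed excerpt of the posted running-config that checks the release against the 7.2(3) batry_boy recommends and flags the points a reviewer would raise about the config as posted (SSH management permitted from any source on Outside, telnet management enabled, a subnet-wide permit-ip entry on the outside ACL, and the MSS class in the policy-map that carries no action). The sample lines and the minimum release tuple are assumptions taken from this thread, not from a live device.

```python
import re

# Constructed excerpt mirroring the posted 'sh run' (addresses masked as on the page).
SAMPLE_CONFIG = """\
ASA Version 7.0(4)12
access-list acl-outside extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-outside extended permit tcp any host x.x.x.x eq ssh
access-list acl-outside extended deny ip any any
telnet x.x.0.0 255.255.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Outside
ssh x.x.0.0 255.255.0.0 Inside
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1512
 class MSS
"""

def parse_version(config):
    """'ASA Version 7.0(4)12' -> (7, 0, 4, 12), so releases compare as tuples."""
    m = re.search(r"^ASA Version (\S+)", config, re.M)
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1))) if m else ()

def empty_classes(config):
    """Policy-map classes (one-space indent) that have no action lines (two-space indent)."""
    empty, current, has_action = [], None, False
    for line in config.splitlines():
        if line.startswith("  "):
            has_action = True
            continue
        if current and not has_action:
            empty.append(current)
        current = line.split()[1] if line.startswith(" class ") else None
        has_action = False
    if current and not has_action:
        empty.append(current)
    return empty

def review(config, minimum=(7, 2, 3)):
    """Findings a reviewer would raise; 'minimum' is the release recommended in the thread (assumed)."""
    findings = []
    ver = parse_version(config)
    if ver and ver < minimum:
        findings.append("ASA release %s predates the recommended upgrade" % ".".join(map(str, ver)))
    for m in re.finditer(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        findings.append("ssh management open to any source on " + m.group(1))
    if re.search(r"^telnet \S", config, re.M):
        findings.append("telnet management enabled; prefer ssh version 2 only")
    for m in re.finditer(r"^access-list (\S+) extended permit ip (\S+ \S+) any$", config, re.M):
        findings.append("%s permits all IP traffic from %s" % (m.group(1), m.group(2)))
    findings += ["class %s in the policy-map has no action" % c for c in empty_classes(config)]
    return findings
```

Run `review(SAMPLE_CONFIG)` to list the five findings for the excerpt; the version finding disappears once the excerpt reports 7.2(3) or later.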
2PiFL commented:
If all other sites work fine then I would suspect the problem is with the slow website.

batry_boy is right - I would take his advice.
philomic (Author) commented:
According to users from our other site (other geographical location), the upload is fine... it's hard for me to test it because it requires privileged access to the site. I downloaded the ASA code 7.2(3). When I upgrade from 7.0, will it retain the current configuration or totally start from defaults? Please help.
batry_boy commented:
Yes, it will retain your configuration through the upgrade.
batry_boy commented:
Make sure you save the config (write mem) before reloading!
philomic (Author) commented:
Just got back from leave and haven't updated the ASA code on our PIX firewall. I have several procedures that I can follow but I'm not sure which one to use (I haven't updated before; it's always been from a fresh install). Do you have a procedure (that works and is safe, since I cannot test it on another device) that I can follow? Please let me know. Thanks!
batry_boy commented:
Yes, here is a walkthrough for the upgrade...

http://www.petenetlive.com/Tech/Firewalls/Cisco/updateasacli.htm

I borrowed this link from another EE member...thanks go to PeteLong for the info!
philomic (Author) commented:
I'm almost done but I get this message whenever I tell the new ASA to use the new ASDM image.

"Device Manager image set, but not a valid image file disk0:/asdm-523.bin"
batry_boy commented:
As long as you have upgraded to 7.2(3) for the ASA code, and you have the ASDM image file on the ASA, you can ignore that...I've seen that before.  Just save your config ("wr mem") and reload.  It should come up OK.
philomic (Author) commented:
Okay got it....

ASA Version 7.2(3)
!
hostname *******
domain-name *******
enable password Ad4jY82tgV53j0Pn encrypted
names
dns-guard


Thanks for your help!
philomic (Author) commented:
Additional question: I uploaded asa723-k8.bin and asdm-523.bin... I know I can delete asa704-k8.bin, but what about the old ASDM? Which ASDM is being used now, the old or the new one? I know I told the ASA (7.2(3)) to use asdm-523 but I'm not sure it took it. Is there a way to verify it?
batry_boy commented:
Yes, issue the "show ver" command.  At the top of the output it will tell you which "Device Manager Version" you are using...
Pete Long (Consultant) commented: