Solved

What do I need to change in my firewall configuration to enable faster upload of a website?

Posted on 2007-12-05
Last Modified: 2008-02-01
For some reason it's taking forever to upload the Westlaw.com website from our workstations. Other websites open up pretty fast except this one. I believe it has something to do with the firewall.
Here's my PIX firewall config. Please let me know what's causing it and a detailed way to modify it. Thanks!

firewall> en
Password: xxxxxxx
firewall# sh run
: Saved
:
ASA Version 7.0(4)12
!
hostname firewall
enable password xxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
 nameif Dmz
 security-level 50
 ip address x.x.x.x 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
object-group network BOGONS
 network-object 0.0.0.0 255.0.0.0
 network-object x.0.0.0 255.0.0.0
 network-object x.0.0.0 255.0.0.0
 network-object x.x.0.0 255.255.0.0
 network-object x.x.0.0 255.255.0.0
 network-object x.0.0.0 255.0.0.0
 network-object x.0.0.0 255.0.0.0
object-group icmp-type SAFE-ICMP
 icmp-object echo-reply
 icmp-object parameter-problem
 icmp-object time-exceeded
 icmp-object unreachable
access-list split standard permit x.x.x.0 255.255.255.0
access-list exceedMSS extended permit ip any any
access-list acl-outside extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-outside extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-outside extended permit icmp any any
access-list acl-outside extended deny ip object-group BOGONS any
access-list acl-outside extended permit icmp any any object-group SAFE-ICMP
access-list acl-outside remark SHARE TEST
access-list acl-outside extended permit tcp any host x.x.x.x eq ssh
access-list acl-outside extended permit tcp any host x.x.x.x eq www
access-list acl-outside extended permit tcp any host x.x.x.x eq smtp
access-list acl-outside extended permit tcp any host x.x.x.x eq https
access-list acl-outside extended permit tcp any host x.x.x.x eq smtp
access-list acl-outside extended permit tcp any host x.x.x.x eq 3001
access-list acl-outside extended permit tcp any host x.x.x.x eq www
access-list acl-outside extended permit tcp any host x.x.x.x eq https
access-list acl-outside extended permit tcp any host x.x.x.x eq www
access-list acl-outside extended permit tcp any host x.x.x.x eq https
access-list acl-outside extended deny ip any any
access-list nonat extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-inside extended permit ip x.x.x.0 255.255.255.0 any
access-list dmztoinside extended permit tcp host x.x.x.x host x.x.x.x eq xxxx
access-list dmztoinside extended permit ip host x.x.x.x host x.x.x.x
access-list dmztoinside extended deny ip x.x.x.0 255.255.255.0 x.x.x.0 255.255.255.0
access-list dmztoinside extended deny ip x.x.x.0 255.255.255.0 x.x.x.0 255.255.255.0
access-list dmztoinside extended permit ip x.x.x.0 255.255.255.0 any
access-list dmztoinside extended permit ip host x.x.x.x host x.x.x.x
access-list dmztoinside extended permit tcp host x.x.x.x host x.x.x.x eq xxxx
pager lines 24
logging enable
logging buffer-size 250000
logging buffered debugging
logging trap informational
logging asdm informational
logging host Inside x.x.x.x
no logging message 106015
no logging message 604103
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 305009
no logging message 710005
no logging message 302010
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu Dmz 1500
ip local pool vpnpool x.x.x.x-x.x.x.x mask 255.255.255.0
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
access-group acl-outside in interface Outside
access-group dmztoinside in interface Dmz
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside x.x.x.0 255.255.255.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NTAuth protocol nt
aaa-server NTAuth host x.x.x.x
 nt-auth-domain-controller xxxxxx
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value xxxxxx
 webvpn
username xxxx password xxxxxxxxxx encrypted privilege 15
http server enable
http x.x.x.x 255.255.255.255 Inside
http x.x.x.x 255.255.255.0 management
snmp-server location xxxxxxx
snmp-server contact xxxxxx
snmp-server community xxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1000 set transform-set myset
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group xxxxxx type ipsec-ra
tunnel-group xxxxxx general-attributes
 address-pool vpnpool
 authentication-server-group NTAuth
 default-group-policy clientgroup
tunnel-group nmajo ipsec-attributes
 pre-shared-key *
telnet x.x.0.0 255.255.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh x.x.0.0 255.255.0.0 Inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map MSS
 match access-list exceedMSS
class-map all-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class MSS
!
service-policy global_policy global
ntp server x.x.x.x source Outside prefer
tftp-server Inside x.x.x.x PIX
Cryptochecksum:91397255b84d9cd1666038134810a1bb
: end
firewall#
Question by:philomic
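Before touching a config like the one posted above, it is worth running a mechanical check over it. The script below is an added example, not code from the thread or from Cisco. It reads an excerpt of the posted running-config (keeping the poster's x.x.x.x redactions) and reports only things that are literally visible in that text: ssh or telnet management access permitted from 0.0.0.0/0 on an interface, telnet (cleartext) management at all, IKE phase-1 policies using md5 or (3)des, a policy-map class with no action beneath it, and an access-list entry that can never match because an earlier any-to-any entry for the same protocol precedes it (ASA access-lists are first-match). It is a text-pattern lint, not an ASA config parser, and it says nothing about the slow-site symptom the question asks about.

```python
"""Pattern-check a Cisco ASA 7.x running-config excerpt.  Added example, not
code from the thread or from Cisco; it is a text lint, not a config parser."""
import re
from collections import defaultdict

# Excerpt of the config posted in the question, with the poster's x.x.x.x redactions.
SAMPLE_CONFIG = """\
access-list acl-outside extended permit ip x.x.x.0 255.255.255.0 any
access-list acl-outside extended permit icmp any any
access-list acl-outside extended deny ip object-group BOGONS any
access-list acl-outside extended permit icmp any any object-group SAFE-ICMP
access-list acl-outside remark SHARE TEST
access-list acl-outside extended deny ip any any
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
telnet x.x.0.0 255.255.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Outside
ssh x.x.0.0 255.255.0.0 Inside
ssh version 2
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1512
 class MSS
!
service-policy global_policy global
"""

def check_management_access(lines):
    """Flag telnet (cleartext) anywhere, and ssh/telnet permitted from 0.0.0.0/0."""
    findings = []
    for ln in lines:
        m = re.match(r"^(ssh|telnet) (\S+) (\S+) (\S+)$", ln)   # <proto> <addr> <mask> <intf>
        if not m:
            continue
        proto, addr, mask, intf = m.groups()
        if proto == "telnet":
            findings.append(f"telnet: cleartext management allowed from {addr} {mask} on {intf}")
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"{proto}: management allowed from any source on {intf}")
    return findings

WEAK_ISAKMP = {"hash": {"md5"}, "encryption": {"des", "3des"}}

def check_isakmp(lines):
    """Flag IKE phase-1 policies that still use MD5 or (3)DES."""
    findings = []
    for ln in lines:
        m = re.match(r"^isakmp policy (\d+) (hash|encryption) (\S+)$", ln)
        if m and m.group(3) in WEAK_ISAKMP[m.group(2)]:
            findings.append(f"isakmp policy {m.group(1)}: {m.group(2)} {m.group(3)} is weak")
    return findings

def check_policy_map_classes(lines):
    """A ' class X' under a policy-map with no indented action beneath it does nothing."""
    findings = []
    policy = klass = None
    actions = 0

    def close_class():
        nonlocal klass, actions
        if klass is not None and actions == 0:
            findings.append(f"policy-map {policy}: class {klass} has no action")
        klass, actions = None, 0

    for ln in lines:
        if ln.startswith("policy-map "):
            close_class()
            policy = ln.split()[1]
        elif policy is None:
            continue
        elif ln.startswith(" class "):
            close_class()
            klass = ln.split()[1]
        elif ln.startswith("  "):          # an action line such as '  inspect ftp'
            actions += 1
        else:                              # '!' or a top-level command ends the policy-map
            close_class()
            policy = None
    close_class()
    return findings

def check_shadowed_aces(lines):
    """ASA ACLs are first-match: after '<proto> any any' (or 'ip any any') with no
    further qualifier, later entries for that protocol can never be hit."""
    findings = []
    blanket = defaultdict(dict)            # acl -> {proto: earlier any-to-any entry}
    for ln in lines:
        m = re.match(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$", ln)
        if not m:                          # remarks and standard ACLs are skipped
            continue
        acl, action, proto, rest = m.groups()
        shadow = blanket[acl].get(proto) or blanket[acl].get("ip")
        if shadow:
            findings.append(f"access-list {acl}: '{action} {proto} {rest}' is shadowed by '{shadow}'")
        elif rest == "any any":
            blanket[acl][proto] = f"{action} {proto} any any"
    return findings

def lint(config_text):
    """Run every check over the non-blank lines and return all findings."""
    lines = [ln.rstrip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for check in (check_management_access, check_isakmp,
                  check_policy_map_classes, check_shadowed_aces):
        findings.extend(check(lines))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the posted excerpt this reports the ssh-from-anywhere entry on Outside, the telnet entry, the md5/3des IKE policy, the `class MSS` that has no action under it, and the SAFE-ICMP entry that sits behind `permit icmp any any`. Feed it `show run` output instead of the sample to run it against a live box; the checks only look at the line shapes shown, so anything else in the config is ignored rather than misreported.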
13 Comments

Accepted Solution by batry_boy (LVL 28, earned 250 total points):
First thing, upgrade your ASA code!  Not only are you using an old version, it's an interim release and not considered in general deployment.  Upgrade your code to 7.2(3) and see if that helps...of course, you will need a Cisco.com user account to download the upgrade.

Expert Comment by 2PiFL (LVL 16):
If all other sites work fine then I would suspect the problem is with the slow website.

batry_boy is right - I would take his advice.

Author Comment by philomic:
According to users at our other site (other geographical location), the upload is fine. It's hard for me to test it because it's privileged access to the site. I downloaded the ASA code 7.2(3). When I upgrade from 7.0, will it retain the current configuration or totally start from defaults? Please help.

Expert Comment by batry_boy (LVL 28):
Yes, it will retain your configuration through the upgrade.

Expert Comment by batry_boy (LVL 28):
Make sure you save the config (write mem) before reloading!

Author Comment by philomic:
Just got back from leave and haven't updated the ASA code on our PIX firewall. I have several procedures that I can follow but I'm not sure which one to use (I haven't updated before; it's always been from a fresh install). Do you have a procedure (that works and is safe, since I cannot test it on another device) that I can follow? Please let me know. Thanks!

Expert Comment by batry_boy (LVL 28):
Yes, here is a walkthrough for the upgrade...

http://www.petenetlive.com/Tech/Firewalls/Cisco/updateasacli.htm

I borrowed this link from another EE member...thanks go to PeteLong for the info!

Author Comment by philomic:
I'm almost done but I get this message whenever I tell the new ASA to use the new ASDM image.

"Device Manager image set, but not a valid image file disk0:/asdm-523.bin"

Expert Comment by batry_boy (LVL 28):
As long as you have upgraded to 7.2(3) for the ASA code, and you have the ASDM image file on the ASA, you can ignore that...I've seen that before.  Just save your config ("wr mem") and reload.  It should come up OK.

Author Comment by philomic:
Okay got it....

ASA Version 7.2(3)
!
hostname *******
domain-name *******
enable password Ad4jY82tgV53j0Pn encrypted
names
dns-guard


Thanks for your help!

Author Comment by philomic:
Additional question: I uploaded the asa723-k8.bin and asdm-523.bin....I know I can delete asa704-k8.bin but how about the old asdm? Which ASDM is being used now, the old or new ASDM? I know I told the ASA (7.2(3)) to use ASDM-523 but not sure if it took it. Is there a way to verify it?

Expert Comment by batry_boy (LVL 28):
Yes, issue the "show ver" command.  At the top of the output it will tell you which "Device Manager Version" you are using...
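The upgrade steps are spread over several replies above (upgrade to 7.2(3), save the config before reloading, set the new ASDM image, check `show version` afterwards, then delete the old images). Pulled together as one CLI session, this is an added example: it is not the linked walkthrough and not anything batry_boy or philomic typed. The image filenames (asa723-k8.bin, asdm-523.bin, asa704-k8.bin, asdm-504.bin) are the ones named in the thread; the TFTP server address is the thread's x.x.x.x placeholder; the running-config backup at the top is the editor's addition and assumes the TFTP server already used by the `tftp-server Inside` line is reachable.

```text
! 0. Keep a copy of the working config off-box before changing anything
firewall# copy running-config tftp://x.x.x.x/firewall-7.0-backup.cfg

! 1. Stage both images on flash and confirm they arrived
firewall# copy tftp://x.x.x.x/asa723-k8.bin disk0:/asa723-k8.bin
firewall# copy tftp://x.x.x.x/asdm-523.bin disk0:/asdm-523.bin
firewall# dir disk0:

! 2. Point the boot variable and ASDM at the new files.
!    (The posted config has no "boot system" line; if one exists for the
!    old image, remove it with "no boot system disk0:/asa704-k8.bin".)
firewall# configure terminal
firewall(config)# boot system disk0:/asa723-k8.bin
firewall(config)# asdm image disk0:/asdm-523.bin
firewall(config)# exit
firewall# show bootvar

! 3. Save, then reload (the config is retained across the upgrade)
firewall# write memory
firewall# reload

! 4. After the reload, confirm what is actually running; the
!    "Device Manager Version" line shows which ASDM image is active
firewall# show version | include Version

! 5. Only once 7.2(3) and ASDM 5.2(3) are confirmed, remove the old images
firewall# delete disk0:/asa704-k8.bin
firewall# delete disk0:/asdm-504.bin
```

The `show version` check in step 4 is the verification batry_boy describes; doing it before deleting anything in step 5 means the old image is still on flash if the new one fails to come up.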
