Solved

Cisco - Internet Issues

Posted on 2009-05-09
928 Views
Last Modified: 2012-05-06
Hi,

I was after a bit of help / advice.

In my office we have got a pair of Cisco 5510 ASA's, then we have two branch offices, one with a Cisco 5510 ASA and one with a Cisco 5505 ASA.

Now all three offices are experiencing the same issues, so I am starting to think it could be a config issue.

HQ (Pair of ASA's) has got a 10MB Uncontended Fixed Internet Service, so should be 10MB Each Way, but Download is 10MB but Upload is only 1.4MB.

Branch 1 (5510) has got a 10MB Uncontended Fixed Internet Service, so should be 10MB Each Way, but Download is 10MB but Upload is only about 1.8MB.

Branch 2 (5505) has got an 8MB Down 768K Upload Service and gets 8Mb Down but only .3MB Upload.

Can anyone shed any light on what config could be causing these issues?

Thanks very much in advance.

Paul
Question by:essexboy80
16 Comments
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24344532
Most likely it's either an overhead issue (where are you measuring the bandwidth from? A workstation on the network, the router itself?) or your ISP is not telling you something...
 
LVL 1

Author Comment

by:essexboy80
ID: 24344636
Hi,

I have tested it from several machines, each on different segments of the network but experience exactly the same, also when I run a custom script that measures bandwidth between HQ and Branch A it also shows me poor results.

What do you suggest I look at?
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24344708
Well, I'd say just connect a laptop directly to the net and go to speedtest.net. Who are the carriers? Theoretically, if you have a 10MB/10MB internet circuit, considering overhead, even if you were running a complex IPSec VPN tunnel which exchanges keys constantly, you'd be getting the equivalent of 8MB/s. The numbers you gave are way below what can be considered standard overhead -- as long as you get those when you connect a laptop directly. If speedtest.net gives you 10mb each way, we'll look at other stuff such as the router performance etc.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24346525
Have a look at the dashboard on your ASA/ASDM and look at the top talkers and bandwidth utilization and see if you have anything suspicious. I've seen sites hacked and ending up having movie servers eating up all the upload bandwidth. Easy to spot if all your bandwidth is being used by 1 or 2 internal IP addresses.
If you have an older version of ASDM that does not give you the top talkers, it's a good excuse to upgrade to 8.x and ASDM 6.15
Is this an all-new service for all three sites? Has it ever performed as you expect?
Agree with DTAHARLEV above that your ISP may not be telling you something if they are limiting your upload speeds.
 
LVL 1

Author Comment

by:essexboy80
ID: 24362845
Okay,

I have just carried out some tests with my laptop connected directly to the router.

I got 15MB Up and Down, so the issue lies within the Configuration internally.

What are the next things I can look at to get this fixed?

I have got 8.x and 6.15, but not 100% sure where I am looking to find the information you asked about.

Not a new service, but I have only recently taken over I.T. at the company so probably always been like this.

Thanks in advance.

Paul
 
LVL 79

Expert Comment

by:lrmoore
ID: 24363696
Open ASDM. Front page, Device Dashboard. Lower right quadrant is "outside" Interface Traffic Usage (Kbps) in graph form. This is a live 5 minute graph of input/output. Watch it for a few minutes and see how much bandwidth you are using overall.
On the Firewall Dashboard tab, lower right quadrant is a chart showing top talkers inbound and outbound. If it is not enabled, there will be a button to enable it. If it was not already enabled then you'll have to wait a couple hours or even till the next day to get meaningful data. You can see a pie chart of the last 1 hour, last 8 hours, last 24 hours. If you see any one host taking up the biggest slice of pie, then you start concentrating on that host. Attached is a picture of mine, showing one host taking up the vast majority of bandwidth. Note that in my case, this shows my PC as the culprit, but that's because I only have 4 computers on the network.

top10.jpg
 
LVL 1

Author Comment

by:essexboy80
ID: 24363913
Hi,

The thing that is interesting / concerning is that if I look at the Outside Internet Traffic Usage Chart it says:

Input Kbps : 631
Output Kbps : 687

So it is nowhere near maxing out.

So this could indicate the issue lies elsewhere, what does everyone think?
 
LVL 1

Author Comment

by:essexboy80
ID: 24363951
I am now just testing FTP of a file to the ISP Public FTP Server.

100MB File, takes about 25 Minutes to Upload

Output Kbps hit 1476
 
LVL 79

Expert Comment

by:lrmoore
ID: 24364092
Do you use a proxy or url filtering service? You'd have to post the whole firewall config for me to see anything that might possibly be a problem.
 
LVL 1

Author Comment

by:essexboy80
ID: 24364149
Can post the config, but will take me a while to edit the company specific details out.

We do use a Proxy, but I am testing this without the proxy.

 
LVL 1

Author Comment

by:essexboy80
ID: 24364217
Is there a specific part of the config you need to see? It is huge.
 
LVL 1

Author Comment

by:essexboy80
ID: 24364492
Here is the config :

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(4)
!
hostname asa5510-pri
domain-name company.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 192.168.0.0 LAN_Subnets
name 192.168.2200.0 BranchOffice1_LAN
name 192.168.210.0 Bloomberg_DMZ
name 192.168.220.0 Reuters_DMZ
name 192.168.230.0 DMZ
name 10.1.200.0 Telehouse
name 172.16.69.1 company01
name 172.16.69.2 company02
name 192.168.230.3 company03
name 172.16.69.7 company05
name 172.16.69.50 BliarsPC
name 172.16.69.81 BES
name 172.16.69.111 dc01
name 172.16.69.112 dc02
name 172.16.69.203 titan
name 172.16.69.209 freebsd01
name 172.16.69.225 TF-OASYS
name 172.16.69.229 server-om2
name 62.85.111.192 3rdParty11
name 210.17.177.16 3rdParty12
name 195.157.52.64 3rdParty13
name 192.168.230.4 Radianz-RT1
name 192.168.230.5 Radianz-HSRP
name 210.110.10.235 dc01-ext
name 193.109.254.0 ML1
name 195.245.230.0 ML2
name 195.216.0.0 ML3
name 212.125.64.0 ML4
name 62.231.128.0 ML5
name 62.173.108.0 ML6
name 85.158.136.0 ML7
name 194.106.220.0 ML8
name 194.205.110.128 ML9
name 212.125.74.44 ML10
name 212.125.75.0 ML11
name 216.82.240.0 ML12
name 112.187.165.245 Telehouse_Pix
name 210.110.10.232 WAN_Subnet
name 192.168.254.0 company_DR_LAN
name 172.16.69.234 company06
name 172.16.69.230 company-fm01
name 210.110.10.237 company-fm01-Ext
name 113.112.207.217 dc01-dr-ext
name 172.16.69.0 company_London_LAN
name 172.16.69.13 company-exch01
name 187.283.214.279 paul-pc-ext
name 192.168.2101.100 paul-pc-int
name 192.168.230.10 owa2007-int
name 172.16.69.11 company-pman01
name 187.283.214.282 company-pman01-ext
name 192.168.240.192 WiFi_Clients
name 192.168.110.0 Voice_LAN
name 192.168.120.0 Management_LAN
name 192.168.253.0 DR_Telco_LAN
name 172.16.69.6 company-ezeapp01
name 172.16.69.3 company-ezedb01
name 187.283.214.280 owa2007-ext
name 192.168.250.0 Voice_LAN_2
dns-guard
!
interface Ethernet0/0
 description LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.69.254 255.255.252.0 standby 172.16.69.253
 ospf cost 10
!
interface Ethernet0/1
 description Easynet Internet Line
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 210.110.10.234 255.255.255.248 standby 210.110.10.236
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif backup
 security-level 0
 no ip address
 ospf cost 10
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.10
 description Bloomberg DMZ
 vlan 10
 nameif bloomberg
 security-level 50
 ip address 192.168.210.1 255.255.255.248 standby 192.168.210.6
 ospf cost 10
!
interface Ethernet0/3.20
 description Reuters DMZ
 vlan 20
 nameif reuters
 security-level 50
 ip address 192.168.220.1 255.255.255.0 standby 192.168.220.6
 ospf cost 10
!
interface Ethernet0/3.30
 description DMZ
 vlan 30
 nameif dmz
 security-level 50
 ip address 192.168.230.1 255.255.255.0 standby 192.168.230.6
 ospf cost 10
!
interface Ethernet0/3.40
 vlan 40
 nameif wifi
 security-level 50
 ip address 192.168.240.1 255.255.255.0 standby 192.168.240.6
 ospf cost 10
!
interface Ethernet0/3.50
 shutdown
 vlan 50
 nameif fix
 security-level 50
 ip address 192.168.250.1 255.255.255.0
!
interface Management0/0
 description LAN Failover Interface
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name company.com
object-group network 3rdPary1
 description 3rdPary1 Networks
 network-object 3rdParty12 255.255.255.240
 network-object 3rdParty11 255.255.255.224
 network-object 3rdParty13 255.255.255.240
object-group network Bloomberg
 description Bloomberg Networks
 network-object 69.184.0.0 255.255.0.0
 network-object 199.105.176.0 255.255.255.0
 network-object 199.105.184.0 255.255.255.0
 network-object 205.183.246.0 255.255.255.0
 network-object 208.134.161.0 255.255.255.0
object-group network MessageLabs
 description MessageLabs Mail Servers
 network-object ML1 255.255.254.0
 network-object ML2 255.255.254.0
 network-object ML3 255.255.224.0
 network-object ML4 255.255.224.0
 network-object ML5 255.255.224.0
 network-object ML6 255.255.255.0
 network-object ML7 255.255.248.0
 network-object ML8 255.255.254.0
 network-object ML9 255.255.255.224
 network-object ML10 255.255.255.255
 network-object ML11 255.255.255.224
 network-object ML12 255.255.240.0
object-group network Radianz-Routers
 description Internal Radianz Routers
 network-object Radianz-RT1 255.255.255.255
 network-object 192.168.230.6 255.255.255.255
 network-object Radianz-HSRP 255.255.255.255
object-group network Radianz
 description Radianz Networks
 network-object 199.89.99.75 255.255.255.255
 network-object 199.89.110.75 255.255.255.255
 network-object 205.228.25.21 255.255.255.255
 network-object 155.195.0.0 255.255.0.0
object-group network Servers_Public
 description Server Public IP Addresses
 network-object host dc01-ext
 network-object host company-fm01-Ext
 network-object host company-pman01-ext
object-group network RadianzGRP
 network-object 205.167.31.193 255.255.255.255
 network-object 205.167.31.194 255.255.255.255
 network-object 205.167.31.195 255.255.255.255
 network-object 205.167.31.196 255.255.255.255
 network-object 205.167.31.197 255.255.255.255
 network-object 205.167.31.198 255.255.255.255
object-group network DM_INLINE_NETWORK_1
 network-object Voice_LAN 255.255.255.0
 network-object Management_LAN 255.255.255.0
 network-object DR_Telco_LAN 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_2
 network-object company_London_LAN 255.255.252.0
 network-object DMZ 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object host dc01
 network-object host dc02
object-group network DM_INLINE_NETWORK_4
 network-object host dc01
 network-object host dc02
object-group service RDP tcp
 port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list outside_access_inside remark MessageLabs Inbound Mail
access-list outside_access_inside extended permit tcp object-group MessageLabs host 210.110.10.234 eq smtp
access-list outside_access_inside remark 3rdParty1 Remote Access
access-list outside_access_inside extended permit tcp object-group 3rdPary1 host company-pman01-ext eq 4899
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 echo-reply inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 source-quench inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 unreachable inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 time-exceeded inactive
access-list outside_access_inside extended permit tcp any host 210.110.10.234 eq https
access-list outside_access_inside extended permit tcp any host 210.110.10.234 eq www
access-list outside_access_inside extended permit tcp host 10.1.200.1 host company03 eq smtp
access-list outside_access_inside extended permit tcp host 10.1.200.1 any eq smtp
access-list outside_access_inside extended permit ip any host owa2007-ext
access-list inside_access_outbound extended permit ip any any log notifications inactive
access-list inside_access_outbound extended permit ip host company01 any inactive
access-list inside_access_outbound extended permit ip host company02 any inactive
access-list inside_access_outbound extended permit ip host company05 any inactive
access-list inside_access_outbound extended permit tcp host company06 any inactive
access-list inside_access_outbound extended permit ip host dc01 any inactive
access-list inside_access_outbound extended permit ip host dc02 any inactive
access-list inside_access_outbound extended permit ip host titan any inactive
access-list inside_access_outbound extended permit ip host server-om2 any inactive
access-list inside_access_outbound extended permit tcp host company-fm01 any inactive
access-list inside_access_outbound extended permit tcp host 10.1.200.1 any inactive
access-list inside_access_outbound extended permit ip host 10.1.200.1 any inactive
access-list inside_access_outbound extended permit tcp host TF-OASYS any eq smtp inactive
access-list inside_access_outbound extended permit tcp host freebsd01 any eq smtp inactive
access-list inside_access_outbound extended permit tcp host titan any eq smtp inactive
access-list inside_access_outbound extended permit tcp host BliarsPC any eq smtp inactive
access-list inside_access_outbound extended permit tcp company_London_LAN 255.255.252.0 155.195.0.0 255.255.0.0 eq www inactive
access-list inside_access_outbound extended permit ip company_London_LAN 255.255.252.0 any
access-list inside_access_outbound extended permit tcp company_London_LAN 255.255.252.0 object-group Radianz eq https inactive
access-list inside_access_outbound extended permit icmp company_London_LAN 255.255.252.0 object-group Radianz inactive
access-list inside_access_outbound extended permit icmp company_London_LAN 255.255.252.0 DMZ 255.255.255.0 echo-reply inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq smtp inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq pop3 inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq netbios-ssn inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq netbios-ns inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq netbios-dgm inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq domain inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq domain inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq 445 inactive
access-list inside_access_outbound extended permit ip host paul-pc-int any inactive
access-list bloomberg_outbound_nat0_acl extended permit ip Bloomberg_DMZ 255.255.255.0 object-group Bloomberg
access-list bloomberg_outbound_nat0_acl extended permit ip Bloomberg_DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list bloomberg_access_inside extended permit icmp any any
access-list reuters_access_inside remark Reuters Allowed
access-list reuters_access_inside extended permit icmp any any
access-list reuters_access_inside extended permit tcp any any
access-list reuters_access_inside extended permit udp any any
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 155.195.0.0 255.255.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 67.56.0.0 255.254.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 65.62.0.0 255.254.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 159.220.192.0 255.255.240.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 198.206.64.0 255.255.192.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 198.210.128.0 255.255.128.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 204.109.128.0 255.255.128.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 206.60.0.0 255.255.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 75.124.0.0 255.255.0.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 Telehouse 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 BranchOffice1_LAN 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list dmz_access_inside extended permit tcp host company03 host company05 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host company06 eq smtp inactive
access-list dmz_access_inside extended permit icmp host company03 host company01 inactive
access-list dmz_access_inside extended permit icmp host company03 host company02 inactive
access-list dmz_access_inside extended permit udp host company03 host company01 eq domain inactive
access-list dmz_access_inside extended permit tcp host company03 host company01 eq domain inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 135 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 50000 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq ldap inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 eq 88 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 88 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 3268 inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 eq 389 inactive
access-list dmz_access_inside extended permit tcp host company03 host company05 eq 691 inactive
access-list dmz_access_inside extended permit tcp host company03 host company05 eq www inactive
access-list dmz_access_inside extended permit tcp host company03 host freebsd01 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host BliarsPC eq smtp inactive
access-list dmz_access_inside extended permit tcp DMZ 255.255.255.0 Telehouse 255.255.255.0 eq smtp inactive
access-list dmz_access_inside extended permit icmp DMZ 255.255.255.0 Telehouse 255.255.255.0 inactive
access-list dmz_access_inside extended permit icmp any host 10.1.200.1 inactive
access-list dmz_access_inside extended permit tcp any any
access-list dmz_access_inside extended permit udp any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended deny icmp DMZ 255.255.255.0 Reuters_DMZ 252.255.255.0 inactive
access-list dmz_access_inside extended deny tcp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended deny tcp DMZ 255.255.255.0 Bloomberg_DMZ 255.255.255.248 inactive
access-list dmz_access_inside extended deny udp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended deny udp DMZ 255.255.255.0 Bloomberg_DMZ 255.255.255.248 inactive
access-list dmz_access_inside extended deny icmp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended permit tcp DMZ 255.255.255.0 company_London_LAN 255.255.252.0 eq ssh inactive
access-list dmz_access_inside extended permit tcp host company03 host company-exch01 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host company-exch01 eq 691 inactive
access-list inside_oubbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Bloomberg
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.55pm
access-list inside_outbound_nat0_acl extended permit ip any 192.168.80.128 255.255.255.192 inactive
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Bloomberg_DMZ 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Reuters_DMZ 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Telehouse 255.255.255.0
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.56pm
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Radianz-Routers inactive
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.56pm
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Radianz inactive
access-list inside_outbound_nat0_acl extended permit ip any Telehouse 255.255.255.0 inactive
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Voice_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Management_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip host company-ezeapp01 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip host company-ezedb01 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Voice_LAN_2 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 192.168.240.0 255.255.255.0 inactive
access-list Group_VPN_splitTunnelAcl_1 standard permit company_London_LAN 255.255.252.0
access-list Group_VPN_splitTunnelAcl extended permit ip company_London_LAN 255.255.252.0 any
access-list outside_1_cryptomap extended permit ip any Telehouse 255.255.255.0
access-list outside_2_cryptomap extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 Telehouse 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip host company-ezeapp01 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip host company-ezedb01 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Voice_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Voice_LAN_2 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Management_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list backup_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list Group_VPN_splitTunnelAcl_2 standard permit company_London_LAN 255.255.252.0
access-list Eze_splitTunnelAcl standard permit host company-ezeapp01
access-list Eze_splitTunnelAcl standard permit host company-ezedb01
access-list CompanyX_Support_splitTunnelAcl standard permit host company-ezeapp01
access-list CompanyX_Support_splitTunnelAcl standard permit host company-ezedb01
access-list outside_1_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_2 Telehouse 255.255.255.0
access-list Telco_Support_splitTunnelAcl standard permit Voice_LAN 255.255.255.0
access-list Telco_Support_splitTunnelAcl standard permit Management_LAN 255.255.255.0
access-list Telco_Support_splitTunnelAcl standard permit Voice_LAN_2 255.255.255.0
access-list outside_3_cryptomap extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list Group_VPN_splitTunnelAcl_3 standard permit company_London_LAN 255.255.252.0
access-list CompanyX_Support_splitTunnelAcl_1 standard permit host company-ezeapp01
access-list CompanyX_Support_splitTunnelAcl_1 standard permit host company-ezedb01
access-list Telco_Support_splitTunnelAcl_1 standard permit Voice_LAN 255.255.255.0
access-list Telco_Support_splitTunnelAcl_1 standard permit Voice_LAN_2 255.255.255.0
access-list Telco_Support_splitTunnelAcl_1 standard permit Management_LAN 255.255.255.0
access-list WiFi_VPN_splitTunnelAcl standard permit company_London_LAN 255.255.252.0
pager lines 40
logging enable
logging standby
logging buffered errors
logging trap warnings
logging asdm emergencies
logging queue 1000
logging device-id hostname
logging host inside dc02
mtu inside 1500
mtu outside 1404
mtu backup 1500
mtu bloomberg 1500
mtu reuters 1500
mtu dmz 1500
mtu wifi 1500
mtu fix 1500
ip local pool Group_VPN_RAS 192.168.2103.128-192.168.2103.159 mask 255.255.255.224
failover
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 192.168.1.1 255.255.255.248 standby 192.168.1.2
no monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Voice_LAN 255.255.255.0
nat (inside) 1 company_London_LAN 255.255.252.0
nat (backup) 0 access-list backup_nat0_outbound
nat (bloomberg) 0 access-list bloomberg_outbound_nat0_acl
nat (reuters) 0 access-list reuters_outbound_nat0_acl
nat (reuters) 1 Reuters_DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 DMZ 255.255.255.0
nat (wifi) 1 WiFi_Clients 255.255.255.240
static (dmz,outside) tcp interface smtp company03 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 25000 company05 25000 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 dc01 1200 netmask 255.255.255.255
static (inside,outside) dc01-ext dc01 netmask 255.255.255.255
static (inside,outside) company-fm01-Ext company-fm01 netmask 255.255.255.255
static (inside,outside) company-pman01-ext company-pman01 netmask 255.255.255.255
static (inside,dmz) company_London_LAN company_London_LAN netmask 255.255.252.0
static (inside,reuters) company_London_LAN company_London_LAN netmask 255.255.252.0
static (inside,bloomberg) company_London_LAN company_London_LAN netmask 255.255.252.0
static (dmz,outside) owa2007-ext owa2007-int netmask 255.255.255.255 dns
static (inside,outside) paul-pc-ext paul-pc-int netmask 255.255.255.255
access-group inside_access_outbound in interface inside
access-group outside_access_inside in interface outside
access-group bloomberg_access_inside in interface bloomberg
access-group reuters_access_inside in interface reuters
access-group dmz_access_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 210.110.10.233 1
route reuters 65.62.0.0 255.254.0.0 192.168.220.254 1
route reuters 67.56.0.0 255.254.0.0 192.168.220.254 1
route bloomberg 69.184.0.0 255.255.0.0 192.168.210.4 1
route reuters 75.124.0.0 255.255.0.0 192.168.220.254 1
route reuters 155.195.0.0 255.255.0.0 192.168.220.254 1
route reuters 159.220.192.0 255.255.240.0 192.168.220.254 1
route inside Voice_LAN 255.255.255.0 172.16.69.5 1
route inside Management_LAN 255.255.255.0 172.16.69.5 1
route inside Voice_LAN_2 255.255.255.0 172.16.69.5 1
route inside DR_Telco_LAN 255.255.255.0 172.16.69.5 1
route reuters 198.206.64.0 255.255.192.0 192.168.220.254 1
route reuters 198.210.128.0 255.255.128.0 192.168.220.254 1
route dmz 199.89.99.75 255.255.255.255 Radianz-HSRP 1
route dmz 199.89.110.75 255.255.255.255 Radianz-HSRP 1
route bloomberg 199.105.176.0 255.255.255.0 192.168.210.4 1
route bloomberg 199.105.184.0 255.255.255.0 192.168.210.4 1
route reuters 204.109.128.0 255.255.128.0 192.168.220.254 1
route dmz 205.167.31.193 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.194 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.195 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.196 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.197 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.198 255.255.255.255 Radianz-HSRP 1
route bloomberg 205.183.246.0 255.255.255.0 192.168.210.4 1
route dmz 205.228.25.21 255.255.255.255 Radianz-HSRP 1
route reuters 206.60.0.0 255.255.0.0 192.168.220.254 1
route bloomberg 208.134.161.0 255.255.255.0 192.168.210.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
aaa-server radius (inside) host dc01
 key companyam
aaa-server radius (inside) host dc02
 key companyam
 radius-common-pw companyam
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http company_London_LAN 255.255.252.0 inside
snmp-server host inside company05 poll community public
snmp-server location Mayfair
snmp-server contact Paul Sheath
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set security-association lifetime seconds 28800
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 70 set security-association lifetime seconds 28800
crypto map outside_map 70 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer Telehouse_Pix
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 112.130.120.150  
crypto map outside_map0 2 set transform-set ESP-3DES-MD5
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 3 match address outside_3_cryptomap
crypto map outside_map0 3 set pfs
crypto map outside_map0 3 set peer 113.112.207.216
crypto map outside_map0 3 set transform-set ESP-3DES-MD5
crypto map outside_map0 3 set security-association lifetime seconds 28800
crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wifi_map interface wifi
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable wifi
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet Telehouse 255.255.255.0 inside
telnet company_London_LAN 255.255.252.0 inside
telnet Telehouse 255.255.255.0 outside
telnet timeout 5
ssh company_London_LAN 255.255.252.0 inside
ssh timeout 10
console timeout 0
dhcpd address 192.168.240.193-192.168.240.206 wifi
dhcpd dns 4.2.2.2 interface wifi
dhcpd lease 33600 interface wifi
dhcpd ping_timeout 100 interface wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside prefer
ntp server 128.102.16.2 source outside
group-policy Telco_Support internal
group-policy Telco_Support attributes
 wins-server value 172.16.69.111 172.16.69.112
 dns-server value 172.16.69.111 172.16.69.112
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Telco_Support_splitTunnelAcl_1
 default-domain value abc.company.com
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy Group_VPN internal
group-policy Group_VPN attributes
 wins-server value 172.16.69.111 172.16.69.112
 dns-server value 172.16.69.111 172.16.69.112
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Group_VPN_splitTunnelAcl_3
 default-domain value abc.company.com
 split-dns value abc.company.com company.com company.co.uk
group-policy WiFi_VPN internal
group-policy WiFi_VPN attributes
 wins-server value 172.16.69.111 172.16.69.112
 dns-server value 172.16.69.111 172.16.69.112
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WiFi_VPN_splitTunnelAcl
 default-domain value abc.company.com
group-policy CompanyX_Support internal
group-policy CompanyX_Support attributes
 wins-server value 172.16.69.111 172.16.69.112
 dns-server value 172.16.69.111 172.16.69.112
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyX_Support_splitTunnelAcl_1
 default-domain value abc.company.com
username user1 password xxxxxxxxxxx encrypted privilege 15
username user2 password xxxxxxxxxxx encrypted privilege 15
username user3 password xxxxxxxxxxx encrypted privilege 0
username user3 attributes
 vpn-group-policy Telco_Support
tunnel-group Group_VPN type remote-access
tunnel-group Group_VPN general-attributes
 address-pool Group_VPN_RAS
 authentication-server-group radius LOCAL
 default-group-policy Group_VPN
tunnel-group Group_VPN ipsec-attributes
 pre-shared-key *
tunnel-group 112.187.165.245 type ipsec-l2l
tunnel-group 112.187.165.245 ipsec-attributes
 pre-shared-key *
tunnel-group 112.130.120.150  type ipsec-l2l
tunnel-group 112.130.120.150  ipsec-attributes
 pre-shared-key *
tunnel-group 113.112.207.216 type ipsec-l2l
tunnel-group 113.112.207.216 ipsec-attributes
 pre-shared-key *
tunnel-group Telco_Support type remote-access
tunnel-group Telco_Support general-attributes
 address-pool Group_VPN_RAS
 default-group-policy Telco_Support
tunnel-group Telco_Support ipsec-attributes
 pre-shared-key *
tunnel-group CompanyX_Support type remote-access
tunnel-group CompanyX_Support general-attributes
 address-pool Group_VPN_RAS
 authentication-server-group radius
 default-group-policy CompanyX_Support
tunnel-group CompanyX_Support ipsec-attributes
 pre-shared-key *
tunnel-group WiFi_VPN type remote-access
tunnel-group WiFi_VPN general-attributes
 address-pool Group_VPN_RAS
 authentication-server-group radius
 default-group-policy WiFi_VPN
tunnel-group WiFi_VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7501a66081788b4dc4de6268dfb6d793
: end
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24370455
Looks like all pretty standard stuff. Nothing jumps out at me.
What does the CPU utilization look like? This looks like a lot of processing requirement for the 5510. How many total users?
You might consider upping the message-length max on the dns inspect policy from 512 to 640

Is there any difference in performance if the standby firewall is powered off completely?
Do you see any "mss exceeded" error messages in the logs?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24370462
>ASA Version 8.0(4)
lots of bug fixes in 8.0(4)28 interim release. You might try that..
0
 
LVL 1

Author Comment

by:essexboy80
ID: 24372063
Hi,

I have had a look at the CPU Utilization and it sits fairly steady at 8%, so this looks to be fine.

We have 54 Users in total, so shouldn't be anything too hard for the unit to cope with.

I have changed the message-length as suggested, but that has not made any difference.

Will shortly try powering off the standby unit and see what happens.
0
 
LVL 1

Accepted Solution

by:
essexboy80 earned 0 total points
ID: 24393006
Hi All,

Issue is now resolved.

The issue was having ports configured as auto/auto on the switch and router.

Changed to 100/full and all is good now.

Thanks for all your help though.
0
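A check for the duplex-mismatch cause given in the accepted solution, as an added example that is not part of the original thread: it parses a constructed `show interface` style excerpt (the layout and every counter value are assumptions, not from the post) and flags the symptoms an auto/auto link that settled on half-duplex leaves behind, so the fix can be confirmed from counters rather than only from a speed test.

```python
import re
# Constructed "show interface" excerpt in the usual Cisco counter layout (an assumption,
# not from the original post): the outside port shows mismatch symptoms, inside is clean.
SAMPLE_SHOW_INTERFACE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        3104 late collisions, 9821 deferred
Interface Ethernet0/1 "inside", is up, line protocol is up
        Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 late collisions, 0 deferred
"""
IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
DUPLEX_RE = re.compile(r'(Auto|Full|Half)-Duplex\((\w+)-duplex\)')

def counter(block, label):
    # "3104 late collisions" -> 3104; a missing counter reads as 0
    m = re.search(r'(\d+) ' + re.escape(label), block)
    return int(m.group(1)) if m else 0

def parse_interfaces(text):
    """Map nameif -> {auto, duplex, late_collisions, crc} from show-interface text."""
    ifaces = {}
    for block in re.split(r'(?m)^(?=Interface )', text):
        head = IFACE_RE.match(block)
        if not head:
            continue
        dup = DUPLEX_RE.search(block)
        ifaces[head.group(2)] = {
            "auto": bool(dup) and dup.group(1) == "Auto",
            "duplex": dup.group(2).lower() if dup else None,
            "late_collisions": counter(block, "late collisions"),
            "crc": counter(block, "CRC"),
        }
    return ifaces

def duplex_findings(ifaces):
    """Symptoms of a speed/duplex mismatch, keyed by interface name."""
    findings = {}
    for name, i in ifaces.items():
        reasons = []
        if i["auto"] and i["duplex"] == "half":
            reasons.append("auto-negotiation settled on half-duplex")
        if i["late_collisions"] > 0:
            reasons.append("late collisions: this side half, peer probably full")
        if i["duplex"] == "full" and i["crc"] > 0:
            reasons.append("CRC errors on full-duplex port: peer probably half")
        findings[name] = reasons
    return findings
```

Run it against real output from both the ASA and the switch port facing it: late collisions appear on the half-duplex side and CRC errors on the full-duplex side, which is why only hard-setting both ends (100/full here) clears the symptom.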
