AC-IS
Cisco ASA 5505 bandwidth only 1/3 usable.
Customer has a 15 down 2 up pipe. Can only get 5 mb down at best, and 1.5 up. The up seems to be marginal, but the download speeds are painful. Attached straight to the cable modem, I get 15mb down. Through a Netgear and a Linksys router I get 15mb down. Tried changing link speed and duplex, no change. Changed MTU size also, no go. Running config below. Not sure what it could be.
: Saved
:
ASA Version 7.2(4)
!
hostname
names
name 192.168.0.202
name 192.168.0.25
name 192.168.0.22
name 192.168.0.131
name 192.168.0.110
name 192.168.0.213
name 192.168.0.2
name 192.168.0.200
name 192.168.0.7
name 192.168.0.239
name 192.168.0.92
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
interface Ethernet0/0
switchport access vlan 2
speed 100
!
interface Ethernet0/1
speed 100
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.0.7
domain-name
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq www
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq 3340
access-list outside_access_in extended permit gre any host x.x.x.x1
access-list outside_access_in extended permit tcp any host x.x.x.x1 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.x1 eq pptp
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq pptp
access-list outside_access_in extended permit gre any host interface
access-list outside_access_in extended permit gre any host x.x.x.x2
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq https
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 3391
access-list outside_access_in extended permit tcp any interface outside eq 3395
access-list outside_access_in extended permit tcp any interface outside eq 3394
access-list outside_access_in extended permit tcp any interface outside eq 3393
access-list outside_access_in extended permit tcp any interface outside eq 3392
access-list outside_access_in extended permit tcp any interface outside eq 3396
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 990
access-list inside_access_in extended permit ip any any
access-list acl_out extended permit tcp host 192.168.0.2 any eq smtp
access-list acl_out extended permit tcp host 192.168.0.154 any eq smtp
access-list acl_out extended permit tcp host 192.168.0.7 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.202 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.0.202 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 3340 192.168.0.220 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x1 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x1 pptp 192.168.0.7 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3395 name 3395 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 name 3391 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.227 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 name 3392 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 name 3393 netmask 255.255.255.255
static (inside,outside) tcp interface 3394 name 3394 netmask 255.255.255.255
static (inside,outside) tcp interface 3396 name 3396 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.201 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.145 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.15 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.238 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ftp
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:74eba19208dba1bc6a5ad577045a422b
: end
asdm image disk0:/asdm-524.bin
asdm location x.x.x.x 255.255.255.255 inside
asdm location 192.168.0.7 255.255.255.255 inside
no asdm history enable
Even though the ASA can act as a default route router, I would advise you to put a true router in front of the firewall. The ASA is not intelligent enough for advanced routing functions.
ASKER
Negative. That was my first thought. I shut it down completely, and removed the config from ASA. Got the same results.
The best next step would be to test throughput through the ASA. Could you set up a host directly on the outside interface of the ASA such that it's pingable on the outside interface? Set up FTP on this host, then try accessing the host from the inside. GET a large file and see what kind of throughput you get.
If the ASA handles this correctly, then we need to look at some logs of the ASA as you connect outbound.
Check for duplex mismatch. You have 'speed 100' hardcoded on int e0/0 and int e0/1. Are you SURE that both of the devices you're plugging the ASA into are hard-coded for 100mbit/full? If they are set to auto-negotiate then the negotiation will fail and one device will use half-duplex. Check the output of 'show int' for errors on e0/0, or e0/1. If you have errors, or either one says "half-duplex" then that's your problem.
I'd recommend removing the 'speed 100' setting and letting auto-negotiation work correctly. Or ensure that everything is hard coded correctly.
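As an added illustration of the check this answer describes (it is not code from the thread or from Cisco), here is a small Python parser that pulls the duplex mode and the error counters out of `show interface` text and lists the ports that look mismatched. The sample output is constructed and its layout is an assumption modelled on ASA 7.x output; real output carries more lines and varies by release, so the parser keys on a few stable phrases rather than on line positions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of ASA `show interface` output for two switch ports.
# The layout is modelled on ASA 7.x and is an assumption; Ethernet0/0 is
# written to show the mismatch signature, Ethernet0/1 is clean.
SAMPLE_SHOW_INTERFACE = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Half-Duplex, 100 Mbps
        Available but not configured via nameif
        12345 packets input, 9876543 bytes, 0 no buffer
        Received 17 broadcasts, 0 runts, 0 giants
        41 input errors, 41 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8765 packets output, 1234567 bytes, 0 underruns
        0 output errors, 312 collisions, 0 interface resets
        57 late collisions, 0 deferred
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Full-Duplex, 100 Mbps
        Available but not configured via nameif
        5000 packets input, 400000 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4000 packets output, 300000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
"""

# Matches both the "Half-Duplex, 100 Mbps" and the "Auto-Duplex(Half-duplex)" forms.
DUPLEX_RE = re.compile(r"\b(Half|Full)-[Dd]uplex\b")
# Counters that point at a duplex mismatch (CRC, runts, late collisions)
# or at an unhealthy link in general (input errors, collisions).
COUNTER_RE = re.compile(r"(\d+) (input errors|CRC|collisions|late collisions|runts)\b")


@dataclass
class IfaceStats:
    name: str
    duplex: Optional[str] = None            # "half", "full", or None if not seen
    counters: Dict[str, int] = field(default_factory=dict)


def parse_show_interface(text: str) -> List[IfaceStats]:
    """Split `show interface` text into per-interface duplex mode and counters."""
    ifaces: List[IfaceStats] = []
    cur: Optional[IfaceStats] = None
    for line in text.splitlines():
        if line.startswith("Interface "):
            cur = IfaceStats(name=line.split()[1])
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        m = DUPLEX_RE.search(line)
        if m:
            cur.duplex = m.group(1).lower()
        for count, key in COUNTER_RE.findall(line):
            cur.counters[key] = int(count)
    return ifaces


def duplex_mismatch_findings(ifaces: List[IfaceStats]) -> List[Tuple[str, str]]:
    """Return (interface, reason) pairs for anything that looks like a mismatch.

    A port stuck at half-duplex, together with non-zero CRC and late-collision
    counters, is the signature the answer above tells you to look for.
    """
    findings: List[Tuple[str, str]] = []
    for i in ifaces:
        if i.duplex == "half":
            findings.append((i.name, "running half-duplex"))
        for key in ("late collisions", "CRC", "input errors", "runts"):
            if i.counters.get(key, 0) > 0:
                findings.append((i.name, f"{i.counters[key]} {key}"))
    return findings


if __name__ == "__main__":
    for name, reason in duplex_mismatch_findings(parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(f"{name}: {reason}")
```

Run it against a pasted `show interface` capture instead of the sample; a port that reports half-duplex while the far end is forced to 100/full, with CRC and late-collision counters that keep climbing between two runs, is the mismatch the answer describes.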
ASKER
After looking at the connections and adjusting the URL filter, I noticed the speed increase to its potential by allowing 15 connections in the URL filtering line. Contacted McAfee support, and they suggested leaving it as such, and their engineers will explore a workaround. Short story: it was not the router at all but the URL filter. Thx tons! MikeKane.
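Pulling the thread together as an added example (not code from the thread or from Cisco): a Python audit that reads an ASA running-config and flags the two settings this thread turned on, `speed` pinned without `duplex` and the `url-server ... connections` count, plus two exposure issues that are visible in the posted config, the `permit ip any any` entry in the ACL applied inbound on outside and the telnet management line. The config excerpt is constructed from the question's own config; the threshold of 15 connections is the value the asker landed on, used here as an assumption rather than a vendor recommendation.

```python
import re
from typing import Iterator, List, Tuple

# Constructed excerpt of an ASA 7.2 running-config, cut down from the one
# posted in the question; it keeps only the lines the audit looks at.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
 speed 100
!
interface Ethernet0/1
 speed 100
!
interface Ethernet0/2
!
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq https
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

Finding = Tuple[str, str]  # (severity, message)


def _interface_blocks(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (name, body) for each 'interface X' stanza; a bare '!' closes it."""
    name, body = None, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif line == "!":
            if name is not None:
                yield name, body
            name, body = None, []
        elif name is not None:
            body.append(line)
    if name is not None:
        yield name, body


def audit_asa_config(text: str, min_url_connections: int = 15) -> List[Finding]:
    """Flag the settings this thread turned on plus two exposure issues.

    min_url_connections defaults to the value that restored throughput in the
    thread; that is an assumption taken from the asker's result, not a vendor number.
    """
    lines = [l.strip() for l in text.splitlines()]
    findings: List[Finding] = []

    # 1. speed pinned without duplex: the peer must be pinned identically or
    #    its auto-negotiation fails and it falls back to half-duplex.
    for name, body in _interface_blocks(lines):
        has_speed = any(l.startswith("speed ") for l in body)
        has_duplex = any(l.startswith("duplex ") for l in body)
        if has_speed and not has_duplex:
            findings.append(("warn", f"{name}: speed hardcoded without duplex; "
                                     "verify the peer is hardcoded the same way or remove the speed line"))

    # 2. an ACL that is actually bound to an interface and contains 'permit ip any any'
    bound = {}
    for l in lines:
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", l)
        if m:
            bound[m.group(1)] = (m.group(2), m.group(3))
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip any any$", l)
        if m and m.group(1) in bound:
            direction, iface = bound[m.group(1)]
            findings.append(("high", f"{m.group(1)} ({direction} on {iface}): 'permit ip any any' "
                                     "makes every port-specific entry redundant and admits any "
                                     "traffic the firewall has a translation for"))

    # 3. url-server connection pool, the setting that turned out to be the bottleneck
    for l in lines:
        m = re.match(r"url-server .*\bconnections (\d+)$", l)
        if m and int(m.group(1)) < min_url_connections:
            findings.append(("info", f"url-server connections {m.group(1)} is below {min_url_connections}; "
                                     "the thread saw throughput capped until this was raised"))

    # 4. cleartext management access
    for l in lines:
        if l.startswith("telnet ") and not l.startswith("telnet timeout"):
            findings.append(("medium", f"cleartext telnet management permitted: '{l}'; prefer ssh"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Feed it the full `show running-config` text rather than the excerpt; on the posted config it reports both pinned switch ports, the `outside_access_in` wildcard (the `inside_access_in` one is not bound to any interface and is ignored), the connection pool of 5 and the telnet line.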