Cisco ASA 5505 bandwidth only 1/3 usable.

Customer has a 15 down 2 up pipe. Can only get 5 mb down at best, and 1.5 up. The up seems to be marginal, but the download speeds are painful. Attached straight to cable modem get 15mb down. Through a Netgear and Linksys router get 15mb down. Tried changing link speed and duplex, no change. Changed MTU size also, no go. Running config below. Not sure what it could be.

: Saved
:
ASA Version 7.2(4)
!
hostname
names
name 192.168.0.202
name 192.168.0.25
name 192.168.0.22
name 192.168.0.131
name 192.168.0.110
name 192.168.0.213
name 192.168.0.2
name 192.168.0.200
name 192.168.0.7
name 192.168.0.239
name 192.168.0.92
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.x
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
!
interface Ethernet0/1
 speed 100
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.7
 domain-name
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq www
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq 3340
access-list outside_access_in extended permit gre any host x.x.x.x1
access-list outside_access_in extended permit tcp any host x.x.x.x1 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.x1 eq pptp
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq pptp
access-list outside_access_in extended permit gre any host interface
access-list outside_access_in extended permit gre any host x.x.x.x2
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq https
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 3391
access-list outside_access_in extended permit tcp any interface outside eq 3395
access-list outside_access_in extended permit tcp any interface outside eq 3394
access-list outside_access_in extended permit tcp any interface outside eq 3393
access-list outside_access_in extended permit tcp any interface outside eq 3392
access-list outside_access_in extended permit tcp any interface outside eq 3396
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 990
access-list inside_access_in extended permit ip any any
access-list acl_out extended permit tcp host 192.168.0.2 any eq smtp
access-list acl_out extended permit tcp host 192.168.0.154 any eq smtp
access-list acl_out extended permit tcp host 192.168.0.7 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.202 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.0.202 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 3340 192.168.0.220 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x1 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x1 pptp 192.168.0.7 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3395 name 3395 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 name 3391 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.227 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 name 3392 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 name 3393 netmask 255.255.255.255
static (inside,outside) tcp interface 3394 name 3394 netmask 255.255.255.255
static (inside,outside) tcp interface 3396 name 3396 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.201 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.145 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.15 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.238 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:74eba19208dba1bc6a5ad577045a422b
: end
asdm image disk0:/asdm-524.bin
asdm location x.x.x.x 255.255.255.255 inside
asdm location 192.168.0.7 255.255.255.255 inside
no asdm history enable

Asked by AC-IS

ChopperCentury Commented:
Even though the ASA can act as a default route router, I would advise you put a true router in front of the firewall. The ASA is not intelligent to advanced routing function.
MikeKane Commented:
Any ASA should be able to handle this amount of throughput.    Even the base 5505 can do 150 Mbps.  

So I would look at this:
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5

Seems that you have a webfilter setup to block/scan outbound http.     If you disable this filter, do you see better throughput?
AC-IS (Author) Commented:
Negative. That was my first thought. I shut it down completely, and removed the config from ASA. Got the same results.
MikeKane Commented:
The best next step would be to test throughput through the ASA. Could you set up a host directly on the outside interface of the ASA such that it's pingable on the outside interface? Set up FTP on this host, then try accessing the host from the inside. GET a large file and see what kind of throughput you get.

If the ASA handles this correctly, then we need to look at some logs of the ASA as you connect outbound.
gavving Commented:
Check for duplex mismatch.  You have 'speed 100' hardcoded on int e0/0 and int e0/1.  Are you SURE that both of the devices you're plugging the ASA into are hard-coded for 100mbit/full?  If they are set to auto-negotiate then the negotiation will fail and one device will use half-duplex.  Check the output of 'show int' for errors on e0/0, or e0/1.  If you have errors, or either one says "half-duplex" then that's your problem.

I'd recommend removing the 'speed 100' setting and letting auto-negotiation work correctly.  Or ensure that everything is hard coded correctly.
AC-IS (Author) Commented:
After looking at the connections and adjusting the URL filter, I noticed the speed increase to its potential by allowing 15 connections in the URL filtering line. Contacted McAfee support, and they suggested leaving it as such, and their engineers will explore a workaround. Short story: it was not the router at all but the URL filter. Thx tons! MikeKane.
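
The two configuration suspects raised in this thread (a hardcoded `speed` with no `duplex` line, and a low `connections` count on the `url-server` line) can be checked mechanically against a saved running config. The script below is an added example, not part of the original thread; the function name `audit` and the threshold constant are assumptions, and the sample input is copied from the config in the question.

```python
import re

# Lines copied from the running config posted in the question.
CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
 speed 100
!
interface Ethernet0/1
 speed 100
!
interface Ethernet0/2
!
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5
"""

# Assumption: 15 is used as the threshold because the asker reports full speed at that value.
MIN_URL_CONNECTIONS = 15


def audit(config):
    """Return (item, message) findings for the two suspects raised in the thread."""
    findings = []
    iface, settings = None, {}
    def close_interface():
        # 'speed' hardcoded without a 'duplex' line: the link partner needs checking.
        if iface and "speed" in settings and "duplex" not in settings:
            findings.append((iface, "speed %s hardcoded, no duplex line" % settings["speed"]))
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line ends the interface block
            close_interface()
            iface, settings = None, {}
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
        m = re.match(r" (speed|duplex) (\S+)", line)
        if m and iface:
            settings[m.group(1)] = m.group(2)
        m = re.match(r"url-server .* connections (\d+)", line)
        if m and int(m.group(1)) < MIN_URL_CONNECTIONS:
            findings.append(("url-server", "connections %s is below %d" % (m.group(1), MIN_URL_CONNECTIONS)))
    close_interface()
    return findings


if __name__ == "__main__":
    for item, message in audit(CONFIG):
        print("%s: %s" % (item, message))
```

A flagged interface is only a prompt to compare against `show int` and the link partner's settings, as gavving describes; it is not proof of a mismatch.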