Cisco ASA 5505 bandwidth only 1/3 usable.

Customer has a 15 down 2 up pipe. Can only get 5 mb down at best, and 1.5 up. The up seems to be marginal, but the download speeds are painful. Attached straight to cable modem get 15mb down. Through a netgear and linksys router get 15mb down. Tried changed link speed and duplex no change. Changed MTU size also . nogo Running config below. Not sure what it could be.

: Saved
:
ASA Version 7.2(4)
!
hostname
names
name 192.168.0.202
name 192.168.0.25
name 192.168.0.22
name 192.168.0.131
name 192.168.0.110
name 192.168.0.213
name 192.168.0.2
name 192.168.0.200
name 192.168.0.7
name 192.168.0.239
name 192.168.0.92
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.x
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
!
interface Ethernet0/1
 speed 100
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.7
 domain-name
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq www
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq 3340
access-list outside_access_in extended permit gre any host x.x.x.x1
access-list outside_access_in extended permit tcp any host x.x.x.x1 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.x1 eq pptp
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq pptp
access-list outside_access_in extended permit gre any host interface
access-list outside_access_in extended permit gre any host x.x.x.x2
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq https
access-list outside_access_in extended permit tcp any host x.x.x.x2 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 3391
access-list outside_access_in extended permit tcp any interface outside eq 3395
access-list outside_access_in extended permit tcp any interface outside eq 3394
access-list outside_access_in extended permit tcp any interface outside eq 3393
access-list outside_access_in extended permit tcp any interface outside eq 3392
access-list outside_access_in extended permit tcp any interface outside eq 3396
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 990
access-list inside_access_in extended permit ip any any
access-list acl_out extended permit tcp host 192.168.0.2 any eq smtp
access-list acl_out extended permit tcp host 192.168.0.154 any eq smtp
access-list acl_out extended permit tcp host 192.168.0.7 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.202 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.0.202 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 3340 192.168.0.220 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x1 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x1 pptp 192.168.0.7 pptp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x2 https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3395 name 3395 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 name 3391 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.227 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 name 3392 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 name 3393 netmask 255.255.255.255
static (inside,outside) tcp interface 3394 name 3394 netmask 255.255.255.255
static (inside,outside) tcp interface 3396 name 3396 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.201 255.255.255.255 0.0.0.0 0.0.0.0
filter url except name 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.145 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.15 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.0.238 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:74eba19208dba1bc6a5ad577045a422b
: end
asdm image disk0:/asdm-524.bin
asdm location x.x.x.x 255.255.255.255 inside
asdm location 192.168.0.7 255.255.255.255 inside
no asdm history enable

AC-ISAsked:
Who is Participating?
 
MikeKaneConnect With a Mentor Commented:
Any ASA should be able to handle this amount of throughput.    Even the base 5505 can do 150 Mbps.  

So I would look at this:
url-server (inside) vendor smartfilter host 192.168.0.7 port 4005 timeout 30 protocol TCP connections 5

Seems that you have a webfilter setup to block/scan outbound http.     If you disable this filter, do you see better throughput?
0
 
ChopperCenturyCommented:
Even though the ASA can act as a default route router, I would advise you put a true router in front of the firewall. The ASA is not intelligent to advanced routing function.
0
 
AC-ISAuthor Commented:
Negative. That was my first thought. I shut it down completely, and removed the config from ASA. Got the same results.
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

 
MikeKaneCommented:
The best next step would be to test throughput through the ASA.   Could you setup a host directly on the outside interface of the ASA such that its pingable on the outside interface.    Setup FTP on this host, then try accessing the host from the inside.   GET a large file and see what kind of through put you get.  

If the ASA handles this correctly, then we need to look at some logs of the ASA as you connect outbound.
0
 
gavvingCommented:
Check for duplex mismatch.  You have 'speed 100' hardcoded on int e0/0 and int e0/1.  Are you SURE that both of the devices you're plugging the ASA into are hard-coded for 100mbit/full?  If they are set to auto-negotiate then the negotiation will fail and one device will use half-duplex.  Check the output of 'show int' for errors on e0/0, or e0/1.  If you have errors, or either one says "half-duplex" then that's your problem.

I'd recommend removing the 'speed 100' setting and letting auto-negotiation work correctly.  Or ensure that everything is hard coded correctly.
0
 
AC-ISAuthor Commented:
After looking at the connections, and adjusting the URL filter. I noticed the speed increase to it potential by allowing 15 connections in the URL filtering line. Contacted Mcafee support, and they suggested leaving it as such, and there engineers will explore work around. Short story it was not the router at all but the URL filter Thx tons ! MikeKane.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.