Cisco Firewall :: ASA 5510 High Traffic On Outside Interface
Jul 31, 2012
I have little experience with firewalls, what I've learned has been by dealing with issues like this that arise from time to time.I know, I need to upgrade the version. It's in the works now. Anyways, my question/problem is: Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our asa 5510 the "outside interface" traffic usage is running contstantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.
Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our asa 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.
FTP traffic routed from outside to the inside interface works fine. I have another interface with multiple sub-interfaces and vlans configured. FTP traffic routed from the outside to vlan2_servers is not making it through the firewall. I must be missing something. I have attached my config.
I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permit any traffic and added ICMP to the inspestion list also but still there is problem. Belos is the configuration. The image is asa822-k8.bin
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (22.214.171.124) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 126.96.36.199 255.255.0.0 any eq 80 Pix(config)#access-list outbound permit udp 188.8.131.52 255.255.0.0 any eq 53 Pix(config)#access-group outbound in interface inside
Cisco ASA 5510. Between 5 to 10 minutes of reseting the asa traffic stop accessing outside ip addresses. Ping from console fails to ISP router IP. Ping to google name server failes. I have reset to factory default only setting up nic and natting and it still happens.
We recently added about 400 users to our network for a total of 1000. Looking at the ASDM we are holding very tight to 75% utilization and we have 256mbs. This is also running IOS 8.2(1). Our firewall recently crashed after a major download was forced through it. This was after only being booted up for about a week. We had reloaded it a week prior after having ran it for about a year without issue. We havent made any changes in the last month other than adding more users to our network.
I have configured an ASA 5510 and 2960S 48 port switch in a lab environment. I have two laptops connected to seperate subinterfaces with server 2003 as dhcp server for one network. Everything has been working fine as we have been testing the ASA while also testing the csc smm module. When we came in today we noticed the csc module cpu is running at 100% constantly and http traffic is extremely slow. I have not yet received my smartnet contracts from the vendor or I would open a TAC case and I have read on the net that this is a common problem.
We installed a solution with 2 Cisco 2801, BGP multihomed failover.
1) The router which is currently getting all the traffic gets to 55% to 60% of CPU usage when handling 40 SIP/RTP streams . This equals 10Mbit up/10Mbit down and it showed around 5800 packets TX and around 5800 packets RX, with a majority of them CEF switched. As those figures are way less than the performance figures published by Cisco, we wonder if we made any mistake in setting up our router, or if we can do something to improve the router setup.
2) Does it have an impact on router performance if we increase/decrease RTP packet size, thus increasing or decreasing the pps relative to the consumed bandwidth?
3) If it is not possible to improve router configuration, we also wonder about possible replacement units for those routers. Would a 2901 do a good job? By how much would it rise the capacity? What other models would you recommend if we plan to rise the number of concurrent calls by a factor of 4 or even 8 times of what we have now (so up to 48000 pps and 80Mbit).
Here is what we tried:
- ip route-cache same-interface does not seem to improve anything
- ip flow ingress on or off makes no difference
- disabling the inbound ACL on fa0/0 seems to reduce load by 10%, although I don't understand why - a very high percentage is CPU interrupts, and ACLs are process switched, or not?
- we tried following the Cisco guide for high CPU due to high interrupts, with no success
Here are some usage statistics:
The graphs that we plot via SNMP show a propotional growth/increase of CPU and bandwidth (and thus pps) At the highest loads, we had a bit more than 55% CPU utilization with more than 50% interrupt CPU.
CPU utilization for five seconds: 36%/30%; one minute: 30%; five minutes: 30% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 127 13140 954 13773 2.00% 0.29% 0.07% 194 SSH Process
We have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output. ciscoasa# sh int ip br Interface IP-Address OK? Method Status Protocol Ethernet0/0 x.x.x.x YES CONFIG up up Ethernet0/1 x.x.x.x YES CONFIG up up Ethernet0/2 unassigned YES unset administratively down down Internal-Control0/0 127.0.1.1 YES unset up up Internal-Data0/0 unassigned YES unset up up Management0/0 192.168.1.1 YES CONFIG up up
I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network. I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network. The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need? How do I setup the rules to allow this traffic?
I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
P.S.: I'm using a 5510 machine running version 8.2
Have an ASA 5510. Setting up a new DMZ zone for wireless and it will only have Internet access. What are the steps so that users on this new DMZ subnet can VPN into the Outside interface on the same ASA?
I need to configure a Cisco ASA5510.Connencted the a single interface I have a switch. To this switch (same VLAN) there are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
I have so allowed any traffic incoming to the inside interface as follows:access-list inside_access_in extended permit ip any any and I have permitted traffic intra interface as follows: same-security-traffic permit intra-interface. [code]Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.
We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
here is output from our sys log:
SyslogID Source IP Dest IP Description 305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers 172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly.Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved : ASA Version 7.2(3) ! hostname [redacted]
I have problem with traffic coming from GRE interface and going further through FWSM on the same 6509-E chassis.It's very interesting and confusing. If packets are fragmented, I can go through, however, if I use normal packets (usual ping for example) traffic goes from outside to inside and stops on it's way back.
Here is the detailed info: WS-C6509-E with WS-SUP720-3B FWSM HW 4.0, SW 4.1(4)
GRE is done in hardware (source is loopback interface - only one loopback per GRE tunnel).
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to do enable to get to Workstation 3 from the VPN client? IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface.The 5520 has a site to site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet. When I make my 3750 stack default route for the inside2 interface IP I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
I get the following errors when I try to open google.com from a production server:Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?
I have a ASA 5505 with the security plus license. I have 7 vlans, 2 are guest vlans for wireless and wired connections. I am allowing traffic from the guest vlans to any with the http & https protocols I have ACL's in place before the allow all rule that do not allowed traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans to always go to the outside interface for the http & https traffic in stead of trying to go to the other vlans first, I know I have the ACL's in place to prevent the traffic but if I would feel better if I had this in place as well.
For ASA v8.3 and above we don't need to use nat-controll, traffic from high security interface can go to low security interface without matching NAT statements.So does the ASA automatically NAT s the outgoing traffic to the outside interface by default?
Just wondering if there are any methods or commands, natively, in the asa5510 for determining all traffic in to and from a certain server passing through the asa. This would be without a syslog server or something similar.
Core Internal Network -> Cisco ASA 5510 -> DMZ Switch.If i send a ping reguest from internal network to servers in DMZ Switch over the ASA 5510, i can see a delay in response, some times this delay can be more than 80ms, this is a problem for the web applications in http traffic.How i can find what's happening on my ASA? I disable the inspect traffic over the IPS, disable the policy maps below, reload the two boxes, but doesn't works, the problem still persists. [code]
I'm currently using ASA 5510 with software 8.4.1 and I have an issue with nat configuration. I used the following config line:nat (inside, dmz) source dynamic LAN Pat1 destination Server1 Server1
The traffic is not flowing and when I use Packet Tracer, packets are dropped at the NAT rule with the following error: Drop-reason: (acl-drop) Flow is denied by configured rule.The only ACE I have is permit ip any any.
I have an ASA with an outside ACL that is configured to allow 184.108.40.206 SIP/5060 to 1x.x.x.46. I show no hits. I added an ACL to do a packet capture, it sees the packet coming into the ASA but not going to the Serv Prov interface. I see hits on the vuong ACL but not the production acl_out ACL.. What is up?
NOTE:ACL_out is the ACL we use to allow outside traffic to enter our network. FW1(config)# sh access-list | i 1.x.x.46 access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387 (*NO HITS) access-list acl_out line 658 extended permit udp host 220.127.116.11 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179 (NO HITS) [code]...
It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46. We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to . By trying to telnet to the 1x.x.x46 IP from 63.x.x.140 IP. Looking below, no traffic appeared on the capture2.
I have manually configured the Firewall ASA 5510 from existing PIX to match the configuration, however when I connect the firewall to the Network, no traffic is flowing in either direction. I have the Inside network on the 172.29.0.0 subnet and the outside network on 18.104.22.168 subnet. I am attaching the cofiguration file.
I have a trouble with Cisco ASA 5510. I configured an SSL VPN with bookmarks to some application. When the users make access to the Web Portal they have to login twice: one for enter in the SSL and one for enter in the application.