Cisco Firewall :: ASA 5510 High Traffic On Outside Interface

Jul 31, 2012

I have little experience with firewalls, what I've learned has been by dealing with issues like this that arise from time to time.I know, I need to upgrade the version. It's in the works now. Anyways, my question/problem is: Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today.  On the dashboard of our asa 5510 the "outside interface" traffic usage is running contstantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 7.2.1 High Traffic On Outside Interface Very High Input?

Oct 13, 2011

Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today.  On the dashboard of our asa 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.

View 6 Replies View Related

Cisco Firewall :: ASA 5510 High Drop Count On Management Interface

Sep 4, 2012

I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Ftp Traffic Passing On 1 Interface But Not Another?

Dec 20, 2011

FTP traffic routed from outside to the inside interface works fine.  I have another interface with multiple sub-interfaces and vlans configured.  FTP traffic routed from the outside to vlan2_servers is not making it through the firewall.  I must be missing something.  I have attached my config.

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Can't Move Traffic From DMZ To Outside Interface

Jan 16, 2012

I can't move traffic (isakmp udp_port: 500 & ipsec nat traverse udp_port: 4500) from my dmz to the  outside interface

View 1 Replies View Related

Cisco WAN :: Allow ICMP Traffic On ASA 5510 From LAN Interface To DMZ?

Jul 17, 2012

I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permit any traffic and added ICMP to the inspestion list also but still there is problem. Belos is the configuration. The image is asa822-k8.bin

:
ASA Version 8.2(2)
!
hostname fw-01
names
!
interface Ethernet0/0

[code]....

View 1 Replies View Related

Cisco Firewall :: PIX 501 / Can Traffic Goes From Inside Interface To Outside Interface

Oct 9, 2011

I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
 
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
 
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
 
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside

View 7 Replies View Related

Cisco Firewall :: Traffic With 5505 Goes To High To Low

Jun 25, 2012

My understanding is for insight to outside we need global and NAT, and for outside to inside we need static and ACL? Traffic goes to high to low, I'm just start working with 5505 recently.

View 2 Replies View Related

Cisco WAN :: ASA 5510 - Outside Interface Stops Sending And Receiving Traffic

Aug 8, 2012

Cisco ASA 5510.  Between 5 to 10 minutes of reseting the asa traffic stop accessing outside ip addresses.  Ping from console fails to ISP router IP. Ping to google name server failes.  I have reset to factory default only setting up nic and natting and it still happens. 

View 2 Replies View Related

Cisco Firewall :: High Memory Utilization On ASA 5510

Sep 13, 2012

We recently added about 400 users to our network for a total of 1000.  Looking at the ASDM we are holding very tight to 75% utilization and we have 256mbs.  This is also running IOS 8.2(1).  Our firewall recently crashed after a major download was forced through it.  This was after only being booted up for about a week.  We had reloaded it a week prior after having ran it for about a year without issue.  We havent made any changes in the last month other than adding more users to our network.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 And 2960S - CSC SSM High CPU Usage

Jan 28, 2013

I have configured an ASA 5510 and 2960S 48 port switch in a lab environment. I have two laptops connected to seperate subinterfaces with server 2003 as dhcp server for one network. Everything has been working fine as we have been testing the ASA while also testing the csc smm module. When we came in today we noticed the csc module cpu is running at 100% constantly and http traffic is extremely slow. I have not yet received my smartnet contracts from the vendor or I would open a TAC case and I have read on the net that this is a common problem.

View 1 Replies View Related

Cisco WAN :: 2801 High CPU Load / Low Traffic / High Interrupts

Nov 26, 2012

We installed a solution with 2 Cisco 2801, BGP multihomed failover.
 
1) The router which is currently getting all the traffic gets to 55% to 60% of CPU usage when handling 40 SIP/RTP streams . This equals 10Mbit up/10Mbit down and it showed around 5800 packets TX and around 5800 packets RX, with a majority of them CEF switched. As those figures are way less than the performance figures published by Cisco, we wonder if we made any mistake in setting up our router, or if we can do something to improve the router setup.
  
2) Does it have an impact on router performance if we increase/decrease RTP packet size, thus increasing or decreasing the pps relative to the consumed bandwidth?
  
3) If it is not possible to improve router configuration, we also wonder about possible replacement units for those routers. Would a 2901 do a good job? By how much would it rise the capacity? What other models would you recommend if we plan to rise the number of concurrent calls by a factor of 4 or even 8 times of what we have now (so up to 48000 pps and 80Mbit).
  
Here is what we tried:

- ip route-cache same-interface does not seem to improve anything

- ip flow ingress on or off makes no difference

- disabling the inbound ACL on fa0/0 seems to reduce load by 10%, although I don't understand why - a very high percentage is CPU interrupts, and ACLs are process switched, or not?

- we tried following the Cisco guide for high CPU due to high interrupts, with no success
  
Here are some usage statistics: 
 
The graphs that we plot via SNMP show a propotional growth/increase of CPU and bandwidth (and thus pps) At the highest loads, we had a bit more than 55% CPU utilization with more than 50% interrupt CPU.
 
CPU utilization for five seconds: 36%/30%; one minute: 30%; five minutes: 30%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
127       13140         954      13773  2.00%  0.29%  0.07% 194 SSH Process  

[Code].....

View 8 Replies View Related

Cisco WAN :: 2821 When Traffic Is Less Error Rate Is Low But With High Traffic It Is Increasing Drastically

Dec 11, 2010

We have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]

View 8 Replies View Related

Cisco Firewall :: Unable To See Interface On ASA 5510 Firewall?

Jul 29, 2012

I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
 
Below is the output.
ciscoasa# sh int ip br Interface                  IP-Address      OK? Method Status                Protocol Ethernet0/0                x.x.x.x           YES CONFIG up                    up Ethernet0/1                x.x.x.x           YES CONFIG up                    up Ethernet0/2                unassigned      YES unset  administratively down down Internal-Control0/0        127.0.1.1       YES unset  up                    up Internal-Data0/0           unassigned      YES unset  up                    up Management0/0              192.168.1.1     YES CONFIG up                    up

View 8 Replies View Related

Cisco Firewall :: Cross Interface Traffic ASA5505

Mar 12, 2012

I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network.  I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network.  The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need?  How do I setup the rules to allow this traffic?

View 2 Replies View Related

Cisco Firewall :: 5510 / DMZ To Outside Only Traffic?

Nov 28, 2011

I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
 
P.S.: I'm using a 5510 machine running version 8.2

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - VPN From DMZ To Outside Interface

Mar 20, 2011

Have an ASA 5510. Setting up a new DMZ zone for wireless and it will only have Internet access. What are the steps so that users on this new DMZ subnet can VPN into the Outside interface on the same ASA?

View 4 Replies View Related

Cisco Firewall :: NASA5510 Working Traffic Inside Of Same Interface

Oct 13, 2012

I need to configure a Cisco ASA5510.Connencted the a single interface I have a switch. To this switch (same VLAN) there are connected:
 
1. The Subnet of the main office (192.168.1.253)

2. A router  (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
 
I have so allowed any traffic incoming to the inside interface as follows:access-list inside_access_in extended permit ip any any and I have permitted traffic intra interface as follows: same-security-traffic permit intra-interface. [code]Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Dropping UDP / 53 Traffic On Inside Interface?

Jul 21, 2012

We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
 
here is output from our sys log:

SyslogID   Source IP      Dest IP    Description
305006      172.18.22.3                   portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
 
To give some clarification:

172.18.22.3      is one of our DNS servers
172.18.22.156  is a device we're experimenting with.
 
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly.Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
 
: Saved 
:
 ASA Version 7.2(3)
 !
 hostname [redacted]

[code].....

View 5 Replies View Related

Cisco Firewall :: 6509-E / Traffic Coming From GRE Interface And Going Further Through FWSM?

Oct 4, 2011

I have problem with traffic coming from GRE interface and going further through FWSM on the same 6509-E chassis.It's very interesting and confusing. If packets are fragmented, I can go through, however, if I use normal packets (usual ping for example) traffic goes from outside to inside and stops on it's way back.
 
Here is the detailed info:
WS-C6509-E with WS-SUP720-3B
FWSM HW 4.0,  SW 4.1(4) 
 
GRE is done in hardware (source is loopback interface - only one loopback per GRE tunnel).

View 5 Replies View Related

Cisco Firewall :: ASA5505 - Routing Traffic From VPN Clients To Interface?

Sep 17, 2011

I have two attachments that show my basic network layout.  I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place.  I can also get from Workstation 2 to Workstation 3 just fine.  But I'm having issues when I try to get from the VPN client to Workstation 3...  What would I need to do enable to get to Workstation 3 from the VPN client?  IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.

View 10 Replies View Related

Cisco Firewall :: Force ASA 5520 Traffic Out Specific Interface

Jun 1, 2011

I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface.The 5520 has a site to site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet.
When I make my 3750 stack default route for the inside2 interface IP I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
 
I get the following errors when I try to open google.com from a production server:Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?

View 6 Replies View Related

Cisco Firewall :: ASA 5505 - All Traffic From Guest VLans To Always Go To Outside Interface

Mar 15, 2013

I have a ASA 5505 with the security plus license. I have 7 vlans, 2 are guest vlans for wireless and wired connections.  I am allowing traffic from the guest vlans to any with the http & https protocols I have ACL's in place before the allow all rule that do not allowed traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans to always go to the outside interface for the http & https traffic in stead of trying to go to the other vlans first, I know I have the ACL's in place to prevent the traffic but if I would feel better if I had this in place as well.

View 5 Replies View Related

Cisco Firewall :: Does ASA 8.4 Automatically NAT Outgoing Traffic To Outside Interface By Default

Apr 25, 2012

For ASA v8.3 and above we don't need to use nat-controll, traffic from high security interface can go to low security interface without matching NAT statements.So does the ASA automatically NAT s the outgoing traffic to the outside interface by default?

For example

ASA inside int---10.1.1.1
outside int---120.11.1.1

when the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later.is that right?

View 7 Replies View Related

Cisco Firewall :: Determining All Traffic In And Out Of ASA 5510?

May 20, 2011

Just wondering if there are any methods or commands, natively, in the asa5510 for determining all traffic in to and from a certain server passing through the asa.  This would be without a syslog server or something similar.

View 3 Replies View Related

Cisco Firewall :: Traffic Delay ASA 5510

Mar 11, 2013

Core Internal Network -> Cisco ASA 5510 -> DMZ Switch.If i send a ping reguest from internal network to servers in DMZ Switch over the ASA 5510, i can see a delay in response, some times this delay can be more than 80ms, this is a problem for the web applications in http traffic.How i can find what's happening on my ASA? I disable the inspect traffic over the IPS, disable the policy maps below, reload the two boxes, but doesn't works, the problem still persists. [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5510 With 8.4.1 - Traffic Is Not Flowing

Mar 27, 2011

I'm currently using ASA 5510 with software 8.4.1 and I have an issue with nat configuration. I used the following config line:nat (inside, dmz) source dynamic LAN Pat1 destination Server1 Server1
 
The traffic is not flowing and when I use Packet Tracer, packets are dropped at the NAT rule with the following error: Drop-reason: (acl-drop) Flow is denied by configured rule.The only ACE I have is permit ip any any.

View 2 Replies View Related

Cisco Firewall :: ASA-5510 - SIP ACL Traffic Not Working

Jun 11, 2013

I have an ASA with an outside ACL that is configured to allow 208.84.248.95 SIP/5060 to 1x.x.x.46.  I show no hits.  I added an ACL to do a packet capture, it sees the packet coming into the ASA but not going to the Serv Prov interface.  I see hits on the vuong ACL but not the production acl_out ACL..  What is up?
 
NOTE:ACL_out is the ACL we use to allow outside traffic to enter our network. 
FW1(config)# sh access-list | i 1.x.x.46
access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387  (*NO HITS)
access-list acl_out line 658 extended permit udp host 208.84.248.95 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179  (NO HITS)
[code]...

It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46.  We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
 
ccess-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0x2759fa92
FW1(config)# q
FW1# capture capture1 access-list vuong interface outside
[code]...
 
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to .  By trying to telnet to the 1x.x.x46 IP from 63.x.x.140 IP.  Looking below, no traffic appeared on the capture2.
 
FW1# capture capture2 access-list vuong interface ServProv
FW1# sh capture capture2
0 packet captured
0 packet shown
[code]...
 
Capture 1 above shows the last 3 incoming messages initiated from 63.x.x.140 to the 1x.x.x.46! Vuong ACL belows shows 3 more hits.....nothing on the acl_out ACL???
 
FW1# sh access-list vuong
access-list vuong; 1 elements; name hash: 0x29df3e90
access-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=6) 0x2759fa92
[code]...

View 1 Replies View Related

Cisco Firewall :: ASA 5510 No Traffic Flowing?

Jul 12, 2011

I have manually configured the Firewall ASA 5510 from existing PIX to match the configuration, however when I connect the firewall to the Network, no traffic is flowing in either direction. I have the Inside network on the 172.29.0.0 subnet and the outside network on 20.2.0.0 subnet. I am attaching the cofiguration file.

View 4 Replies View Related

Cisco Firewall :: 5510 Allow Traffic Inside To Outside

Nov 18, 2011

One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020

How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
 
-Host IP on inside network  - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - Web Interface And SSL VPN Pass Through?

Mar 1, 2011

I have a trouble with Cisco ASA 5510. I configured an SSL VPN with bookmarks to some application. When the users make access to the Web Portal they have to login twice: one for enter in the SSL and one for enter in the application.
 
How to bypass double authentication?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I attached the complete config. The earlier discussion, I cannot select reply. Looks like ACL is denying it. But I am not sure which one or how to permit it.
 
sh run
: Saved
:
ASA Version 8.0(4)

[Code].....

View 7 Replies View Related

Cisco Firewall :: Route To Same Interface On ASA 5510?

Sep 14, 2011

I would like to route traffic that are coming in and going out to the same interface on ASA. I am using inside interface with security-level 100.  In this URL, [URL], ASA is able to do that.

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved