Cisco Firewall :: ASA5585X - Packet Rate On Inside And Outside Interface Doesn't Match
Oct 24, 2012
I am doing some pre-deployment testing with an ASA5585X and noticed that when I feed it a stream of SYN packets on the outside interface, the measured traffic rate on the inside interface going out is about 10x the rate of the outside interface going in.
laptop --- ASA --- PC
I send 6k TCP SYN pkt at interface rate from the laptop targeted at the PC. No packets are dropped by ACLs or policies and they can be sniffed at the PC.
Show interface commands show:
sh int inside:
... ...
Traffic Statistics for "inside":
...
1 minute input rate 23 pkt/sec, 1303 bytes/sec
1 minute output rate 4454 pkt/sec, 820757 bytes/sec
sh int outside:
... ...
Traffic Statistics for "outside":
...
1 minute input rate 885 pkt/sec, 70847 bytes/sec
1 minute output rate 7 pkt/sec, 425 bytes/sec
I would expect that if 885 pkt/sec enter the firewall on the outside interface, the same amount or less would exit it on the inside...? Why is this not the case? The packet rate is about 5x and the data rate is about 10x greater.
Aug 2, 2012
I'm using a PIX 501 with firmware Version 6.3(3). I have a problem with the PIX 501:
+ The data transfer rate between the outside and inside interfaces is very slow, even between 2 inside interfaces.
+ I have tested file transfer between 2 PCs connected via the inside interface.
+ Result: transferring 1 file of 1MB takes a total time of 60s.
I cannot upgrade the current software from 6.3(3) to 6.3(5) via TFTP. It gives an error; please see the attached file.
Mar 13, 2013
I have configured a vlan interface on a 3750 switch. There is approx 4Mb of active traffic flowing through the interface, but when I do a "show interface vlan (vlanid)" the output shows zero bits in and zero bits out. It's a typical L3 config with one IP on the vlan interface acting as the gateway for the VLAN devices. Is this normal behaviour? And if so, is there any way to get the traffic in/out stats? The end PC/devices are connected to this switch via an L2 TRUNK and I don't have access to the L2 switch on which the actual devices connect, so I can't get the real-time stats of those interfaces.
Oct 9, 2011
I have a PIX 501 firewall and I'm just configuring the device for an "Email Server" to allow POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is, can my traffic go from the inside interface to the outside interface? (Because the inside interface address is not from the 10.0/172./192.168 private address ranges.) Also I'm allowing internet from this email server (132.147.162.14), so how should my access list be configured? And what should my subnet mask be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
Mar 3, 2013
I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- its subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACLs set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)
Apr 12, 2012
I have an issue where our ASA 5520 is impacting upload (from LAN to internet) speed. We have a 100Mbps SDSL internet link and only see around 45-50 Mbps on the upload when going via the firewall; download is around 90+ Mbps, so that is acceptable. I have tested a laptop connected directly to the internet router and that gives near on the 100Mbps up and down speeds, but if I put that laptop on the LAN or directly onto the firewall interface I only see 90Mbps down and 45Mbps up. I have checked that the interface speeds/duplex on the firewall, switch and laptop are correct and also checked there are no errors on the ports. I also turned off the IPS and that made no difference. In addition I have checked the CPU during download/upload (max): CPU utilization for 5 seconds = 9%; 1 minute: 3%; 5 minutes: 1%
In theory the 5520 should be able to cope with this throughput:
Cisco ASA 5500 Series Model/License: 5520
Maximum firewall throughput (Mbps): 450 Mbps
Maximum firewall connections: 280,000
[Code].....
Feb 19, 2012
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. The problem I have is that I can't ping the new firewall on its inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet. I've included the ASA's running config in case anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no NAT going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
Jan 17, 2013
I am trying to upgrade a Cisco ASA over an IPSEC VPN tunnel. My FTP server is on the remote side of the VPN tunnel but I am initiating connections from the inside interface of the firewall. I am currently managing the firewall over the VPN via its inside interface (using the management-access inside command). When I try and update via FTP, the connection is going straight out the outside interface (and not across the VPN tunnel). I have tried upgrading via TFTP but it keeps stopping randomly with (unspecified error). I normally upgrade via FTP though, but it's not working in this instance. Essentially what I am asking is: is there an equivalent command for FTP to the one there is for TFTP: tftp-server interface ip anyconnect? I need the connections to originate from the inside interface so they traverse the VPN. I am running 7.2.3?
May 10, 2011
I have a new ASA 5505 and all is working fine; I can CLI and ASDM into it, but I just can't ping the inside interface. Do I need to enable a feature to make this work somehow?
Apr 23, 2012
I am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside address as I did below:
#sho int ip brief
Vlan1 123.123.123.123 YES manual up up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface as I can't ping the gateway and/or the IP of the inside interface. Do I need to add any routes?
Jun 7, 2013
I have a Cisco 5512-X Firewall connected with a Cisco Layer 3 switch 3750. I have two different WAN connections, one for Data and one for Voice. The Cisco Layer 3 switch is configured with 2 different VLANs, one for Data and the other is the Voice Vlan. The switch is providing DHCP to computers and IP phones. Voice pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20. I need to route my data and voice traffic separately. The Cisco ASA is connected with two different ISPs. So, how can I do this configuration so that Voice and Data traffic will route separately?
Apr 13, 2013
I ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below; L2L VPN works fine and all three data centers can access each other via L2L VPN. I have three ASA5510. [code]
Apr 24, 2012
The inside interface on our primary ASA seemed to "hang". It dropped all the packets it received. Because the interface didn't go down, failover didn't happen. Device info:
-Cisco Adaptive Security Appliance Software Version 8.2(3)
-Device Manager Version 6.3(3)
-Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
-Internal ATA Compact Flash, 256MB
-BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
I attached a capture picture that shows traffic didn't go to the roof when the issue happened. Why would the interface "freeze" randomly?
Feb 5, 2012
I have here an ASA 5510 Sec K9.
I built a config with a DMZ, INSIDE and OUTSIDE interface. My plan is to use the IP address of the OUTSIDE interface with a port to set up an HTTP server in the DMZ.
But my config doesn't work. And I have no plan why .....
The Inside interface has to work normally. The traffic to the Internet is triggered from Inside with Dynamic PAT.
ciscoasa(config)# exit
ciscoasa# show run
: Saved
:
ASA Version 8.4(1)
[Code].....
Dec 12, 2011
I have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the switch's table.
[code]....
Mar 7, 2012
I'm trying to NAT SIP registration from the OUTSIDE interface to the Inside interface on an ASA.
Apr 4, 2012
The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config.
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
[code]....
May 13, 2013
I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through. The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (now); prior to that it was a PIX with v8.0(4). Traffic to the aforementioned web server came in through the gateway of last resort, which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it's the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions. One, I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but I am having difficulty translating the rules to the ASA.
Second question: why is access slow with the ASA to a web server, but fast with the PIX to the same web server?
P.S. Addresses in attached picture config are not real, but I know what they translate to.
Jun 28, 2012
We have a server that has an outside IP and an inside IP. Its inside IP is 192.168.222.30/24 and its outside IP is 199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the NAT'd IP, which is 199.204.50.2/29, is having issues; however, access to the inside IP works fine (this part makes sense). Will it be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface access the NAT'd IP which is assigned to the server?
LAN(192.168.222.0/24)<=====>InsideASAOutside<=====>(Server with NAT IP 192.168.222.30/24, it's also physically assigned to this server). This is an ASA 5510 with 8.4.
Jul 5, 2012
I have an ASA5540 firewall set up with an interface MTU of 1500.
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this. Is there any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running SolarWinds so could query an OID if such a variable exists.
Mar 31, 2013
I have a PIX 515e running version 7.2(4). I have 2 interfaces - DMZ3 (sec lvl 50) and LAB (sec lvl 100) behind the PIX. There is also the OUTSIDE interface (sec lvl 0) which connects to the internet. In DMZ3 I have a webserver - x.x.124.217/24 (host is NATed via static command to public IP). In LAB I have a server - x.x.1.203/24 (entire range is NATed via NAT/Global statements to public IP). The server in LAB needs to access a webserver in DMZ3. From the internet both of these hosts have public addresses that are NATed into the inside addresses. I can reach the webserver from the internet, but not from the LAB interface. I think I have to add a static command so that the LAB host can access the DMZ3 host without accessing the internet.
Oct 13, 2012
I need to configure a Cisco ASA5510. Connected to a single interface I have a switch. To this switch (same VLAN) there are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
I have so allowed any traffic incoming to the inside interface as follows: access-list inside_access_in extended permit ip any any, and I have permitted traffic intra-interface as follows: same-security-traffic permit intra-interface. [code] Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny at the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like "same-security-traffic permit intra-interface" only works if there are 2 interfaces and not a single one. Unfortunately I cannot just unplug the cable and connect it into another port as the IP is on the same subnet and I cannot configure the other end router.
May 6, 2012
I have an ASA5505 configured with internal network 192.168.15.0 and default gateway 192.168.15.1. From the inside network, I'm able to access the internet and able to ping all websites (enabled ping), and all internal network devices can ping each other. Except I cannot ping my gateway (ASA5505) 192.168.15.1. I'm continuously seeing this message in the log when I try to ping. How to fix this?
Denied ICMP type=8, code=0 from 192.168.15.xxx on interface inside
Replace xxx with my network devices that try to ping the gateway. I don't want outsiders pinging my gateway; I need ping for the inside internal network only.
Mar 29, 2011
I have inherited an ASA 5520. In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP. I am trying to understand the purpose of this route or why a route would be setup this way.
Example Static Route:
Inside 10.xx.31.0 255.255.255.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)
Jul 21, 2012
We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
Here is output from our syslog:
SyslogID Source IP Dest IP Description
305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers
172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly. Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved
:
ASA Version 7.2(3)
!
hostname [redacted]
[code].....
Feb 12, 2013
Trying to add inside routes on an ASA 5505 to point traffic to another gateway for other connected networks is resulting in the following error:
6 | Sep 16 2008 | 19:13:58 | 106015 | 10.184.236.126 | 50038 | 10.170.54.182 | 3389 | Deny TCP (no connection) from 10.184.236.126/50038 to 10.170.54.182/3389 flags RST on interface inside
I believe the problem is due to the asymmetric TCP connection and the ASA is dropping the connection because it only sees one half of the traffic. Is there a way we can stop the firewall dropping the TCP connections on the inside interface? I've tried removing the threat management which didn't work. The annoying thing is we're putting the ASA 5505s in to replace old Watchguard SOHO firewalls, only the Watchguards forwarded the traffic no problem at all.
Mar 9, 2011
An administrator wants to manage an ASA 5500 using the inside interface (telnet or ssh). Allowed telnet and ssh in the ASA 5500 but unable to get access from the administrator PC. Is there a way to do it without enabling NAT on the ASA? Will a specific rule on the ASA allow the administrator to access the ASA 5500 inside interface via ssh or telnet?
Jan 3, 2012
So I have an ASA 5510. The ASA is connected to the Internet through a PPPoE DSL modem.
The outside interface gets an IP. The inside interface gets, through DHCP from the ASA, the Internet DNS server (T-Online). But the host does not connect to the Internet because the DNS server times out.
Code...
Apr 6, 2011
I have a pair of 5505s in transparent mode and connected them to a C2960S. The inside interface (which is VLAN5 on the switchport) keeps dropping, going into error state. There is no log reference in the switch and the interface shows as UP. The standby ASA has no problem; both interfaces on the switch are up. As soon as I fail the units over, the active node's inside interface drops.
Nov 24, 2012
We already have a subnet defined on the inside interface and it is in production; the default gateway is this interface IP. In that setup I now have to add one more subnet, and as the first subnet has been defined on the ASA inside interface, I have to assign a secondary IP to the inside interface so that the new subnet users can easily reach here and go outside.
Apr 28, 2013
I need to monitor with ping the inside sub-interface of my ASA5540; is that possible? I get the ICMP requests but no replies going out from the box.
I need to ping the 192.168.10.250 from the 192.168.5.55:
ASA Version 8.0(5)
interface GigabitEthernet0/1
nameif inside
[Code].....
Jun 17, 2012
I'm trying to attach tacacs server (ACS Version 5.2) in server group on ASA 5520 (Version 8.4). When I test connection in ASDM (Version 6.4) between ASA and ACS it fails. The log message on ASA is:
%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.
Packet-tracer from ASA is:
InternetASA# packet-tracer input inside tcp 10.8.27.126 4444 10.8.48.10 49
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
[code]....
What access-list or implicit rule may be the reason for denying these packets?