Cisco Firewall :: Low Internet Speeds On 2960 Behind ASA 5510
Aug 1, 2012
Users behind an ASA 5510 on both VLANs 10 and 20 have slow internet speeds (2Mbps down/170kbps up). The carrier provides 13Mbps down/5Mbps up, and speed tests on another port on the ASA give 9Mbps/5Mbps. There is no speed/duplex mismatch on the switch (Cisco 2960) that the ASA port is connected to. What else could possibly cause that? The Cisco 2960 is in VTP transparent mode. MTU on both VLANs is matched.
We have an ASA 5510 and are experiencing unbelievably slow speeds. I noticed a problem last Thursday with users complaining of slow speeds and realized our interface had a ton of errors and was running at half duplex. I contacted the ISP (we are connected to their 3750) and they swore up and down they were set to full. So they had me switch to full and the interface shut down. I asked them to switch to auto and the interface came back up and we went to full, and of course the errors and collisions stopped. However the errors and packet drops have not stopped. The ISP sent out a technician and they determined it wasn't a problem on their end by plugging in a laptop and testing the speed--that worked fine. Eventually I plugged in a Sonicwall and bypassed the ASA completely and that worked fine. We plugged the ASA back in and we went back to dropping packets. I put an old config on the ASA and oddly enough it seemed to have fixed the problem, but we were still dropping packets. So I put the most recent config back on and that worked fine up until today. We're back in the same boat we were last week. So my first question is: when I do a show int and see packets dropped, is that normal because of ACLs etc., or would that be shown in another place? Here's an output of show int and show asp drop:
HQ-ASA# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)                      3366
  NAT-T keepalive message (natt-keepalive)                           423
  First TCP packet not SYN (tcp-not-syn)                             406
  TCP failed 3 way handshake (tcp-3whs-failed)                       135
  TCP RST/FIN out of order (tcp-rstfin-ooo)                          462
  TCP SYNACK on established conn (tcp-synack-ooo)                     46
  TCP packet SEQ past window (tcp-seq-past-win)                       50
  TCP invalid ACK (tcp-invalid-ack)                                    9
  TCP Out-of-Order packet buffer full (tcp-buffer-full)               29
  TCP Out-of-Order packet buffer timeout (tcp-buffer-
[code]....
I have not made any configuration changes to the ASA in a couple of months. The interface counters were cleared about 45 minutes ago, if that's how quickly the errors/packet drops are adding up.
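The post above asks whether the drop counters in "show asp drop" are normal. A practical way to answer that is to take two snapshots, diff the cumulative counters, and look only at the reasons that indicate a path problem rather than policy doing its job. The script below is an added example, not code from the original post or from Cisco: it parses the text layout shown above, computes per-reason deltas, and flags TCP state-tracking drops (tcp-not-syn, tcp-3whs-failed, the out-of-order family) that grow faster than a chosen rate. The first snapshot reuses the counts quoted in the post; the second snapshot and the 45-minute interval are constructed values, and the threshold of 5 drops per minute is an assumption for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshot in the layout the ASA prints for "show asp drop":
# a section header, then one drop reason per line with its "(short-name)" tag
# and a cumulative counter. The reasons and counts are the ones quoted in the post.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                   3366
  NAT-T keepalive message (natt-keepalive)                        423
  First TCP packet not SYN (tcp-not-syn)                          406
  TCP failed 3 way handshake (tcp-3whs-failed)                    135
  TCP RST/FIN out of order (tcp-rstfin-ooo)                       462
  TCP SYNACK on established conn (tcp-synack-ooo)                  46
  TCP packet SEQ past window (tcp-seq-past-win)                    50
  TCP invalid ACK (tcp-invalid-ack)                                 9
  TCP Out-of-Order packet buffer full (tcp-buffer-full)            29
"""

# Constructed second snapshot taken 45 minutes later (assumed values, not from the post).
SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                   3400
  NAT-T keepalive message (natt-keepalive)                        430
  First TCP packet not SYN (tcp-not-syn)                         1206
  TCP failed 3 way handshake (tcp-3whs-failed)                    535
  TCP RST/FIN out of order (tcp-rstfin-ooo)                       470
  TCP SYNACK on established conn (tcp-synack-ooo)                  47
  TCP packet SEQ past window (tcp-seq-past-win)                    52
  TCP invalid ACK (tcp-invalid-ack)                                 9
  TCP Out-of-Order packet buffer full (tcp-buffer-full)            31
  Interface is down (interface-down)                                4
"""

# One drop line: free-text description, "(short-name)", trailing integer counter.
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

# acl-drop and natt-keepalive grow under normal operation (policy doing its job).
# The TCP state-tracking reasons grow when packets of a flow are lost or arrive
# on the wrong path: asymmetric routing, a duplex mismatch, or a lossy uplink.
BENIGN = {"acl-drop", "natt-keepalive"}
PATH_HEALTH = {"tcp-not-syn", "tcp-3whs-failed", "tcp-rstfin-ooo", "tcp-synack-ooo",
               "tcp-seq-past-win", "tcp-invalid-ack", "tcp-buffer-full",
               "tcp-buffer-timeout"}


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {short-name: counter} for every drop line in a 'show asp drop' dump."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def drop_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-reason increase between two snapshots. A reason that first appears in
    'after' counts from zero, because the counters are cumulative until cleared."""
    return {name: count - before.get(name, 0) for name, count in after.items()}


def path_health_alerts(deltas: Dict[str, int], interval_min: float,
                       per_min_threshold: float) -> List[Tuple[str, float]]:
    """PATH_HEALTH reasons whose drop rate exceeds the threshold, highest rate first."""
    alerts = []
    for name, delta in deltas.items():
        if name in PATH_HEALTH:
            rate = delta / interval_min
            if rate > per_min_threshold:
                alerts.append((name, rate))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


if __name__ == "__main__":
    t0, t1 = parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1)
    for name, rate in path_health_alerts(drop_deltas(t0, t1), 45, 5.0):
        print(f"{name}: {rate:.1f} drops/min")
```

With the constructed numbers, tcp-not-syn and tcp-3whs-failed are the only reasons over the threshold; a steady acl-drop increase is expected on any firewall with a deny rule and does not by itself explain throughput loss.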
I have installed a new ASA 5510 on our internal network as a termination point for our VPN connections. This ASA replaces the VPN termination on our outside ASA. I have set up a VPN group profile and enabled DTLS on the interface on this ASA. The only interface on this ASA is the inside interface. We have done speed tests while on the VPN from both devices. When connecting to the VPN on the outside ASA, speed tests show download speeds between 5-8 Mbps and upload speeds of .80-.96 Mbps. When connecting to the VPN on the inside ASA, speed tests show download speeds between 2-3 Mbps and upload speeds of .76 Mbps. When I run the "show web-session svc" command on both instances I see that the connection to the firewall on the outside shows that the protocol being used is DTLS; however, on the inside it doesn't show DTLS.
I think that part of the problem is that DTLS isn't being used. What can I do to improve my download speeds? Will the ASA use DTLS if the interface that is being used is the inside interface?
I have two 5520s in a failover configuration. When browsing the internet behind them the speeds average 0.5Mb/1.0Mb Download/Upload. When bypassing the ASAs the speeds increase to 4Mb/6Mb. I have checked the interfaces on the ASAs and there are no errors, collisions, drops, etc.
Our internet connection is connected to an ASA. The download speed is OK but the upload is very slow. We have been running some speed tests from our LAN, and have also been trying to upload/download files.
Our ASA also has the IPS module. I turned this off but we've got the same result.
I attach the configuration file of the ASA here.
I have a mysterious problem with my Internet connection. The edge topology is in the attachment, as are the most important "show" commands. We have a 50Mb/s symmetric Internet connection. When we use the Internet through the ASA the download speed does not exceed 3Mb/s, whereas the upstream is at about 45Mb/s. When we connect our LAN directly to the 2960 the downstream increases dramatically up to 47Mb/s, whereas the upstream remains at about 45Mb/s. Duplex is manually set to 1000/full on all interfaces. All that I have noticed are dropped packets on the outside interface (Gi0/0). The reason is unclear.
I have a synchronous 10 Mb connection to my ISP which I have connected to a Cisco ASA 5510. I have done a lot of testing and there is a very noticeable difference in my upload/download speeds. When I connect a laptop directly to the cable from my ISP's equipment and have the NIC set to autosense, I get similar results for download/upload speeds: I have tested and get 9 plus down and 8 plus up. When I either connect the ASA directly to this cable and set it to either 100/Full or autosense, OR I place a non-managed switch in between the ASA and the ISP's equipment, my upload speed drops dramatically. The download speed stays about the same, 8 Mb plus, but my upload falls off the face of the earth and drops to about 1Mb. I have noticed this many times when I am going from a Cisco 800 series router to a Cisco ASA. This is severely limiting my ability to perform replication out from my locale.
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. I tried lots of things but users are still not able to access the internet, nor can I ping anywhere. For example, when I ping 4.2.2.2 I don't get any reply. The running config is below for your reference:
My ASA 5510 IOS version is 8.4.2 and the CSC IOS version is 6.6.1125. I configured ACLs and class maps to forward all HTTP, HTTPS, SMTP, POP3 and FTP traffic to the CSC. My issue is that my CSC is not getting updates from the internet, and some email sites like Webmail and Gmail do not go forward after entering credentials. If I remove the ACL belonging to HTTPS, everything works fine (the CSC updates well and all email sites are working).
I implemented an ASA 5510 with the latest software version. I configured the outside interface, default route, and PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA, but the internet is not working. Did I miss any configuration? I enabled ICMP to outside. I did a ping to the next hop from the ASA, but it is not working.
I can't seem to get internet access working from the DMZ network through our ASA 5510. PCs on the DMZ can ping the ASA but can't get out to the internet. I will attach a (cleaned) config.
We are in the process of getting two new connections pulled in that I would like to utilize in the following configuration.
DS3 - 45/45 I would like to use this circuit for all of our servers to NAT out of as well as our VPN tunnel to our remote site. It will be much more reliable than our cable line.
Cable Internet - 50/10 I would like to use this for all internet traffic that users generate. I would like to be able to fail over to the DS3 if this line goes down.
To get all traffic go out the cable line would take a dynamic NAT rule and a default route. How would I automate a failover to the DS3 with a backup route and dynamic NAT rule?
I understand that if the DS3 goes down it will take manual intervention to bring the tunnel back up and servers with static NAT will need reconfiguration.
I can get access to the internet from the ASA 5510 itself and that is confirmed via pings. However, anything behind the ASA does not have internet access, on any VLAN/sub-interface. I've attached my running-config.
The set-up is: a DSL modem in half bridge (it does all the PPPoE connection) passes our static IP (55.167.x.x) to the ASA's outside interface ... (the modem has an IP of 192.168.1.1, but not sure this matters).
Then I have one inside interface on 192.168.43.1, which connects to a server, and we have a working site-to-site VPN between this server and a client, so I know most of it's set up right ... nothing else is on the 192.168.43.0/24 network.
The management interface is on 200.200.1.0/24 so it's out of the way, and incidentally connected to a dedicated PC, which also has console access via the blue serial cable.
The last interface, Main_Network, is on the 192.168.0.0/24 network and it's this that I'm trying to get to work... at the moment I just have one Windows PC connected directly (does it need to go through a switch?) into the ASA for testing with a static IP (192.168.0.72), but I can't ping anything outside from the PC... only the ASA's interface (at 192.168.0.30). I have the gateway on the PC set as 192.168.0.30, by the way.
The ASA can ping all the inside machines and anything I like outside.
Here's my config ... the static routes are there for when this replaces the current modem/router and the whole network plugs into the ASA.
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
I lost the ability for my Web server (or any servers in the DMZ) to access the Internet. However, the Web server is still being used fine from the Internet. Here is my config
I have installed an ASA 5510 to limit sessions of users to 170. But as soon as I put it in front of the network, before the router, the Internet goes down and I cannot browse or anything.
The network is simple, Cisco three layer model with users on Wired LAN/Wireless LAN using WLC. Approx 2500-3000 users.
My Belkin F7D4301 router has a fastest wireless speed of maybe 2MBps, but wired with a Cat5e cable to my Asus laptop it gets almost 7MBps. I have one smart TV, one Blu-ray player, one Roku, and a Nexus 7 using the 2.4 channel.
My Wireless 2.4 settings are channel 11, Extension channel 7, Wireless mode N (have tried with just g and b, g, and n modes), Bandwidth 20/40, Protected mode on, QOS off.
I've talked to Belkin tech support; they are the ones who had me set up my 2.4 channel this way, but my wireless speeds stay just under 2MBps. They just want to keep sending me the same model router because they think each of the new ones they send me is defective.
Am I doing something wrong or is 2MBps the best wireless speed I'm going to get?
I had an experience this week of installing a 5510 ASA with 8.4.3, and also tried 8.4.4(1), with the strange effect that I randomly was losing contact with the internet. The interface stayed up/up, no errors or anything whatsoever on the interface. Reseating the DSL wire gave no result. Reseating the outside interface cable made it work again, and after some time it lost connectivity again. It did not recover by itself, so I had to let someone do a reseat again and again and.... The outside was using the DHCP client. A lease was given and an IP also. Nothing strange to find. I talked to the provider, who could see the DSL and the DHCP lease. Finally I downgraded the firmware to 8.4.2 and the problem was solved.
I have recently made some changes to my ASA 5510 (not sure what). I was previously able to ping URLs, and I am now not able to ping anything on the Internet, but Internet connectivity works perfectly.
We are using an ASA 5510 as our gateway to our ISP. All of our VoIP traffic is sent to an Internet SIP provider for our outbound calls. Our pipe to the Internet is 100Mbps metro ethernet. I am trying to find a way to provide QoS for this traffic so that I can reserve 20Mbps of the available 100Mbps pipe for VoIP traffic. From what I've been able to figure out so far, I would use a combination of priority queues and traffic policing. However, it seems that this is nearly impossible to accomplish because I cannot control the remote device that my ASA connects to, because it is the ISP device. I could police traffic on the inside interface of the ASA. However, let's say that a client on our network starts downloading from an Internet host and the downloaded traffic saturates my Internet connection. I could police this incoming (from the Internet) traffic on the outside interface of the firewall. This would drop the packets, but the bandwidth would have already been used by the time it reaches my firewall. Would the fact that I'm policing incoming traffic on my outside interface cause the sender to throttle down their transmit rate because packets are being dropped? Would this achieve my goal of guaranteeing available bandwidth for my VoIP traffic by not allowing other traffic to saturate the link? Most documents I find regarding this topic describe providing QoS for VoIP traffic traversing a VPN connection, in which case you could configure both end devices.
We have a Cisco ASA 5510 with 256MB RAM running 8.2.4 with CSC 6.3.1172.4. It slows down internet traffic drastically; when we do a speed test we get something like this. If the computer is bypassing the CSC, it gets this. This was done when there's very low traffic on the LAN and CPU usage on the CSC is low. The CSC has been re-imaged also, but that still doesn't solve the problem.
I have an ASA 5510. I am doing a new install at our new data center. I am having trouble getting internet access from an inside LAN interface to the outside WAN interface. Our colo center has given us the below IP info. [code] If I do a static config on my laptop of IP 198.145.XXX.82, mask 255.255.255.240, DG 198.145.XXX.81, I am able to get the web fine from the line in our rack. I used the ASDM software to set up the ASA. I set its WAN IP to 198.145.XXX.82 and mask to 255.255.255.40 for interface 0/0. For interface 0/1 I made a management LAN of 192.168.180.1 with a mask of 255.255.255.0. I can connect to my LAN OK but do not have outside internet access. I have also tried .80 and .81 for the WAN IP of the ASA. [code]
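The post above (and the earlier one with a PC at 192.168.0.72 and gateway 192.168.0.30) both come down to whether the address, mask and gateway on an interface are consistent with each other. The check below is an added example, not code from the original posts or from Cisco: it uses Python's standard ipaddress module to reject non-contiguous masks (a dotted mask such as 255.255.255.40 is not a valid netmask, which is why the verifier rejects it), and otherwise confirms that the gateway lies inside the resulting subnet and that the host address is not the network or broadcast address. The addresses in the sample calls are constructed from the 198.51.100.0/24 documentation range and the private ranges in the posts; the colo's real addresses are masked on the page and are not reproduced here.

```python
import ipaddress
from typing import List


def check_host_addressing(ip: str, mask: str, gateway: str) -> List[str]:
    """Return a list of problems with an (address, dotted mask, gateway) trio.
    An empty list means the three values are mutually consistent."""
    problems: List[str] = []
    try:
        # strict=False lets a host address stand in for the network address.
        # A non-contiguous mask raises NetmaskValueError (a ValueError subclass).
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:
        return [f"invalid mask {mask}: {exc}"]

    host = ipaddress.IPv4Address(ip)
    gw = ipaddress.IPv4Address(gateway)

    # In anything larger than a /31 the first and last addresses are not usable hosts.
    if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net.with_prefixlen}")

    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net.with_prefixlen}")
    elif gw == host:
        problems.append(f"gateway {gateway} is the host's own address")
    return problems


if __name__ == "__main__":
    # Constructed sample trios: the laptop settings that worked, the mask as typed
    # for the ASA WAN interface, and the PC/gateway pair from the other post.
    for trio in [("198.51.100.82", "255.255.255.240", "198.51.100.81"),
                 ("198.51.100.82", "255.255.255.40", "198.51.100.81"),
                 ("198.51.100.80", "255.255.255.240", "198.51.100.81"),
                 ("192.168.0.72", "255.255.255.0", "192.168.0.30")]:
        print(trio, check_host_addressing(*trio) or "ok")
```

A /28 starting at .80 covers .80 through .95, so .80 is the network address and .95 the broadcast; .81 as the gateway and .82 as the host are the first two usable addresses, which is what the laptop test used.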
I have to configure a factory-default firewall (ASA 5510) in a simple scenario like this image represents. At this moment I have configured the interfaces as represented above, and what I want now is to grant access from a LAN computer (10.10.0.0/24) to the internet.
Should I configure some ACL? I read that all traffic from an interface with a higher security level to another interface is allowed, so since my inside interface has a security level of 100 and the outside 0, it should be possible to access the internet from an inside computer?!
From all the configurations and examples I have seen around, they all contemplate a fixed IP address from the ISP, but in my scenario I have a dynamic one. Does this fact matter for the configuration I want to do?
My firewall is running the software version 8.2(5).
I need to route to subnets from 2 different ASA interfaces. The ASA also has an outside interface that works as the gateway for internet access. Here is my configuration:
ASA Version 8.2(1)
hostname ICE3
names
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 201.199.xxx.xx 255.255.255.248
[Code]....
We have installed an ASA 5510 with 3 interfaces: dmz (web server 172.20.0.59; application server 172.20.0.58; mail server 172.20.0.157), inside (LAN) and outside (connected to a router for the internet connection). The problem is that the internet connection is slow on the inside (LAN). Our DNS is on the outside with IP address x.x.x.60 (the DNS has a translated address to inside and dmz, 172.20.0.60). The router connected to our ISP has x.x.x.33 (our default gateway for the internet). There is a simple switch between the firewall and the router. The inside interface of the ASA is connected to a Cisco Catalyst 6509 (the gigabit interface of the 6509 is configured to auto speed and duplex). The ASA has the base license. Here is the configuration of the ASA and the output of the commands show interfaces (inside, outside), show asp drop, and show perform.
firewall# show run
ASA Version 8.2(1)
!
hostname firewall
domain-name xxx.xx
enable password dgft12ghkHKM123Z encrypted
passwd dgft12ghkHKM123Z encrypted
names
We need to deploy a Cisco ASA 5510 behind the Internet-facing router for Remote Access VPN (RAVPN). We bought a block of 16 IPs (in a different subnet) which is routed through the main router (69.x.x.x), and configured the outside interface of the ASA with a public IP 64.x.x.x and subnet mask 255.255.255.240. Below is the network structure.
I have an ASA 5510. I set up a basic configuration to test the internet with 2 ISPs. My first line works without any problem, but my second line doesn't work. Even when I wipe the configuration and set up only my second ISP, the internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com
What we are trying to accomplish here is to use two ISPs (one cable and one T1): use the cable line for site-to-site VPN and use the T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco ASA 5510 port 0 -> port 1 to LAN switch (Nortel 5510). We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc.) through a cable connection, perhaps on port 2 of the ASA, and then all non-VPN traffic goes to the T1.