Cisco WAN :: Performance Of ASA 5505 - Firewall Throughput
Oct 3, 2011
What is the difference between IP throughput, routing throughput and firewall throughput?
The reason is I am trying to spec a router for a mate who is setting up an online server for an old game, Ultima Online, which will have around 300-400 people each pulling around 10kb/sec.
I recommended an 880 series router, but when he spoke to a guy at the shop they said this would only run at 25mb/sec and he is plugging in to a 100MB/sec line.
But the current router, a home D-Link which cost at most 60 Euros, can pull 95mb/sec on a speed tester. I just don't get how a 60 Euro router can download quicker than a 300-400 Euro router.
They said to try an ASA5505, which can do 150MB/sec of firewall throughput.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers: [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.
What is the throughput and performance (mpps) of the NM-16ESW? I have a 3845 router. All I've found on the datasheet: "Delivers up to 200 Mbps of bandwidth (full duplex) Layer 2; forwards and filters at full wire speed on each port".
Does it mean "200 Mbps full-duplex aggregate bandwidth available for all 16 interfaces", i.e. the top limit of this network module? What is the throughput of a 3845 NM slot? NM-16ESW will be EOS by Nov 15, 2011. I could only find a replacement for the hardware except for the newer ISR G2 routers (SM modules).
I am interested in how the ASA 5585-X with SSP-60 operates in dual firewall mode. If I install two SSP-60 modules in the chassis, do I get one logical firewall with double the performance of one SSP-60?
We are experiencing performance issues on an ASR 1004 with ZBF as our campus edge router. Symptoms:
- Sending small packets from the inside zone to the outside zone, for example UDP packets without payload - this way I can generate up to 150,000 pps of traffic (testing with the packETH software, but we have had a real example with some kind of worm/virus).
- CPU load is about 1% (yes, one!) to 2% all the time!! (weird)
- ASR response to pings rises very quickly up to 5 seconds, which makes the box unusable, dropping everything that goes through ZBF (so the internet connection is gone).
- If I do the ping directly from the box, it seems to work fine (no rules from the self zone to the outside zone in ZBF).
- If I remove the interfaces from the inside and outside zones (so disabling ZBF) and do the test again, ASR response goes from normal (0.2ms) up to 2ms (still sending 150,000 pps) and everything seems to work fine.
According to Cisco datasheets, routing, QoS, ZBF etc. on the ASR 1000 with RP1 and ESP10 should be done in hardware with up to 17,000,000 pps performance.
I have a Cisco 881 (the model without WiFi) connected to a 100Mb unmanaged switch and a cable modem with a 120Mb down, 10Mb up connection. When I connect the modem directly to my laptop, I can reach the 120Mb/s download and 10Mb/s upload speed. When I connect the modem to the 881, the max download is about 30Mb/s. Upstream 10Mb is no problem. I've been trying to change the duplex and speed settings on the FastEthernet4 interface, but this only makes things worse. I should be able to get about 100Mb/s (since the switch is only 100), right?
The issue was about a Cisco ASA5510 Sec Plus with 2 interfaces, LAN and DMZ. Both are 1000 FD, with no interface errors like CRC or anything similar. If I start a data transfer (like FTP) or a data stream test (like Netperf) from DMZ to INSIDE I get a certain throughput. If I start the same from INSIDE to DMZ (same hosts), I get a throughput almost ten times slower. If I do the same using Netperf in UDP (not TCP) I get the same in both directions.
Does someone have some realistic performance numbers for an ASA 5505 on a mixed setup with local internet breakout and site-to-site VPN (and don't tell me 150 mbps 3DES throughput on a 100 mbps ethernet)? What can be expected in a live environment where we e.g. feed it with a 100 mbps internet connection, with a site-to-site VPN with e.g. 20 office workers running Office on a remote terminal server and mixed local internet breakout?
I'm new to the networking world and am trying to establish a baseline for my network. I'm running an ASA 5510 with 8.4(4); how can I measure throughput? In the ASDM there is a nice feature for CPU, and the show command on the CLI also provides good info about CPU, but how can I get the throughput on a per-port basis?
I'm not clear about the capabilities of the ASA 5510 GigE interfaces (eth0/0 and eth0/1) with and without IPSEC tunnels enabled.
This page [URL] shows a figure of 170Mbps 'Maximum 3DES/AES VPN Throughput'. Does that mean per IPSEC tunnel or for the whole interface if it is IPSEC-enabled?
Looking at the ASA spec sheets, the ASA 5510 has a firewall throughput of 300Mbps. Does this mean 300Mbps half duplex or full duplex?
We are looking to replace our current firewall. Peak traffic at the moment is 250Mbps upstream and 20Mbps downstream, max concurrent sessions is 24K. Will I need to look at a ASA 5520 for the replacement?
I'm having a throughput problem with a new ASA 5540 running version 8.2(1). When trying to access a database server using TCP port 1521 (SQL*Net) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0(3) with no problems for years. When I check the CPU usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing FTP throughput over the same interface and it was normal, with a ~320 Mbps average rate transferring a 500 MB file.
I have an ASA5580 with multiple interfaces. To replicate my databases to another site, I mainly use two interfaces on that firewall. Those interfaces run at a steady pace, around 95%.
I am wondering when I should consider that the throughput between those two interfaces is too much? Is there a good document that could explain this to me clearly?
Also I want to be sure that I won't affect the normal traffic between the other interfaces. Is there a way to guarantee certain traffic over others on an ASA? I don't have any router in my setup; the layer 3 role is performed by the ASA firewalls (static routes).
How do I measure the total throughput going via a 5585-X? It has a firewall throughput of 5Gbps. Looking at the aggregate of all the interface traffic going through it, it seems about 4gbps is going through.
I use the show traffic command and add up the transmit and receive traffic on each live interface. Is that the correct method, and are there any more commands?
I am having poor performance through an IPSec VPN between two Cisco ASA 5505s. In researching, I found some discussion about setting the MTU for the VPN. So from one side of the VPN tunnel, I tried pinging a host on the other side specifying the Don't Fragment flag and testing different packet sizes. I found that a size of 1398 is the largest packet size that results in a successful ping. So, I also understand that I should be able to set the MTU to 1426 (1398 + 28 bytes for the IP and ICMP headers). What I'm not 100% clear on is where all I need to set this. Do I set the MTU for the outside interface of the ASA that the VPN tunnel is going through, or do I also need to set the MTU for the inside interface, or on the outside interface and the switch port that the interface is connected to (the switch port is set to an MTU of 1500 as well)? My thoughts are that only the outside interface of each ASA needs the lower MTU (currently set at the default of 1500).
I have a Cisco PIX firewall that is connected to a cable modem with Time Warner Cable. I am supposed to have 35 down and 5 up for my speed on that modem. When I bypass the firewall and connect directly to the cable modem, I get download speeds in excess of 30 and upload speeds of about 5. However, when I connect via my workstation, which goes through the PIX, I am lucky to get speeds of 1.2 for download and 2-3.5 for upload. I am using a laptop to test. We have gigabit Cat5e cabling and gigabit switches.
Below are statements from the config. The interface lines are as below:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
mtu outside 1500
How can I adjust this so I can make use of the 30 speed of the modem?
We are suffering slow HTTPS traffic download. We have a Cisco ASA 5550, Cisco Adaptive Security Appliance Software Version 8.0(5)19. When we try to download some videos from an HTTPS server we get a data download rate of about 140 kbps, but if we bypass the firewall and put a laptop just after the border router, the data rate increases up to 350-400 kbps.
We configured a new interface in the firewall and connected a laptop directly to the port on the ASA 5550, with a new ACL permit ip any any, just for test purposes, but the data rate is still the same, 140 kbps.
We use MS RRAS services behind a Cisco ASA 5520. In testing the performance I have found that we can only get a little over 2MB of throughput when connected to the VPN server over a broadband connection. I have verified that the issue is not the RRAS server itself, as I can connect to the VPN from the LAN and the throughput tests at 300-400MB. I also connected to the LAN directly on the outside of the firewall and only get 4 or 5 MB from there, which does not seem right. None of the switches are showing any errors. I believe that I have the passthrough stuff set up as I should. I even went through these steps as recommended by Cisco:
hostname(config)# class-map pptp-port
hostname(config-cmap)# match port tcp eq 1723
hostname(config-cmap)# exit
hostname(config)# policy-map pptp_policy
hostname(config-pmap)# class pptp-port
hostname(config-pmap-c)# inspect pptp
hostname(config-pmap-c)# exit
hostname(config)# service-policy pptp_policy interface outside
I'm having slow performance through a site-to-site VPN. I have an ASA 5520 in each site with version 8.2(4) on both ASAs. I have a 20Mb internet service on one side and on the other side I have 50Mb. When I transfer a file from Site A to Site B I get a transfer rate of 130KB/s.
We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50), i.e. using IOS firewall (ZBF or CBAC) or an ASA 5505/5510. One of the arguments brought up for using the IOS firewall on the router is that a router will do an IP SLA failover. I have configured a number of ISRs for this and I know it works well.
I have a Cisco ASA 5505 in our office. We are currently using interface 0 for outside and 1 for inside. We only have 1 VLAN in our environment. We have two three switches behind the firewall. Today the uplink from the switch to interface 1 on the firewall went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?
I am setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch. BT have presented me with a Cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 GigabitEthernet ports on the back of the router. Port Gi0/0 is connected to the BT NTE and the status light is flashing green. Int Gi0/1 is connected into port e0/1 of the ASA, but I am unable to get any connection.
I have been working with the ASA 5510, 5520, 5540 and 5580 but not with the 5505; its VLANs and interfaces are quite confusing. I just want to know how it works and its connectivity to a Cisco switch. Do I have to put the interface of the switch in the same VLAN as the interface VLAN I am creating in the firewall? Should the switch port connecting to this Eth1 interface also be in the same VLAN, i.e. VLAN 3? Or will it be a trunk? The default configuration shows eth0 with no access VLAN and interface eth1 with access VLAN 2; does that mean eth0 is in VLAN 1 (the native VLAN)?
I have a Cisco ASA 5505 firewall. Is it possible to block secure websites in it, like [URL]? I have already tried regular expression filtering, but it filters only HTTP traffic.
I am trying to configure our ASA 5505 so that our users can access our FTP site using [URL] while inside the firewall. Our FTP site is set up so that you can reach it by either browsing to the above URL or by browsing to ftp://99.23.119.78, but we are unable to access our FTP site from either route while inside the firewall. We can access our FTP site using the internal IP address of 192.168.1.3.
Here is our current configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ATT
 security-level 0
 pppoe client vpdn group ATT
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
I am new to the ASA 5505 8.4 software version, but here is what I'm trying to do:
- Single static public IP: 16.2.3.4
- Need to PAT several ports to three separate servers behind the firewall
- One server houses email, PPTP server, FTP server and web services: 10.1.20.91
- One server houses DRAC management (port 445): 10.1.20.92
- One server is the IP phone server using a range of ports: 10.1.20.156
Basically, I need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
I'm integrating a Cisco ASA5505 with a Websense proxy. I have a configuration where we have four routers which are used for Internet access. There are two VLANs, Guest and Private. What I would like to achieve is making use of the available bandwidth by load distribution via GLBP, and filtering users' web traffic. Two routers will be used for a GLBP group in one VLAN, and the other two routers will be used for GLBP in the other VLAN. The users are connected to a Cisco 2960 switch and are in their respective VLANs. I'm planning an 802.1q trunk from the 2960 switch to the Cisco ASA, carrying both VLANs. What I would like to know is if there is a CSC module (or similar) which has Websense installed on it, and if it is possible to set up the ASA5505 in transparent mode to filter the traffic in this way? Hopefully this would allow multiple users to take advantage of the additional bandwidth, and not be restricted by a traditional proxy setup where all web traffic would originate from a single MAC address.
I have an issue with my firewall. Each time I configure a trunk port on the firewall and connect a 2960S switch, also with a trunk port, all the interfaces on the firewall go down (virtual interfaces, inside, outside, DMZ). Also, another switch, a 3750 that is connected to another port on the firewall (access port only), starts a new spanning tree negotiation. What could be causing this problem? I think the firewall didn't send a BPDU. The firewall's OS is 8.2.
We are planning on connecting a newly acquired company to ours soon. We will connect the remote site to the HQ via a D3. I've been told we will need to have a firewall between them and us for a time. I was thinking of terminating the D3 connection at the remote site of 80 users. Can I use the ASR as a firewall as well, to protect the HQ from the remote site, or should I use a separate appliance? I was thinking of an ASA5505, but am concerned with the bandwidth limitations of the box.
I want to configure an ASA 5505 in transparent mode (7.x). Somehow I got it to work, but I need some kind of step-by-step description. I just want to connect it with outside on a router and inside in my LAN. It's working now with one ASA, but in the web interface the inside and outside interfaces are down, even though it is working.