ASA 5505 Slow Internet/Strict Nat/Settings

Kevin Ware — Tue, 12 Mar 2019 09:05:11 GMT

I've been scratching my head on this one for the past few days. I cannot figure it out and I'm sure it's something I'm missing. I could really use somebody's help.

So I recently installed a Cisco ASA 5505 and finally got it configured and up and running. I have internet access. However, it's extremely flakey and slow. Before hand I was getting 90~down and 25~up. Now it's 20~down (maybe) and 5~up. Also getting a STRICT NAT on my Xbox One.

Here's my network setup to kind of paint a picture.

------------------------------------------------------------------------------------------

ISP--> MODEM --> ASA 5505 --> PATCH PANEL --> CATALYST 3550 SWITCH

------------------------------------------------------------------------------------------

So the ISP goes to Modem, Modem goes into the ASA, the ASA goes into the Patch panel, then Patch panel to Cisco Switch. The other machines in the house go into the patch panel and then into the switch.

Also, my neighbor is our DHCP server. A CAT6 cable is running from his house to ours and plugs directly into the switch. That's never been an issue though.

Here's the Running-Config on the Catalyst 3550 Switch:

Current configuration : 4455 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname bmasswitch
!
enable secret 5 XXX.
!
no aaa new-model
ip subnet-zero
!
!
!
crypto pki trustpoint TP-self-signed-4155860992
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4155860992
revocation-check none
rsakeypair TP-self-signed-4155860992
!
!
crypto pki certificate chain TP-self-signed-4155860992
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313535 38363039 3932301E 170D3933 30333031 30303031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31353538
36303939 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C442 B3578F33 2B8941B1 BCF4D4E5 A09A926E D176104C 81B3E6E3 A21CB279
5EB9BC87 2222CE2A 8B41EAFB 26E7F85B 40EEA546 3298DE98 DC162E41 A4C2583B
F63EA522 10B0DADD D58770FC 6F50C04F 975FD969 E1D07F94 EB60E24B E9F0BC2D
9A3E1477 71751A25 DF6D6788 3299840E 5E4201FD E11139E5 FF2194E5 10296F15
04170203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B626D61 73737769 7463682E 301F0603 551D2304 18301680
14EF6569 8BFEAD3C 68F6CFA6 1A40A0B9 EE795FEA AE301D06 03551D0E 04160414
EF65698B FEAD3C68 F6CFA61A 40A0B9EE 795FEAAE 300D0609 2A864886 F70D0101
04050003 81810080 01862D72 83EC7319 59922A94 F46203F2 DF640071 C1A9F280
86C646FF 45AB7D14 9C13F10F 7149EDEF 9486602F 841864D8 DA683335 E0C80E3B
03A172EC 6DB665E1 5CCDA8BF 20B3176D B90EF134 B1288E3D FF693850 DCC3D8E2
5BB66523 889C7197 E0151357 85A3EA7A 1E48A2CB 24CF6A4E 8C7AFC7E 2A5C13F3
F10E3115 0F9282
quit
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/2
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/3
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/4
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/5
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/6
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/7
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/8
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/9
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/10
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/11
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/12
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/13
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/14
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/15
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/16
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/17
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/18
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/19
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/20
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/21
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/22
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/23
switchport mode dynamic desirable
speed 100
!
interface FastEthernet0/24
switchport mode dynamic desirable
speed 100
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip default-gateway XX.XX.XX.XX
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
banner motd ^Coto

***************************************************

UNAUTHORIZED ACCESS IS PROHIBITED!

***************************************************^C
!
line con 0
exec-timeout 30 0
password 7 XXX
logging synchronous
login
line vty 0 4
exec-timeout 30 0
password 7 XXX
logging synchronous
login
line vty 5 15
login
!
end

Running-Config on the ASA 5505:

ASA Version 8.2(5)
!
hostname bmas
domain-name nd.local
enable password XXX encrypted
passwd XXX encrypted
names
name XX.XX.XX.XX Xbox1 description Kevins Xbox
!
interface Ethernet0/0
switchport access vlan 11
speed 100
!
interface Ethernet0/1
speed 100
!
interface Ethernet0/2
speed 100
!
interface Ethernet0/3
speed 100
!
interface Ethernet0/4
speed 100
!
interface Ethernet0/5
speed 100
!
interface Ethernet0/6
speed 100
!
interface Ethernet0/7
speed 100
!
interface Vlan1
nameif inside
security-level 100
ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Vlan11
nameif Outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name nd.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Outside_access_in extended permit udp any host Xbox1 eq isakmp
access-list Outside_access_in extended permit udp any host Xbox1 eq 88
access-list Outside_access_in extended permit object-group TCPUDP any host Xbox1 eq 3074
access-list Outside_access_in extended permit object-group TCPUDP any host Xbox1 eq domain
access-list Outside_access_in extended permit tcp any host Xbox1 eq www
access-list Outside_access_in extended permit udp any host Xbox1 eq 3544
access-list Outside_access_in extended permit udp any host Xbox1 eq 4500
pager lines 24
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,Outside) udp interface isakmp Xbox1 isakmp netmask 255.255.255.255
static (inside,Outside) udp interface 88 Xbox1 88 netmask 255.255.255.255
static (inside,Outside) tcp interface 3074 Xbox1 3074 netmask 255.255.255.255
static (inside,Outside) udp interface 3074 Xbox1 3074 netmask 255.255.255.255
static (inside,Outside) tcp interface domain Xbox1 domain netmask 255.255.255.255
static (inside,Outside) udp interface domain Xbox1 domain netmask 255.255.255.255
static (inside,Outside) tcp interface www Xbox1 www netmask 255.255.255.255
static (inside,Outside) udp interface 3544 Xbox1 3544 netmask 255.255.255.255
static (inside,Outside) udp interface 4500 Xbox1 4500 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http XXX.XXX.XX.XX 255.255.255.255 inside
http XXX.XXX.XX.XX 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:36b0759fec664b1a3323dcfc1e968d89
: end

Here's the Interfaces on the ASA 5505:

Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
13914825 packets input, 15692491670 bytes, 0 no buffer
Received 1775589 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
104840 switch ingress policy drops
5194165 packets output, 617637394 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/1 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/3 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
5913814 packets input, 777750420 bytes, 0 no buffer
Received 473595 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
14889 switch ingress policy drops
12050570 packets output, 15565319160 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address XXXX, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

I apologize for the huge post but I'm trying to be thorough in hopes that someone out there can help me out.

Thank you all for reading.

topic ASA 5505 Slow Internet/Strict Nat/Settings in Network Security

ASA 5505 Slow Internet/Strict Nat/Settings