topic Re: delayed http lookups on 5505 in Network Security

delayed http lookups on 5505

wizumwalt — Mon, 11 Mar 2019 12:37:25 GMT

Hi,

I have recently replaced a netgear firewall for an ASA5505. Below is my

config. My problem is that when I browse the web from my linux box,

anytime I hit a new site, it seems to take about 30 seconds to a minute

to do the lookup before I can actually get to the site. The DNS entries are

correct, so I don't really know why else it takes so long.

Anyone have ideas?

# sh run

: Saved

ASA Version 7.2(3)

hostname myhomenet

domain-name network.local

enable password xxx

names

name 192.168.1.0 INSIDE

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd xxx

banner motd

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 73.x.x.205

name-server 68.x.x.98

domain-name network.local

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http INSIDE 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.1.11 255.255.255.255 inside

telnet timeout 10

ssh INSIDE 255.255.255.0 inside

ssh timeout 10

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.1.20-192.168.1.40 inside

dhcpd enable inside

username winky password xxx

encrypted privilege 15

prompt hostname context

Cryptochecksum:xxx

: end

Re: delayed http lookups on 5505

rjrii — Mon, 28 Apr 2008 13:53:03 GMT

What happens if you use an IP address rather than a URL in the web browser?

Re: delayed http lookups on 5505

wizumwalt — Tue, 29 Apr 2008 02:43:58 GMT

It's hard for me to say. When I put in the domain name, it always takes a while, but it seems 1 out of 5 tries using the ip address will load pretty quickly.

But for the most part, it takes just as long whether it's w/ a domain name or ip address.

Re: delayed http lookups on 5505

stlieser — Tue, 29 Apr 2008 06:50:40 GMT

Hi,

try:

dns domain-lookup outside

no dns domain-lookup inside

tcp-map MYTCPMAP

exceed-mss allow

class-map global-class

match any

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 2048

policy-map global_policy

class inspection_default

no inspect http

inspect dns preset_dns_map

class global-class

set connection advanced-options MYTCPMAP

Re: delayed http lookups on 5505

wizumwalt — Wed, 30 Apr 2008 01:21:20 GMT

Well, I tried entering these commands and ran up against the following errors ...

winky(config)# dns domain-lookup outside

winky(config)# no dns domain-lookup inside

winky(config)# tcp-map MYTCPMAP

winky(config-tcp-map)# exceed-mss allow

winky(config-tcp-map)# class-map global-class

winky(config-cmap)# match any

winky(config-cmap)# policy-map type inspect dns preset_dns_map

winky(config-pmap)# parameters

winky(config-pmap-p)# message-length maximum 2048

winky(config-pmap-p)# policy-map global_policy

winky(config-pmap)# class inspection_default

ERROR: % class-map inspection_default not configured

winky(config-pmap)# no inspect http

ERROR: % Invalid input detected at '^' marker.

Re: delayed http lookups on 5505

stlieser — Tue, 06 May 2008 07:51:14 GMT

Hi,

thats the name of the Default Inspection on your ASA. Its a name. Prove your name with "sh run".

In old PIX Version was the command "inspect...".

kind Regards

Ralf