Bandwidth decrease in the inside network.

I just set up an ASA 5505; the ISP gives me 10MBPS.

When I do an internet speed test before applying an IM inspect class-map, I get approx. 8MB.

After setting up the IM inspection, the speed is reduced drastically to 2MBPS.

The ASA5505 has 1mb of RAM, the CPU never passes 10% and the memory in use is only 299MB.

The number of connections is low.

Is this OK? Could it be an error in the configuration?

7 Replies

Hello Rafael,

Please share the

show service-policy (with the IM inspection on)

Show running-configuration

We might need to take some captures.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Right now I have taken out the IM inspection rules.

When I want to add the IM inspection rule, I just add the rule in the Service Policy Rules. I tested adding this in class-default or in inspection_default.

The configuration screens are the following:


Hello Rafael,

I need the commands I sent you before.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is the config with the inspection enabled:

: Saved
: Written by enable_15 at 18:11:50.359 COST Sun Sep 2 2012
!
ASA Version 8.4(4)1
!
hostname ASA5505
names
!
interface Ethernet0/0
switchport access vlan 190
!
interface Ethernet0/1
switchport access vlan 200
!
interface Ethernet0/2
switchport access vlan 201
!
interface Ethernet0/3
description DVR-HOST
switchport access vlan 111
!
interface Ethernet0/4
switchport access vlan 172
!
interface Ethernet0/5
switchport trunk allowed vlan 11,111,172,190,200-201
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 172
!
interface Ethernet0/7
switchport access vlan 172
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan111
description DMZ for Servers
nameif dmz
security-level 50
ip address 192.168.111.1 255.255.255.0
!
interface Vlan172
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan190
description Telmex ISP
nameif isp1
security-level 0
ip address xxx.xxx.134.64 255.255.255.0
!
interface Vlan200
description UNE ISP
nameif isp2
security-level 0
ip address yyy.yyy.11.57 255.255.255.0
!
interface Vlan201
description Metrotel ISP
nameif isp3
security-level 0
ip address zzz.zzz.121.202 255.255.255.0
!
ftp mode passive
clock timezone COST -5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PCoIP-host
host 192.168.111.61
description PCoIP Host
object network web-mail-host
host 192.168.111.215
description Web and Mail Host
object network smtp-host
host 192.168.111.216
object network www-host
host 192.168.111.216
object network pop3s-host
host 192.168.111.216
object network dns-tcp-host
host 192.168.111.216
object network dns-udp-host
host 192.168.111.216
object network dvr-host
host 192.168.111.202
object network dmz-network
subnet 192.168.111.0 255.255.255.0
description DMZ
object network isp1-network
subnet xxx.xxx.134.0 255.255.255.0
description Telmex Network
object network vpn-network
range 10.47.75.50 10.47.75.69
description vpn
object network inside-isp1-network
subnet 172.16.1.0 255.255.255.0
object network inside-isp2-network
subnet 172.16.1.0 255.255.255.0
object network 10.10.10-isp1-network
subnet 10.10.10.0 255.255.255.0
object network 10.10.10-isp2-network
subnet 10.10.10.0 255.255.255.0
object network 192.168.10-isp1-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.10-isp2-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.15-isp1-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.15-isp2-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.50-isp1-network
subnet 192.168.50.0 255.255.255.0
description Internal Management Network
object network 192.168.50-isp2-network
subnet 192.168.50.0 255.255.255.0
description Internal Management Network
object network 192.168.100-isp1-network
subnet 192.168.100.0 255.255.255.0
object network 192.168.100-isp2-network
subnet 192.168.100.0 255.255.255.0
object-group protocol tcp-udp
protocol-object tcp
protocol-object udp
object-group protocol tcp-udp-icmp
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group service web-mail-services tcp-udp
port-object eq domain
port-object eq www
port-object eq 995
port-object eq 443
port-object eq 8080
object-group service vmware-view-services tcp-udp
port-object eq 4172
port-object eq 3389
port-object eq 22
access-list isp1-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp1-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list isp2-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp2-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list isp3-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp3-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list Split-Tunneling standard permit 192.168.111.0 255.255.255.0
access-list Split-Tunneling standard permit host xxx.xxx.134.215
pager lines 40
logging enable
logging asdm informational
mtu dmz 1500
mtu inside 1500
mtu isp1 1500
mtu isp2 1500
mtu isp3 1500
ip local pool vpnpool 10.47.75.50-10.47.75.69 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network PCoIP-host
nat (dmz,isp1) static xxx.xxx.134.61
object network helpdesk-host
nat (dmz,isp1) static xxx.xxx.134.48
object network web-mail-host
nat (dmz,isp1) static xxx.xxx.134.214
object network smtp-host
nat (dmz,isp2) static interface service tcp smtp smtp
object network www-host
nat (dmz,isp2) static interface service tcp www www
object network pop3s-host
nat (dmz,isp2) static interface service tcp 995 995
object network dns-tcp-host
nat (dmz,isp2) static interface service tcp domain domain
object network dns-udp-host
nat (dmz,isp2) static interface service udp domain domain
object network dvr-host
nat (dmz,isp3) static interface service tcp www 8080
object network dmz-network
nat (dmz,isp1) dynamic interface
object network vpn-network
nat (inside,isp1) dynamic interface
object network inside-isp1-network
nat (inside,isp1) dynamic interface
object network inside-isp2-network
nat (inside,isp2) dynamic interface
object network 10.10.10-isp1-network
nat (inside,isp1) dynamic interface
object network 10.10.10-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.10-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.10-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.15-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.15-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.50-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.50-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.100-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.100-isp2-network
nat (inside,isp2) dynamic interface
access-group isp1-in in interface isp1
access-group isp2-in in interface isp2
access-group isp3-in in interface isp3
route isp1 0.0.0.0 0.0.0.0 xxx.xxx.134.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 200.55.66.70 254
route inside 10.10.10.0 255.255.255.0 172.16.1.254 1
route inside 192.168.10.0 255.255.255.0 172.16.1.254 1
route inside 192.168.15.0 255.255.255.0 172.16.1.254 1
route inside 192.168.50.0 255.255.255.0 172.16.1.254 1
route inside 192.168.100.0 255.255.255.0 172.16.1.254 1
route isp2 yyy.yyy.224.254 255.255.255.255 yyy.yyy.11.1 1
route isp2 yyy.yyy.249.101 255.255.255.255 yyy.yyy.11.1 1
route isp1 xxx.xxx.2.66 255.255.255.255 xxx.xxx.134.1 1
route isp1 xxx.xxx.2.85 255.255.255.255 xxx.xxx.134.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho xxx.xxx.134.1 interface isp1
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 5

dhcpd address 172.16.1.50-172.16.1.54 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
webvpn
enable isp1
enable isp2
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyCon internal
group-policy GroupPolicy_AnyCon attributes
dns-server value 192.168.10.101
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunneling
default-domain none
webvpn
  anyconnect keep-installer none
group-policy VPNClient internal
group-policy VPNClient attributes
wins-server value 192.168.10.101
dns-server value 192.168.10.101
vpn-tunnel-protocol ikev1
default-domain value fffffffff
username user1 password .vQx4rek encrypted privilege 15
tunnel-group AnyCon type remote-access
tunnel-group AnyCon general-attributes
address-pool vpnpool
default-group-policy GroupPolicy_AnyCon
........
!
class-map type inspect im match-any MSN
description MSN y Yahoo
match protocol msn-im yahoo-im
match service chat file-transfer games voice-chat webcam
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect im MSN
description MSN y Yahoo
parameters
class MSN
  reset
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect im MSN
class class-default
  user-statistics accounting
  inspect im MSN
!
service-policy global_policy global
prompt hostname context
service call-home
no call-home reporting anonymous
call-home
contact-email-addr gggggggggg
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Hello Rafael,

show service-policy

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I did a test with different configs, with the same results:

the class MSN:

class-map type inspect im match-any MSN
 description MSN
 match protocol msn-im
!

I added the following config:
!ASA
!Single Routed
!17-Sep-12_16.43.41
!Preview CLI Commands 

policy-map global_policy
  class class-default
    inspect im MSN


After that:

interlinkfw# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 9302, drop 5, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 45288, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 161, drop 0, reset-drop 0
      Inspect: tftp, packet 10, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
    Class-map: class-default

      Default Queueing  Packet recieved 0, sent 0, attack 0
      Inspect: im MSN, packet 283, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface inside:
  Service-policy: http-https-traffic
    Class-map: voip-rtp
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
    Class-map: class-default
============================================
Then I tested the same thing with an inspection rule:
!ASA
!Single Routed
!17-Sep-12_16.46.08
!Preview CLI Commands 

policy-map global_policy
  class inspection_default
    inspect im MSN

interlinkfw# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 9366, drop 5, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 45512, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 161, drop 0, reset-drop 0
      Inspect: tftp, packet 12, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: im MSN, packet 243, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
    Class-map: class-default

      Default Queueing  Packet recieved 0, sent 0, attack 0

Interface inside:
  Service-policy: http-https-traffic
    Class-map: voip-rtp
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
    Class-map: class-default
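To read the two show service-policy captures above side by side, here is an added Python example; it is not from the thread and not a Cisco tool. It parses the output into policy / class / inspection counters, reports which class an inspection is attached to, and computes per-counter deltas between two captures. The two sample captures embedded in it are constructed, shortened copies of the ones posted above; the parser relies only on the `Service-policy:`, `Class-map:` and `Inspect:` line formats shown there, and the function names (`parse_service_policy`, `inspection_classes`, `counter_delta`) are mine.

```python
import re

# Two constructed captures modelled on the "show service-policy" output quoted
# in the thread. BEFORE has "inspect im MSN" under class-default, AFTER has it
# under inspection_default. Counters are shortened copies of the thread's.
BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 9302, drop 5, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 45288, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
    Class-map: class-default

      Default Queueing  Packet recieved 0, sent 0, attack 0
      Inspect: im MSN, packet 283, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface inside:
  Service-policy: http-https-traffic
    Class-map: voip-rtp
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
    Class-map: class-default
"""

AFTER = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 9366, drop 5, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 45512, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: im MSN, packet 243, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
    Class-map: class-default

      Default Queueing  Packet recieved 0, sent 0, attack 0
"""

# Line formats as they appear in the captures; "skinny ," carries a stray
# space before the comma, which the non-greedy name group tolerates.
POLICY_RE = re.compile(r"^\s*Service-policy:\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<name>.+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)


def parse_service_policy(text):
    """Return {policy: {class: {inspection: (packet, drop, reset_drop)}}}."""
    parsed = {}
    policy = cls = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy, cls = m.group(1), None
            parsed.setdefault(policy, {})
            continue
        m = CLASS_RE.match(line)
        if m and policy is not None:
            cls = m.group(1)
            parsed[policy].setdefault(cls, {})
            continue
        m = INSPECT_RE.match(line)
        if m and cls is not None:
            parsed[policy][cls][m["name"].strip()] = (
                int(m["packet"]), int(m["drop"]), int(m["reset"]))
    return parsed


def inspection_classes(parsed, policy, name):
    """Classes of `policy` that carry the inspection `name`."""
    return [cls for cls, insps in parsed.get(policy, {}).items() if name in insps]


def counter_delta(before, after, policy):
    """Packet-counter change per (class, inspection) between two captures.
    An inspection that moved to another class shows up as None, not a delta."""
    out = {}
    for cls, insps in after.get(policy, {}).items():
        for name, (pkt, _drop, _reset) in insps.items():
            prev = before.get(policy, {}).get(cls, {}).get(name)
            out[(cls, name)] = pkt - prev[0] if prev else None
    return out


if __name__ == "__main__":
    b, a = parse_service_policy(BEFORE), parse_service_policy(AFTER)
    print("im MSN before:", inspection_classes(b, "global_policy", "im MSN"))
    print("im MSN after: ", inspection_classes(a, "global_policy", "im MSN"))
    for key, delta in counter_delta(b, a, "global_policy").items():
        print(key, delta)
```

Taking a capture before and after a speed test and looking at the deltas shows which inspection engines the test traffic actually passed through; an `Inspect:` line under class-default means that engine is hooked onto flows that inspection_default did not match, which is exactly the placement the two captures differ in.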


Hello Rafael,

Let's do the following:

policy-map global_policy
 no class class-default

So we are just going to leave one IM inspection.

Should look like this:

policy-map type inspect im MSN
 description MSN y Yahoo
 parameters
 class MSN
  reset

class-map type inspect im match-any MSN
 description MSN y Yahoo
 match protocol msn-im yahoo-im
 match service chat file-transfer games voice-chat webcam

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect im MSN

Then do a clear local-host and check the speed test.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
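The end state Julio describes, a single IM inspection under inspection_default, can be checked mechanically before and after the change. The Python below is an added example, not part of the thread and not a Cisco tool. It parses the Layer 3/4 policy-map section of a running config (the embedded sample is constructed from the config posted earlier in the thread), flags any inspection attached to class-default and any inspection attached to more than one class of the same policy-map, and emits CLI that detaches the duplicate from class-default with `no inspect`. That is a narrower change than the `no class class-default` in Julio's reply, which also drops the `user-statistics accounting` line under that class. The function names (`parse_policy_maps`, `lint_policy_maps`, `remediation`) are mine.

```python
from collections import defaultdict

# Constructed excerpt modelled on the MPF section of the running config posted
# in the thread: "inspect im MSN" is attached to both inspection_default and
# class-default of global_policy. Indentation follows ASA's own layout.
SAMPLE_CONFIG = """\
class-map type inspect im match-any MSN
 description MSN y Yahoo
 match protocol msn-im yahoo-im
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect im MSN
 description MSN y Yahoo
 parameters
 class MSN
  reset
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect ip-options
  inspect im MSN
 class class-default
  user-statistics accounting
  inspect im MSN
!
service-policy global_policy global
"""


def parse_policy_maps(config):
    """Return {policy_map: {class: [inspection args, ...]}} for Layer 3/4
    policy-maps. 'policy-map type inspect ...' blocks are skipped. The parser
    keys on keywords rather than indentation, so it also copes with configs
    pasted into a forum with their leading spaces lost."""
    policies = {}
    current = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            args = line.split()[1:]
            if args[0] == "type":            # e.g. 'policy-map type inspect im MSN'
                current = cls = None
            else:
                current, cls = args[0], None
                policies.setdefault(current, {})
        elif line.startswith("class ") and current is not None:
            cls = line.split()[1]
            policies[current].setdefault(cls, [])
        elif line.startswith("inspect ") and cls is not None:
            policies[current][cls].append(line[len("inspect "):].strip())
        elif line.startswith(("class-map", "service-policy", "!")):
            current = cls = None             # left the policy-map block
    return policies


def lint_policy_maps(policies):
    """Findings as (kind, policy_map, classes, inspection) tuples: an
    inspection attached to class-default (it then hooks every flow not matched
    by an earlier class, not just the protocol's default ports) and the same
    inspection attached to more than one class of one policy-map."""
    findings = []
    for pmap, classes in policies.items():
        for insp in classes.get("class-default", []):
            findings.append(("inspect-in-class-default", pmap, "class-default", insp))
        where = defaultdict(list)
        for cls, insps in classes.items():
            for insp in insps:
                where[insp].append(cls)
        for insp, clist in where.items():
            if len(clist) > 1:
                findings.append(("duplicate-inspect", pmap, ",".join(clist), insp))
    return findings


def remediation(findings):
    """CLI that removes a duplicated inspection from class-default only,
    keeping the copy under the other class (inspection_default in the thread)."""
    cmds = []
    for kind, pmap, classes, insp in findings:
        if kind == "duplicate-inspect" and "class-default" in classes.split(","):
            cmds += [f"policy-map {pmap}", " class class-default", f"  no inspect {insp}"]
    return cmds


if __name__ == "__main__":
    found = lint_policy_maps(parse_policy_maps(SAMPLE_CONFIG))
    for item in found:
        print(*item)
    print("\n".join(remediation(found)))
```

Run it against `show running-config` output saved to a file and an empty findings list confirms that only one class carries `inspect im MSN`; rerun after the change and before the speed test so the two results can be compared against the same config.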