09-14-2012 03:43 PM - edited 03-11-2019 04:54 PM
I just set up an ASA5505; the ISP gives me 10MBPS.
When I do an internet speed test before applying an IM inspect class-map, I get 8MB approx.
After setting up the IM inspection, the speed is reduced drastically to 2MBPS.
The ASA5505 has 1mb of RAM, the CPU never passes 10%, and the memory in use is only 299MB.
The number of connections is low.
Is this OK? Could there be an error in the configuration?
09-14-2012 04:30 PM
Hello Rafael,
Please share the following (with the IM inspection on):
show service-policy
show running-config
We might need to take some captures.
Julio
09-17-2012 08:41 AM
Right now I have taken out the IM inspection rules.
When I want to add the IM inspection rule, I just add the rule in the Service Policy Rules. I tested adding this in class-default and in inspection_default.
The configuration screens are the following:
09-17-2012 09:06 AM
Hello Rafael,
I need the commands I sent you before.
09-17-2012 09:22 AM
This is the config with the inspection enabled:
: Saved
: Written by enable_15 at 18:11:50.359 COST Sun Sep 2 2012
!
ASA Version 8.4(4)1
!
hostname ASA5505
names
!
interface Ethernet0/0
switchport access vlan 190
!
interface Ethernet0/1
switchport access vlan 200
!
interface Ethernet0/2
switchport access vlan 201
!
interface Ethernet0/3
description DVR-HOST
switchport access vlan 111
!
interface Ethernet0/4
switchport access vlan 172
!
interface Ethernet0/5
switchport trunk allowed vlan 11,111,172,190,200-201
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 172
!
interface Ethernet0/7
switchport access vlan 172
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan111
description DMZ for Servers
nameif dmz
security-level 50
ip address 192.168.111.1 255.255.255.0
!
interface Vlan172
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan190
description Telmex ISP
nameif isp1
security-level 0
ip address xxx.xxx.134.64 255.255.255.0
!
interface Vlan200
description UNE ISP
nameif isp2
security-level 0
ip address yyy.yyy.11.57 255.255.255.0
!
interface Vlan201
description Metrotel ISP
nameif isp3
security-level 0
ip address zzz.zzz.121.202 255.255.255.0
!
ftp mode passive
clock timezone COST -5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PCoIP-host
host 192.168.111.61
description PCoIP Host
object network web-mail-host
host 192.168.111.215
description Web and Mail Host
object network smtp-host
host 192.168.111.216
object network www-host
host 192.168.111.216
object network pop3s-host
host 192.168.111.216
object network dns-tcp-host
host 192.168.111.216
object network dns-udp-host
host 192.168.111.216
object network dvr-host
host 192.168.111.202
object network dmz-network
subnet 192.168.111.0 255.255.255.0
description DMZ
object network isp1-network
subnet xxx.xxx.134.0 255.255.255.0
description Telmex Network
object network vpn-network
range 10.47.75.50 10.47.75.69
description vpn
object network inside-isp1-network
subnet 172.16.1.0 255.255.255.0
object network inside-isp2-network
subnet 172.16.1.0 255.255.255.0
object network 10.10.10-isp1-network
subnet 10.10.10.0 255.255.255.0
object network 10.10.10-isp2-network
subnet 10.10.10.0 255.255.255.0
object network 192.168.10-isp1-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.10-isp2-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.15-isp1-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.15-isp2-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.50-isp1-network
subnet 192.168.50.0 255.255.255.0
description Internal Management Network
object network 192.168.50-isp2-network
subnet 192.168.50.0 255.255.255.0
description Internal Management Network
object network 192.168.100-isp1-network
subnet 192.168.100.0 255.255.255.0
object network 192.168.100-isp2-network
subnet 192.168.100.0 255.255.255.0
object-group protocol tcp-udp
protocol-object tcp
protocol-object udp
object-group protocol tcp-udp-icmp
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group service web-mail-services tcp-udp
port-object eq domain
port-object eq www
port-object eq 995
port-object eq 443
port-object eq 8080
object-group service vmware-view-services tcp-udp
port-object eq 4172
port-object eq 3389
port-object eq 22
access-list isp1-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp1-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list isp2-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp2-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list isp3-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp3-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list Split-Tunneling standard permit 192.168.111.0 255.255.255.0
access-list Split-Tunneling standard permit host xxx.xxx.134.215
pager lines 40
logging enable
logging asdm informational
mtu dmz 1500
mtu inside 1500
mtu isp1 1500
mtu isp2 1500
mtu isp3 1500
ip local pool vpnpool 10.47.75.50-10.47.75.69 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network PCoIP-host
nat (dmz,isp1) static xxx.xxx.134.61
object network helpdesk-host
nat (dmz,isp1) static xxx.xxx.134.48
object network web-mail-host
nat (dmz,isp1) static xxx.xxx.134.214
object network smtp-host
nat (dmz,isp2) static interface service tcp smtp smtp
object network www-host
nat (dmz,isp2) static interface service tcp www www
object network pop3s-host
nat (dmz,isp2) static interface service tcp 995 995
object network dns-tcp-host
nat (dmz,isp2) static interface service tcp domain domain
object network dns-udp-host
nat (dmz,isp2) static interface service udp domain domain
object network dvr-host
nat (dmz,isp3) static interface service tcp www 8080
object network dmz-network
nat (dmz,isp1) dynamic interface
object network vpn-network
nat (inside,isp1) dynamic interface
object network inside-isp1-network
nat (inside,isp1) dynamic interface
object network inside-isp2-network
nat (inside,isp2) dynamic interface
object network 10.10.10-isp1-network
nat (inside,isp1) dynamic interface
object network 10.10.10-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.10-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.10-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.15-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.15-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.50-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.50-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.100-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.100-isp2-network
nat (inside,isp2) dynamic interface
access-group isp1-in in interface isp1
access-group isp2-in in interface isp2
access-group isp3-in in interface isp3
route isp1 0.0.0.0 0.0.0.0 xxx.xxx.134.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 200.55.66.70 254
route inside 10.10.10.0 255.255.255.0 172.16.1.254 1
route inside 192.168.10.0 255.255.255.0 172.16.1.254 1
route inside 192.168.15.0 255.255.255.0 172.16.1.254 1
route inside 192.168.50.0 255.255.255.0 172.16.1.254 1
route inside 192.168.100.0 255.255.255.0 172.16.1.254 1
route isp2 yyy.yyy.224.254 255.255.255.255 yyy.yyy.11.1 1
route isp2 yyy.yyy.249.101 255.255.255.255 yyy.yyy.11.1 1
route isp1 xxx.xxx.2.66 255.255.255.255 xxx.xxx.134.1 1
route isp1 xxx.xxx.2.85 255.255.255.255 xxx.xxx.134.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho xxx.xxx.134.1 interface isp1
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 5
dhcpd address 172.16.1.50-172.16.1.54 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
webvpn
enable isp1
enable isp2
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyCon internal
group-policy GroupPolicy_AnyCon attributes
dns-server value 192.168.10.101
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunneling
default-domain none
webvpn
anyconnect keep-installer none
group-policy VPNClient internal
group-policy VPNClient attributes
wins-server value 192.168.10.101
dns-server value 192.168.10.101
vpn-tunnel-protocol ikev1
default-domain value fffffffff
username user1 password .vQx4rek encrypted privilege 15
tunnel-group AnyCon type remote-access
tunnel-group AnyCon general-attributes
address-pool vpnpool
default-group-policy GroupPolicy_AnyCon
........
!
class-map type inspect im match-any MSN
description MSN y Yahoo
match protocol msn-im yahoo-im
match service chat file-transfer games voice-chat webcam
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im MSN
description MSN y Yahoo
parameters
class MSN
reset
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect im MSN
class class-default
user-statistics accounting
inspect im MSN
!
service-policy global_policy global
prompt hostname context
service call-home
no call-home reporting anonymous
call-home
contact-email-addr gggggggggg
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
09-17-2012 09:29 AM
Hello Rafael,
show service-policy
09-17-2012 09:59 AM
I did a test with different configs, with the same results:
The class MSN:
class-map type inspect im match-any MSN
description MSN
match protocol msn-im
!
!
I added the following config:
!ASA
!Single Routed
!17-Sep-12_16.43.41
!Preview CLI Commands
policy-map global_policy
class class-default
inspect im MSN
After that:
interlinkfw# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 9302, drop 5, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 45288, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 161, drop 0, reset-drop 0
Inspect: tftp, packet 10, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Class-map: class-default
Default Queueing Packet recieved 0, sent 0, attack 0
Inspect: im MSN, packet 283, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface inside:
Service-policy: http-https-traffic
Class-map: voip-rtp
Priority:
Interface inside: aggregate drop 0, aggregate transmit 0
Class-map: class-default
============================================
Then I tested the same thing with an inspection rule:
!ASA
!Single Routed
!17-Sep-12_16.46.08
!Preview CLI Commands
policy-map global_policy
class inspection_default
inspect im MSN
interlinkfw# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 9366, drop 5, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 45512, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 161, drop 0, reset-drop 0
Inspect: tftp, packet 12, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: im MSN, packet 243, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Class-map: class-default
Default Queueing Packet recieved 0, sent 0, attack 0
Interface inside:
Service-policy: http-https-traffic
Class-map: voip-rtp
Priority:
Interface inside: aggregate drop 0, aggregate transmit 0
Class-map: class-default
09-17-2012 10:18 AM
Hello Rafael,
Let's do the following:
policy-map global_policy
no class class-default
So we are just going to leave one IM inspection.
It should look like this:
policy-map type inspect im MSN
description MSN y Yahoo
parameters
class MSN
reset
class-map type inspect im match-any MSN
description MSN y Yahoo
match protocol msn-im yahoo-im
match service chat file-transfer games voice-chat webcam
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect im MSN
Then do a clear local-host and check the speed test....
Julio
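As an added check (example code written here, not from the thread or from Cisco): a small Python linter that parses the Layer 3/4 policy-map section of an ASA running-config and reports any inspection applied under more than one class of the same policy-map, which is exactly the situation in the posted config, where inspect im MSN sits under both inspection_default and class-default. The sample config below is constructed from that post; the protocol inspection maps (policy-map type inspect ...) are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the policy-map section from the running-config posted in
# the thread, with inspect im MSN under two classes of global_policy.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect im MSN
 class class-default
  user-statistics accounting
  inspect im MSN
!
service-policy global_policy global
"""


def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspect arguments, ...]}}.

    Only Layer 3/4 policy-maps are parsed; 'policy-map type inspect ...'
    blocks (protocol inspection maps) are ignored. Leading indentation is
    stripped, so the flattened form seen in forum posts parses too."""
    maps = defaultdict(lambda: defaultdict(list))
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map type inspect"):
            pmap = cls = None                      # skip inspection maps
        elif line.startswith("policy-map "):
            pmap, cls = line.split()[1], None
        elif pmap and line.startswith("class "):
            cls = line.split(None, 1)[1]
            maps[pmap][cls]                        # register class, even if empty
        elif pmap and cls and line.startswith("inspect "):
            maps[pmap][cls].append(line.split(None, 1)[1])
        elif line == "!" or line.startswith("service-policy"):
            pmap = cls = None                      # end of the policy-map block
    return maps


def duplicate_inspections(maps):
    """Map (policy_map, inspect args) applied in more than one class to those classes."""
    dups = {}
    for pmap, classes in maps.items():
        seen = defaultdict(list)
        for cls, inspects in classes.items():
            for insp in inspects:
                seen[insp].append(cls)
        dups.update({(pmap, i): c for i, c in seen.items() if len(c) > 1})
    return dups
```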