Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
600
Views
0
Helpful
2
Replies

DMZ Slowness in ASA firewall

wasiimcisco
Level 1
Level 1

‎02-14-2010 07:33 AM - edited ‎03-11-2019 10:09 AM

I have few servers connected in DMZ zone of my ASA Firewall. Earlier in the old setup there was no slowness. I did  migration and upgrade switches to Cisco C3560-IPBASE-M.

After this activity the users are started complaining in access the Oracle servers and SQL servers.

SQL Server is located in inside (192.168.200.56

Appliacation Server is located in DMZ (172.16..11.126).

interface GigabitEthernet0/3.1
mac-address 000c.f342.4abc standby 020c.f342.4abc
nameif serverdmz
security-level 90
ip address 172.16.11.1 255.255.255.0 standby 172.16.11.5

name 192.168.200.56 ENOCSQLCLUS

name 172.16.11.126 ENOCWEBS3

name 172.16.11.30 dmzsqlclus


static (inside,serverdmz) dmzsqlclus ENOCSQLCLUS netmask 255.255.255.255

access-list acl-serverdmz extended permit ip host ENOCWEBS3 any

access-list acl-serverdmz extended permit ip host 172.16.11.101 host dmzsqlclus
access-list acl-serverdmz extended permit ip host Enocwebs2 host dmzsqlclus

global (serverdmz) 1 172.16.11.254
global (serverdmz) 3 interface

access-list aclnat_cards extended permit ip any 172.16.21.0 255.255.255.0
access-list aclnat_serverdmz extended permit ip any 172.16.11.0 255.255.255.0
nat-control
nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 1 172.16.11.0 255.255.255.0

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect pptp
  inspect ftp
class class-default
  set connection decrement-ttl

Everything is fine, ping telnet, mstsc but only when Query the data it got stuck. It is taking too much time. There is bad slowness in this communication.

Please let me know what is wrong. The switches are connected with each over Trunk.

SERVERDMZSW01#sh run
SERVERDMZSW01#sh running-config inter
SERVERDMZSW01#sh running-config interface gi
SERVERDMZSW01#sh running-config interface gigabitEthernet 0/1
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0/1
description Connected to *******DC-FIREWAL-01*******
switchport trunk encapsulation dot1q
switchport mode trunk
end

SERVERDMZSW01#sh run
SERVERDMZSW01#sh running-config inter
SERVERDMZSW01#sh running-config interface gi
SERVERDMZSW01#sh running-config interface gigabitEthernet 0/46
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/46
description ***** UPLINK TO DC-DMZ-SW01-0/46  (172.16.11.102) *****
switchport trunk encapsulation dot1q
switchport mode trunk
end

SERVERDMZSW01#sh running-config interface gigabitEthernet 0/47
Building configuration...

Current configuration : 37 bytes
!
interface GigabitEthernet0/47
end

SERVERDMZSW01#sh running-config interface gigabitEthernet 0/48
Building configuration...

Current configuration : 172 bytes
!
interface GigabitEthernet0/48
description ***** UPLINK TO DC-DMZ-PABX-SW02-0/48  (172.16.11.101) *****
switchport trunk encapsulation dot1q
switchport mode trunk
end

Same trunk configuration is there on Switch 2 and Switch 3. Servers are connected to Switch 3.

Please help me out why the network is slow in DMZ segment.

Labels:
0 Helpful
2 Replies 2

wasiimcisco
Level 1
Level 1

‎02-15-2010 10:25 AM

Hi,

Can anybody help me out.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee

‎02-15-2010 01:34 PM

Since the server is being translated through the ASA, have you tried enabled sqlnet inspection?

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card