
Slow Upload Speeds to Internet Via Cisco ASA5510

camplingm
Level 1

We have recently deployed a new Cisco ASA5510, which is connected to a Juniper J2320 (Outside) (ISP Router); the inside interface is connected to a Cisco 3750 Switch (100/Full). We have a sub interface called "ServerVLAN". Our switches and ASA are set to 100/FULL.

The results of a sh int | error:

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets

The connection via Virgin Media is 100mbps. From one of our servers (1000/FULL) into the 3750 stack, we get 30-40mbps down and 3-4mbps up.

Config Below. We have no modules in the ASA.

Please can anyone help?

ASA Version 8.2(1)
!
name 10.0.0.0 private10
name 192.168.0.0 private192
name 10.10.0.0 PSL-OFFICE-READING-LAN description PSL-OFFICE-READING-LAN
name 10.3.2.1 CORE01-3750 description Cisco 3750 Stack.
name 109.204.118.253 CORE01-3750-PUB description Core Switch Public Address
name 10.3.2.3 PSL-Gordon description Exchange Server
name 109.204.118.254 outside-Int-IP
name 10.3.10.254 PSL-MITEL3300 description Mitel 3300 Switch
name 109.204.118.10 PSL-Gordon-PUB
name 109.204.118.1 JUNIPER-J2320 description default router
name 10.3.20.0 VLAN20 description VLAN20
name 10.3.30.0 VLAN30 description VLAN30
name 10.3.40.0 VLAN40 description NO Access VLAN
name 10.3.2.5 PSL-VM118 description PSL VMWare Server (118)
name 109.204.118.12 PSL-VM118-PUB description Public Address on VMWare Server
name 10.3.5.0 VLAN-CCTV description Axis CCTV VLAN
name 10.3.2.0 VLAN-SERVERS
name 10.3.3.0 VLAN-WIRELESS description Wireless VLAN
name 10.3.10.0 VLAN-VOICE
name 10.3.2.201 PSL-UPS1
name 10.3.2.202 PSL-UPS2
dns-guard
!
interface Ethernet0/0
description Public Interface connected to Internet via ISP router
speed 100
duplex full
nameif outside
security-level 0
ip address outside-Int-IP 255.255.255.128
!
interface Ethernet0/1
description Inside Interface connected to 3750 switch stack
speed 100
duplex full
nameif inside
security-level 100
no ip address
!
interface Ethernet0/1.2
description Server Vlan
vlan 2
nameif ServerVlan
security-level 100
ip address 10.3.2.254 255.255.255.0
!
interface Ethernet0/2
description NOT IN USE
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description NOT IN USE
shutdown
no nameif
no security-level
no ip address
!            
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup ServerVlan
dns server-group DefaultDNS
name-server 85.189.102.5
name-server 85.189.39.5
object-group network privateip
network-object private10 255.0.0.0
network-object private192 255.255.0.0
network-object 172.16.0.0 255.240.0.0
object-group network Servers-Local
description Local Penwood Servers
network-object host PSL-Gordon
object-group network PSL-SupportTeam
description Penwood support Team
network-object host PSL-OFFICE-HEADCORN
network-object host PSL-OFFICE-READING
network-object host NTL-Virgin-Lab
network-object host PSL-OFFICE-DARTON
object-group network VPN-HOME-VLANS
description VPN VLANS to Tunnel Home
network-object VLAN-VOICE 255.255.255.0
network-object VLAN-SERVERS 255.255.255.0
object-group network Node4-SIP-Set
description Node4-SIP-Set
network-object host Node4-SIP-Signalling
network-object host Node4-SIP-Media
access-list outside_access_in remark allow ping on outside interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object-group PSL-SupportTeam host CORE01-3750-PUB eq telnet
access-list outside_access_in extended permit tcp object-group PSL-SupportTeam host CORE01-3750-PUB eq www
access-list outside_access_in extended permit tcp object-group PSL-SupportTeam host CORE01-3750-PUB eq https
access-list outside_access_in extended permit tcp any host PSL-VM118-PUB eq 3389
access-list outside_access_in extended permit tcp any host PSL-VM118-PUB eq 5900
access-list outside_access_in extended permit tcp any host PSL-Gordon-PUB eq 5900
access-list outside_access_in extended permit tcp any host PSL-Gordon-PUB eq www
access-list outside_access_in extended permit tcp any host PSL-Gordon-PUB eq https
access-list outside_access_in extended permit tcp any host PSL-Gordon-PUB eq 3389
access-list outside_access_in extended permit tcp any host PSL-Gordon-PUB eq smtp
access-list outside_1_cryptomap extended permit ip object-group VPN-HOME-VLANS PSL-OFFICE-READING-LAN 255.255.0.0
access-list ServerVlan_mpc extended permit ip VLAN20 255.255.255.0 any inactive
access-list ServerVlan_mpc extended permit ip any VLAN20 255.255.255.0 inactive
access-list ServerVlan_access_in remark Stop VLAN40 getting Internet Access
access-list ServerVlan_access_in extended deny ip VLAN40 255.255.255.0 any
access-list ServerVlan_access_in extended permit udp any any eq sip
access-list ServerVlan_access_in extended permit tcp any any eq sip
access-list ServerVlan_access_in extended permit tcp any any eq www
access-list ServerVlan_access_in extended permit ip any any
access-list ServerVlan_nat_static_19 extended permit ip host PSL-Gordon any
access-list ServerVlan_nat_static extended permit ip host PSL-VM118 any
access-list ServerVlan_nat0_outbound extended permit ip object-group VPN-HOME-VLANS PSL-OFFICE-READING-LAN 255.255.0.0
access-list ServerVlan_nat0_outbound extended permit ip any 10.3.2.128 255.255.255.248
access-list ServerVlan_nat_static_54 extended permit tcp host CORE01-3750 eq telnet any
access-list ServerVlan_mpc_23 extended permit ip VLAN-VOICE 255.255.255.0 any inactive
access-list ServerVlan_mpc_23 extended permit ip any VLAN-VOICE 255.255.255.0 inactive
access-list ServerVlan_mpc_1 extended permit ip VLAN30 255.255.255.0 any inactive
access-list ServerVlan_mpc_1 extended permit ip any VLAN30 255.255.255.0 inactive
pager lines 24
logging enable
logging buffer-size 8096
logging console debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ServerVlan 1500
mtu management 1500
ip local pool support 10.2.2.128-10.2.2.132 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any ServerVlan
asdm image disk0:/asdm-621.bin
asdm history enable
arp outside 192.168.21.10 0010.0101.1010
arp timeout 14400
global (outside) 1 interface
nat (ServerVlan) 0 access-list ServerVlan_nat0_outbound
nat (ServerVlan) 1 0.0.0.0 0.0.0.0
static (ServerVlan,outside) tcp CORE01-3750-PUB telnet access-list ServerVlan_nat_static_54
static (ServerVlan,outside) PSL-Gordon-PUB  access-list ServerVlan_nat_static_19
static (ServerVlan,outside) PSL-VM118-PUB  access-list ServerVlan_nat_static
access-group outside_access_in in interface outside
access-group ServerVlan_access_in in interface ServerVlan
route outside 0.0.0.0 0.0.0.0 JUNIPER-J2320 1
route ServerVlan 10.3.0.0 255.255.0.0 CORE01-3750 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http PSL-OFFICE-READING 255.255.255.255 outside
http PSL-OFFICE-HEADCORN 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 management
http PSL-OFFICE-DARTON 255.255.255.255 outside
http VLAN-SERVERS 255.255.255.240 ServerVlan
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer PSL-OFFICE-READING
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2     
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet VLAN-SERVERS 255.255.255.0 ServerVlan
telnet timeout 5
ssh PSL-OFFICE-HEADCORN 255.255.255.255 outside
ssh PSL-OFFICE-READING 255.255.255.255 outside
ssh VLAN-SERVERS 255.255.255.240 ServerVlan
ssh timeout 5
console timeout 0
management-access ServerVlan
dhcprelay server CORE01-3750 ServerVlan
dhcprelay timeout 60
priority-queue outside
priority-queue inside
  tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 78.47.136.197 source outside
webvpn
group-policy penwood internal
group-policy penwood attributes
dns-server value 10.1.2.3 10.1.2.4
vpn-tunnel-protocol IPSec
group-policy support internal
group-policy support attributes
dns-server value 10.1.2.3 10.1.2.4
vpn-tunnel-protocol IPSec
vpn-group-policy support
tunnel-group support type remote-access
tunnel-group support general-attributes
address-pool support
default-group-policy support
tunnel-group support ipsec-attributes
pre-shared-key *
tunnel-group penwood type remote-access
tunnel-group penwood general-attributes
address-pool support
default-group-policy penwood
tunnel-group penwood ipsec-attributes
pre-shared-key *
tunnel-group VPN-To-Home type ipsec-l2l
tunnel-group VPN-To-Home ipsec-attributes
pre-shared-key *
tunnel-group VPN-To-PSL type ipsec-l2l
tunnel-group VPN-To-PSL ipsec-attributes
pre-shared-key *
tunnel-group 217.46.179.105 type ipsec-l2l
tunnel-group 217.46.179.105 ipsec-attributes
pre-shared-key *
!
class-map ServerVlan-VLAN-Voice
description ServerVlan-VLAN-Voice
match access-list ServerVlan_mpc_23
class-map vlan20-class1
match rtp 2000 4000
class-map inspection_default
match default-inspection-traffic
class-map ServerVlan-VLAN20
match access-list ServerVlan_mpc
class-map ServerVlan-VLAN30
description ServerVlan-VLAN30
match access-list ServerVlan_mpc_1
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect pptp
  inspect ftp
policy-map ServerVlan-Policy
description Server VLAN Policy
class ServerVlan-VLAN-Voice
  priority
class ServerVlan-VLAN20
  police input 3000000 1500
  police output 3000000 1500
class ServerVlan-VLAN30
  police input 10000000 5000
  police output 10000000 5000
policy-map vlan20-policy
class vlan20-class1
  priority
!
service-policy global_policy global
service-policy ServerVlan-Policy interface ServerVlan
smtp-server 10.3.2.3


Kureli Sankar
Cisco Employee

What is the IP address of this server?

You have policing configured for that server VLAN, but the ACL matching the class for throttling is inactive.

See if you can remove this line from the config and test it. You can put it back when done.

conf t

no service-policy ServerVlan-Policy interface ServerVlan

Alternatively, you can try this.

Configure one of the unused interfaces, like this one:

interface Ethernet0/2
description NOT IN USE
shutdown
no nameif
no security-level
no ip address

and connect a laptop on this port. Get FileZilla server on this laptop. Install FileZilla client on the server and on another PC on a different interface, and try to upload files to the laptop on this new interface e0/2. Post your results.

-KS
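
Added example, not part of the original thread: a small Python check of the point made in the reply above, that the police actions in ServerVlan-Policy hang off class-maps whose ACL entries are all marked inactive. The function name and the result tuple layout are assumptions of this example, and the sample is constructed from lines of the posted config.

```python
# Constructed sample: the policing-related lines of the config posted above.
SAMPLE = """\
access-list ServerVlan_mpc extended permit ip VLAN20 255.255.255.0 any inactive
access-list ServerVlan_mpc extended permit ip any VLAN20 255.255.255.0 inactive
access-list ServerVlan_mpc_1 extended permit ip VLAN30 255.255.255.0 any inactive
access-list ServerVlan_mpc_1 extended permit ip any VLAN30 255.255.255.0 inactive
class-map ServerVlan-VLAN20
 match access-list ServerVlan_mpc
class-map ServerVlan-VLAN30
 match access-list ServerVlan_mpc_1
policy-map ServerVlan-Policy
 class ServerVlan-VLAN20
  police input 3000000 1500
  police output 3000000 1500
 class ServerVlan-VLAN30
  police input 10000000 5000
  police output 10000000 5000
service-policy ServerVlan-Policy interface ServerVlan
"""

def effective_policers(config):
    """Resolve service-policy -> policy-map -> class -> class-map -> ACL."""
    acl_live = {}   # ACL name -> True if any entry lacks 'inactive'
    cmap_acl = {}   # class-map name -> ACL it matches on
    police = []     # (policy-map, class, direction, rate in bps)
    applied = {}    # policy-map name -> interface name or 'global'
    cmap = pmap = cls = None
    for raw in config.splitlines():
        w = raw.split() or [""]   # keyword-based, so lost indentation is fine
        if w[0] == "access-list" and len(w) > 2 and w[2] != "remark":
            acl_live[w[1]] = acl_live.get(w[1], False) or "inactive" not in w[3:]
        elif w[0] == "class-map":
            cmap, pmap = w[-1], None
        elif w[0] == "policy-map":
            pmap, cmap, cls = w[-1], None, None
        elif w[:2] == ["match", "access-list"] and cmap:
            cmap_acl[cmap] = w[2]
        elif w[0] == "class" and pmap:
            cls = w[1]
        elif w[0] == "police" and pmap and cls:
            police.append((pmap, cls, w[1], int(w[2])))
        elif w[0] == "service-policy":
            applied[w[1]] = w[3] if w[2] == "interface" else "global"
    # A class whose ACL has only inactive entries never classifies traffic.
    return [(applied[pm], c, d, rate, acl_live.get(cmap_acl[c], False) if c in cmap_acl else True)
            for pm, c, d, rate in police if pm in applied]
```

Each returned tuple is (interface, class, direction, rate in bps, live); for the posted config every policer comes back with live set to False.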

Hi,

the IP Address of the server is 10.3.2.3 (Gordon).

We had removed the service policy for the ServerVlan, and it tested the same (slow). I am not near the ASA, so would need to visit to test another interface.

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 498, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 1968, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0

Regards

Matt
