Slowness problem sending traffic through CX module

burleyman
Level 8

People in the remote site access a SharePoint site via HTTP with Internet Explorer and open Microsoft documents. When I configure the ASA to send HTTP traffic through the CX module it slows opening documents to a crawl (Over 5 minutes to open) but everything else works fine. When I don’t send traffic through the CX module the documents open quickly (seconds) with no issue. So what I need to do is HTTP traffic going to and from the remote site needs to bypass the CX module or set it up so only HTTP traffic coming from the main site and site A going only to the internet goes through the CX module. How can I set this up to accomplish this?

 

I have attached a topology diagram.


6 Replies

Collin Clark
VIP Alumni

What does your ACL that sends traffic to the CX look like? Can you exclude the sharepoint server(s)?

That is what I needed help with but here is what I was thinking.

 

! Create needed groups
object-group network CX-BYPASS-SITE2SITE
 network-object 192.168.170.0 255.255.255.0

! from CX-BYPASS-SITE2SITE to ANY via HTTP - bypass
access-list CX_BYPASS deny tcp object-group CX-BYPASS-SITE2SITE any eq 80

! from any to CX-BYPASS-SITE2SITE via HTTP - bypass
access-list CX_BYPASS deny tcp any object-group CX-BYPASS-SITE2SITE eq 80

! CX inspects everything else
access-list CX_BYPASS permit ip any any

! Config traffic through the CX
class-map CX_REDIRECT
 no match any
 match access-list CX_BYPASS

policy-map global_policy
 class CX_REDIRECT
  cxsc fail-open

 

 

But I really only want to send HTTP traffic through the CX from the Main site and Site A to the internet, but this...

! CX inspects everything else
access-list CX_BYPASS permit ip any any

 

would send everything. How can I change that to just send HTTP traffic?

! CX inspects just HTTP traffic
access-list CX_BYPASS permit tcp any any eq 80

Would that work?

 

Mike

Try and avoid any as the source. For example if you had some webservers that you hosted through this firewall, all TCP80 traffic destined to those servers would also be inspected! Yikes!

How about something like-

object-group network Internal_Networks
 network-object [main site]
 network-object [site A]

access-list CX_BYPASS extended permit tcp object-group Internal_Networks any eq 80

 

 

Ahhh, yes did not think of that.

 

Thank you for your help. I will post if this helps the slowness.

 

Mike

Thanks Collin for your help. This worked perfectly.

 

Thanks,

Mike

Sweet! Thanks for letting us know Mike.
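
Added example, not part of the original thread: a simplified first-match model of the three CX_BYPASS variants discussed above, showing which flows the class-map would hand to the CX module. Only 192.168.170.0/24 comes from the thread; the main site, site A, SharePoint, hosted web server and internet addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Assumed addressing: only 192.168.170.0/24 appears in the thread.
MAIN_SITE = ip_network("10.1.0.0/16")      # assumption
SITE_A = ip_network("10.2.0.0/16")         # assumption
REMOTE = ip_network("192.168.170.0/24")    # from the thread's object-group

# ACE = (action, protocol, source networks, destination networks, dest port or None)
BYPASS_REMOTE = [
    ("deny", "tcp", [REMOTE], [ANY], 80),
    ("deny", "tcp", [ANY], [REMOTE], 80),
]
ACLS = {
    "permit_ip_any_any": BYPASS_REMOTE + [("permit", "ip", [ANY], [ANY], None)],
    "permit_tcp_any_any_80": BYPASS_REMOTE + [("permit", "tcp", [ANY], [ANY], 80)],
    "permit_internal_any_80": [("permit", "tcp", [MAIN_SITE, SITE_A], [ANY], 80)],
}

# Constructed sample flows: (label, protocol, source, destination, dest port)
FLOWS = [
    ("remote site -> SharePoint", "tcp", "192.168.170.25", "10.1.5.20", 80),
    ("main site -> internet HTTP", "tcp", "10.1.8.14", "198.51.100.7", 80),
    ("internet -> hosted web server", "tcp", "198.51.100.7", "10.1.9.80", 80),
    ("site A -> internet HTTPS", "tcp", "10.2.3.4", "198.51.100.7", 443),
]

def redirected(acl, proto, src, dst, dport):
    """First matching ACE decides; no match is the implicit deny (not redirected)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, ace_proto, srcs, dsts, ace_port in acl:
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action == "permit"
    return False

def evaluate(acl_name):
    """Map each sample flow label to True if that ACL would send it to the CX."""
    acl = ACLS[acl_name]
    return {label: redirected(acl, p, s, d, port) for label, p, s, d, port in FLOWS}

if __name__ == "__main__":
    for name in ACLS:
        print(name)
        for label, hit in evaluate(name).items():
            print(f"  {'CX    ' if hit else 'bypass'}  {label}")
```

Only the source-scoped ACL keeps inbound HTTP to a hosted web server out of the CX while still inspecting outbound HTTP from the internal networks.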