05-10-2010 05:33 PM - edited 03-11-2019 10:43 AM
I have a ASA5505 and two NAS is setup within the DMZ.
My laptop connects to the inside zone.
When I use my laptop to copy files from NAS1 (10.2.1.8) to NAS2 (10.2.1.9), is super slow~ I did set switchport protect for each of the interface in the DMZ.
Is there a way to make it quicker?
Here is my current config:
: Saved
:
ASA Version 8.3(1)
!
hostname xxx
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan200
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan500
no forward interface Vlan800
nameif dmz
security-level 50
ip address 10.2.1.1 255.255.255.0
!
interface Vlan800
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 200
switchport protected
!
interface Ethernet0/1
switchport access vlan 500
switchport protected
!
interface Ethernet0/2
switchport access vlan 500
switchport protected
!
interface Ethernet0/3
switchport access vlan 500
switchport protected
!
interface Ethernet0/4
switchport access vlan 800
switchport protected
!
interface Ethernet0/5
switchport access vlan 800
switchport protected
!
interface Ethernet0/6
switchport access vlan 800
switchport protected
!
interface Ethernet0/7
switchport access vlan 800
switchport protected
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone xxxx
object network Internet_Access
subnet 0.0.0.0 0.0.0.0
object network Internet_Access2
subnet 0.0.0.0 0.0.0.0
object network laptop
host 192.168.1.8
object network SlingBoxHDPRO
host 10.2.1.10
object-group service SlingBox tcp
port-object eq 5001
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip host 192.168.1.8 any
access-list inside_access_in extended permit ip host 192.168.1.15 any
access-list inside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip 10.2.1.0 255.5.255.255.0
access-list dmz_access_in extended permit ip host 10.2.1.10
access-list dmz_access_in extended permit ip host 10.2.1.9
access-list dmz_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list dmz_access_ipv6_in deny ip any any
ipv6 access-list outside_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network Internet_Access
nat (inside,outside) dynamic interface
object network Internet_Access2
nat (dmz,outside) dynamic interface
object network laptop
nat (inside,dmz) static 192.168.1.8
object network SlingBoxHDPRO
nat (dmz,inside) static 192.168.1.14
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_ipv6_in in interface dmz
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icm
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 abso
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup link
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 460
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.8-10.2.1.12 dmz
dhcpd dns [DNS1] [DNS2] interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.8-192.168.1.15 inside
dhcpd dns [DNS1] [DNS2] interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxxx password xxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/sCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthl
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxx
: end
05-10-2010 05:57 PM
Hi,
Things to check:
Is the ASA with good overal performance? In good health?
Check this with:
sh cpu usage
sh memory
Do you get slowliness with other traffic as well, or just with these transfers?
What about a PING from source to destination, do you get a good RTT?
Federico.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide