We have been testing a Zone Based FW config for one month. Everything runs smoothly, but we are having a problem (very slow access) when a user tries to reach a website on a non-standard port (8080 in this case). All the traffic stays in our LAN, using an IPSEC/EZVPN connection between the two sites.
As soon as I disabled the Zone Based FW, the speed was much better.
I'm sure I'm missing a parameter to fix this problem, but I have tried many different options and haven't found anything yet, so I hope you guys can help me with this problem.
All the routers are Cisco 1811s running the Advanced IP Services 15.1(2)T1 IOS.
A port-map has been created to map port 8080 to the HTTP protocol for inspection.
The PC will have an IP address in 10.2.2.x/24 and will access a server on 10.2.3.x/24; both devices are part of the private zone in each site/LAN.
All access between sites is managed by an ASA, the IPSEC/EZVPN peer.
Little summary, it's going to be something like: Site A with a PC in the private zone, then the public zone for the EZVPN to Site B's public zone, and then the private zone to access the server in the LAN.
priv-pub-pmap to pub-priv-pmap.
I hope everything is clear; if not, please ask for more information.
Thanks for all your help and time.
Would you please specify a source and destination IP address? From which zone to which zone are you going? If both hosts are in the same zone, the zone-based firewall most likely won't have any effect on the traffic whatsoever. Have you tried disabling just the HTTP inspection and leaving it with just the normal TCP inspection?
Let me know.
A source IP would be something like 10.60.10.44 to 10.60.11.30: a PC in Site A to a server in Site B.
The source zone would be private because it's coming from the LAN of the router in Site A, and the destination would be the private zone because the request has to go through the IPSEC VPN connection to our ASA at the main office and then back to the other site (10.60.11.1/24) on the private for the IPSEC VPN connection, and then the private zone to get access to the LAN of Site B. Is it clear?
No, I didn't try disabling the HTTP inspection. I could try it just for testing purposes, but I definitely want to have it active for our final config.
Could you please run the command ip inspect log drop-pkt and check whether any of the packets destined to the server on non-standard ports are being dropped or not.
Also modify the ACL:
ip access-list extended web-ports
permit tcp 10.0.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq 81
permit tcp 10.0.0.0 0.255.255.255 any eq 8080
permit tcp 10.0.0.0 0.255.255.255 any eq 9000

ip access-list extended web-ports
permit tcp 10.0.0.0 0.255.255.255 any (permit ip, if it doesn't take tcp without ports)
Since you have already mentioned the ports it should match using port mapping, it seems like the router would be making an extra effort for no reason to match against the access-list. Just logical reasoning. Hence making the access-list smaller.
Let me know if it helps.
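For reference, this is how the pieces discussed so far (the port-map, the web-ports ACL, the lan-http-cmap class and the priv-pub-pmap policy) fit together in IOS zone-based firewall syntax. This is an added illustration, not the original poster's running config or the replier's exact suggestion; the interface names, the 10.0.0.0/8 source range and the exact class, policy and zone-pair names are assumptions modelled on the names used in this thread.

```cisco
! Added example: a minimal zone-based firewall for the private -> public
! direction, modelled on the names in this thread. Interface names and the
! 10.0.0.0/8 source are assumptions, not the poster's actual config.
!
! 1. Teach the HTTP inspection engine that TCP/8080 is HTTP. Without this,
!    "match protocol http" only classifies port 80.
ip port-map http port tcp 8080
!
! 2. Optional port restriction. If the port-map is already doing the
!    matching, the replier's suggestion is to collapse this to a single
!    "permit tcp 10.0.0.0 0.255.255.255 any" line.
ip access-list extended web-ports
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 permit tcp 10.0.0.0 0.255.255.255 any eq 81
 permit tcp 10.0.0.0 0.255.255.255 any eq 8080
 permit tcp 10.0.0.0 0.255.255.255 any eq 9000
!
! 3. match-all: a flow must hit the ACL AND be classified as HTTP
!    (port 80 and, via the port-map, 8080) to land in this class.
class-map type inspect match-all lan-http-cmap
 match access-group name web-ports
 match protocol http
!
! 4. Stateful inspection for the class; everything else in this direction
!    falls into class-default and is dropped and logged.
policy-map type inspect priv-pub-pmap
 class type inspect lan-http-cmap
  inspect
 class class-default
  drop log
!
! 5. Zones, interface membership (assumed interfaces) and the zone-pair
!    that applies the policy to traffic leaving the LAN.
zone security private
zone security public
interface Vlan1
 zone-member security private
interface FastEthernet0
 zone-member security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
! 6. Troubleshooting hooks used in this thread (exec-mode show commands
!    are listed as comments).
ip inspect log drop-pkt
! show ip port-map http
! show policy-map type inspect zone-pair priv-pub sessions
```

Two practitioner notes on this layout. First, a session opened by "inspect" on the priv-pub zone-pair is tracked in the state table, so its return packets are admitted by that state rather than by a separate pub-priv class; "show policy-map type inspect zone-pair priv-pub sessions" is the way to confirm that a TCP/8080 flow actually got a session entry. Second, "show ip port-map http" confirms the port-map took effect; if 8080 is not listed there, "match protocol http" will never see that traffic and the flow falls through to class-default.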
I understand your point about doing the same thing twice, but I thought that having that ACL was a way to control what the users will have access to (ports 80, 81, 8080, 9000 and that's it). Do you think it might help with the slow traffic problem on port 8080 in HTTP?
I'll try your "ip inspect log drop-pkt" tomorrow morning when I'm at the office and add the result to the post.
Thanks for your help and reply!
I tried "ip inspect log drop-pkt" and here is what I got:
%FW-6-LOG_SUMMARY: 2 tcp packets were dropped from 10.62.28.100:1625 => 10.61.254.30:8080 (target:class)-(priv-pub:lan-http-cmap)
%FW-6-LOG_SUMMARY: 6 tcp packets were dropped from 10.61.254.30:8080 => 10.62.28.100:1625 (target:class)-(pub-priv:any-lan-cmap)
10.62.28.100 is the user on his PC in Site A who wants to access the server in Site B using IE with an HTTP request on port 8080.
Any idea why the router is dropping packets either IN (pub-priv) or OUT (priv-pub-pmap)?
After a while (a few minutes) the user will have access to the webpage, but it's really slow.
At least the router sees the request as HTTP, like it's supposed to, because of the port-map.