06-18-2013 05:17 AM - last edited on 03-25-2019 04:25 PM by ciscomoderator
Hello,
I have a problem whereby the throughput between two inside interfaces does not go above 100KBps when copying files between the interfaces.
The interfaces in question are inside1 (data vlan) and inside2 (wireless). Throughput from the inside interfaces to the outside interface is not a problem as web traffic is nice and snappy.
The ASA is configured to terminate my layer 3 connections as I only have a layer 2 switch. The uplink from the switch to the ASA is a trunk link allowing the relevant VLANs. On the switch I have tested the throughput between the VLANs and determined that the ASA seems to be at fault.
I am fairly new to ASAs so any help would be appreciated. Please find my ASA config below:
Thanks.
: Saved
: Written by enable_15 at 10:37:19.808 UTC Tue Jun 18 2013
!
ASA Version 9.0(1)
!
hostname TheGarage-ASA
domain-name thegarage.com
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
description *** Outside interface to 1801 router fa0***
switchport access vlan 2
!
interface Ethernet0/1
description *** Connection to 1801 inside fa1 ***
switchport trunk allowed vlan 10,20,30,99
switchport trunk native vlan 99
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
shutdown
no nameif
security-level 0
no ip address
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group XXXX
ip address pppoe setroute
!
interface Vlan10
description *** Data VLAN ***
nameif inside1
security-level 100
ip address 172.27.10.254 255.255.255.0
!
interface Vlan20
description *** Data VLAN ***
nameif inside2
security-level 100
ip address 172.27.20.254 255.255.255.0
!
interface Vlan30
description *** Data VLAN ***
nameif inside3
security-level 75
ip address 172.27.30.254 255.255.255.0
!
interface Vlan99
description *** Management VLAN ***
nameif management
security-level 100
ip address 172.27.99.1 255.255.255.0
!
banner motd *****************************************************************************
banner motd *||=======================================================================||*
banner motd *|| ||*
banner motd *|| ||*
banner motd *|| WARNING!!! ||*
banner motd *|| ||*
banner motd *|| ||*
banner motd *|| This system is solely for the use of authorized users of The Garage ||*
banner motd *|| for official purposes. ||*
banner motd *|| You have no expectation of privacy in its use and to ensure that ||*
banner motd *|| the system is functioning properly, individuals using this ||*
banner motd *|| computer system are subject to having all of their activities ||*
banner motd *|| monitored and recorded by system personnel. Use of this system ||*
banner motd *|| evidences an express consent to monitoring and agreement that if ||*
banner motd *|| such monitoring reveals evidence of possible abuse or criminal ||*
banner motd *|| activity, system personnel may provide the results of such ||*
banner motd *|| monitoring to appropriate officials. ||*
banner motd *|| ||*
banner motd *|| ||*
banner motd *||=======================================================================||*
banner motd *****************************************************************************
boot system disk0:/asa901-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name thegarage.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-NAS-ftp
host 172.27.10.10
object network obj-data
subnet 172.27.10.0 255.255.255.0
object network obj-wireless
subnet 172.27.20.0 255.255.255.0
object network obj-guest
subnet 172.27.30.0 255.255.255.0
object network obj-NAS-https
host 172.27.10.10
object network obj-NAS-torrent1
host 172.27.10.10
object network obj-NAS-torrent2
host 172.27.10.10
object network obj-NAS-SSH
host 172.27.10.10
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any log
access-list outside_access_in extended deny ip 172.16.0.0 255.255.0.0 any log
access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any log
access-list outside_access_in extended permit tcp any host 203.161.83.1 eq https
access-list outside_access_in extended permit tcp any host 172.27.10.10 eq https
access-list outside_access_in extended permit tcp any host 172.27.10.10 eq ftp
access-list outside_access_in extended permit tcp any host 172.27.10.10 eq 222
access-list outside_access_in extended permit tcp any host 172.27.10.10 eq 3389
access-list outside_access_in extended permit tcp any host 172.27.10.10 eq 10568
access-list outside_access_in extended permit udp any host 172.27.10.10 eq 10568
access-list outside_access_in extended deny ip any any log
access-list inside1_access_in extended permit ip 172.27.10.0 255.255.255.0 172.27.20.0 255.255.255.0
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 172.27.20.0 255.255.255.0
access-list inside1_access_in extended permit udp 172.27.10.0 255.255.255.0 172.27.20.0 255.255.255.0
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq www
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq https
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq ftp
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq ssh
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq telnet
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq smtp
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq pop3
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq 993
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq 3389
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq 995
access-list inside1_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq domain
access-list inside1_access_in extended permit udp 172.27.10.0 255.255.255.0 any eq domain
access-list inside1_access_in extended permit tcp 172.27.10.0 255.255.255.0 any eq domain
access-list inside1_access_in extended permit icmp 172.27.10.0 255.255.255.0 any
access-list inside1_access_in extended permit icmp any any
access-list inside1_access_in extended permit ip any any log
access-list inside2_access_in extended permit ip 172.27.20.0 255.255.255.0 172.27.10.0 255.255.255.0
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq www
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq https
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq ftp
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq ssh
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq telnet
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq smtp
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq pop3
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq 587
access-list inside2_access_in extended permit udp 172.27.20.0 255.255.255.0 any eq domain
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq 993
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq 995
access-list inside2_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq 3389
access-list inside2_access_in extended permit tcp 172.27.20.0 255.255.255.0 any eq domain
access-list inside2_access_in extended permit icmp 172.27.20.0 255.255.255.0 any
access-list inside2_access-in extended deny ip any any log
access-list inside3_access_in extended permit ip 172.27.30.0 255.255.255.0 172.27.10.0 255.255.255.0 log
access-list inside3_access_in extended permit ip 172.27.30.0 255.255.255.0 172.27.20.0 255.255.255.0 log
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq www
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq https
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq ftp
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq smtp
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq pop3
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq 587
access-list inside3_access_in extended permit udp 172.27.30.0 255.255.255.0 any eq domain
access-list inside3_access_in extended permit tcp 172.27.30.0 255.255.255.0 any eq domain
access-list inside3_access_in extended deny ip any any
access-list inside3_access-in extended deny ip any any log
pager lines 24
logging enable
logging buffer-size 128000
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-NAS-ftp
nat (inside1,outside) static interface service tcp ftp ftp
object network obj-data
nat (inside1,outside) dynamic interface
object network obj-wireless
nat (inside2,outside) dynamic interface
object network obj-guest
nat (inside3,outside) dynamic interface
object network obj-NAS-https
nat (inside1,outside) static interface service tcp https https
object network obj-NAS-torrent1
nat (inside1,outside) static interface service tcp 10568 10568
object network obj-NAS-torrent2
nat (inside1,outside) static interface service udp 10568 10568
object network obj-NAS-SSH
nat (inside1,outside) static interface service tcp ssh 222
access-group outside_access_in in interface outside
access-group inside1_access_in in interface inside1
access-group inside2_access_in in interface inside2
access-group inside3_access_in in interface inside3
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.27.10.0 255.255.255.0 inside1
ssh 172.27.20.0 255.255.255.0 inside2
ssh timeout 10
console timeout 0
vpdn group XXXX request dialout pppoe
vpdn group XXXX localname XXXXXXXXXX
vpdn group XXXX ppp authentication chap
vpdn username XXXXXXXXXXXXX password XXXXXXXXXXXXXXX
vpdn username XXXXXXXXXX password XXXXXXXXXXXXXX
dhcpd dns XXXXXXXXXXXX XXXXXXXXXXXX
dhcpd auto_config management
!
dhcpd address 172.27.10.21-172.27.10.199 inside1
dhcpd enable inside1
!
dhcpd address 172.27.20.21-172.27.20.199 inside2
dhcpd enable inside2
!
dhcpd address 172.27.30.21-172.27.30.199 inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXXXXXXXX password XXXXXXXXXXXX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b122706d760ff71f18228bcf0c259c64
: end
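An added example, not part of the original post and not Cisco tooling: a small offline lint that a reviewer could run over a running-config like the one above. It flags hard-set speed/duplex on a port, ACL names that no access-group references, a blanket permit entry, and management access open to any source address. The function name `audit` and the finding labels are assumptions made for this example.

```python
# Added example: offline lint for an ASA-style running-config (not Cisco tooling).
SAMPLE = """\
interface Ethernet0/1
speed 100
duplex full
!
access-list inside1_access_in extended permit ip any any log
access-list inside2_access_in extended permit icmp 172.27.20.0 255.255.255.0 any
access-list inside2_access-in extended deny ip any any log
access-group inside1_access_in in interface inside1
access-group inside2_access_in in interface inside2
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.27.10.0 255.255.255.0 inside1
"""  # constructed excerpt: lines taken from the configuration posted above


def audit(config):
    """Return sorted (kind, detail) findings for a running-config string."""
    findings, acls, bound, iface = set(), set(), set(), None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            iface = None                      # "!" closes an interface block
        elif tok[0] == "interface" and len(tok) > 1:
            iface = tok[1]
        elif tok[0] in ("speed", "duplex") and iface and tok[1:] != ["auto"]:
            # Hard-set link settings must match the peer port, otherwise the
            # autonegotiating side can fall back to half duplex.
            findings.add(("fixed-link", f"{iface} {' '.join(tok)}"))
        elif tok[0] == "access-list" and len(tok) > 2:
            acls.add(tok[1])
            if tok[3:7] == ["permit", "ip", "any", "any"]:
                findings.add(("permit-any", tok[1]))
        elif tok[0] == "access-group" and len(tok) > 1:
            bound.add(tok[1])
        elif tok[0] in ("ssh", "telnet", "http") and len(tok) == 4 and tok[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.add(("mgmt-open", f"{tok[0]} from any address on {tok[3]}"))
    # An ACL name that no access-group references filters nothing; a typo in the
    # name (here "-in" vs "_in") silently creates such an orphan.
    findings.update(("unbound-acl", name) for name in acls - bound)
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind:12} {detail}")
```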
01-14-2014 07:17 AM
I am having this problem on our ASA 5520. Did you ever solve it?