ASA 5505 slow internet browsing

Secure your network!

Moderator: Federico.Lagni

Pino6504
n00b
Posts: 5
Joined: Thu 13 Jun 2013, 7:32 pm

Hi everyone,
I have configured an ASA 5505 in PAT/NAT mode (public IP on outside and public IP on the router) with an AnyConnect VPN.
I have noticed considerable slowness in internet browsing; reading around online I found that the problem may be related to the speed setting on the outside interface, AUTO rather than 100, and to the Full, Half or Auto setting. I tried setting the outside interface to 100 and the flow to Full, but nothing changes.
Has anyone run into problems like this before?
The problem is related to the firewall, because if I remove it the speed goes back to normal.
Here is the configuration, maybe someone can help me.


Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname asa
domain-name xxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 31.xxx.xxx.xx 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 151.99.125.2
name-server 151.99.125.3
name-server 62.211.69.150
domain-name marconi
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
access-list vpn-ssl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_cisco_splitTunnelAcl standard permit 192.168.1.128 255.255.255.192
access-list ssl standard permit 192.168.1.0 255.255.255.0
access-list inside_authentication extended permit tcp any any inactive
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool pool_ssl 192.168.10.1-192.168.10.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 31.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server marconi protocol nt
aaa-server marconi (inside) host 192.168.1.35
nt-auth-domain-controller marconi
aaa authentication enable console marconi LOCAL
aaa authentication ssh console marconi LOCAL
aaa authentication match inside_authentication inside xxxxxx
http server enable
http 192.168.1.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=vpn.xxxxx
keypair vpn
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate f037c151
308201db 30820144 a0030201 020204f0 37c15130 0d06092a 864886f7 0d010105
05003032 31143012 06035504 03130b76 706e2e6d 6172636f 6e69311a 30180609
2a864886 f70d0109 02160b61 73612e6d 6172636f 6e69301e 170d3133 30363139
30353532 32315a17 0d323330 36313730 35353232 315a3032 31143012 06035504
03130b76 706e2e6d 6172636f 6e69311a 30180609 2a864886 f70d0109 02160b61
73612e6d 6172636f 6e693081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 81810090 51652ad4 f68cebc3 9c19f646 b79ab111 9aef8ad7 b44c723c
d66de793 6e93e4ed e1596f07 3ef1c2d9 92efa003 ed8d7461 10d8b2d1 4db8a1c1
fc39af7a 3629333d a4535b4b 58e669a7 543898e5 8c28c869 63874d3e 000cc635
3b3d64a9 2fb42880 b9457121 070f0ff3 5f66a426 b7d639cd e02fb983 a7e0c28b
d0cf6484 13ad5102 03010001 300d0609 2a864886 f70d0101 05050003 81810030
cdd69551 6979350b dc44822d ef672157 202df0ae d80d6ac9 796f3874 638152f0
0be75349 2b669844 ad996d97 9990197a 42a2bc9e d9310832 184b1c39 5080dd31
e3924d11 d9269ce6 59187cf3 1d509895 55737dba f4ec02e0 a700cb17 610e3d85
38b24020 4853a32c f7d14c23 fbb35695 4b8c57f0 3b0e5292 78e9f023 377a13
quit
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 151.99.125.2 151.99.125.3
default-domain value marconi
group-policy VPN_cisco internal
group-policy VPN_cisco attributes
dns-server value 151.99.125.2 151.99.125.3
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_cisco_splitTunnelAcl
default-domain value marconi
group-policy VPN_Marconi internal
group-policy VPN_Marconi attributes
dns-server value 192.168.1.35 151.99.125.3
vpn-tunnel-protocol IPSec svc
default-domain value marconi
group-policy any_connect_marconi internal
group-policy any_connect_marconi attributes
wins-server none
dns-server value 151.99.125.2 151.99.125.3
vpn-tunnel-protocol svc webvpn
group-lock value vpn_ssl
split-tunnel-policy tunnelall
split-tunnel-network-list value ssl
default-domain value marconi
webvpn
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username admin password ujJAU1zjv3fWSa66 encrypted privilege 15
username pinotti password kAk1c.A/0zpq0Inh encrypted privilege 0
username pinotti attributes
vpn-group-policy any_connect_marconi
tunnel-group vpn_ssl type remote-access
tunnel-group vpn_ssl general-attributes
address-pool (inside) pool_ssl
address-pool pool_ssl
authentication-server-group marconi LOCAL
default-group-policy any_connect_marconi
tunnel-group vpn_ssl webvpn-attributes
group-alias vpn enable
group-url https://31.xxx.xxx.xxx/vpn enable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool (inside) pool_ssl
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect dns preset_dns_map
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2bd817d588ae4b35c558af537c5c0b81
: end
Last edited by Pino6504 on Sat 06 Jul 2013, 5:15 pm, edited 1 time in total.
Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

Hi,
unfortunately nothing odd in the config jumps out at me (be careful, because you left the IP in the clear in the VPN access part of the configuration, and leaving the username and password part published is never a good look either).
Back to the problem: if I were you I would try upgrading the IOS. It's the only thing that comes to mind. Have you tried debugging it somehow? How is the CPU doing while the fault occurs?

Rizio
Si vis pacem para bellum
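Rizio's warning about the public IP and the password hashes in the posted config deserves a tool rather than a manual pass. The script below is an added example and not code from the thread or from Cisco: it redacts an ASA running-config before it is pasted anywhere, masking credential lines and globally routable addresses and collapsing certificate bodies, while leaving RFC 1918 addressing readable so the config is still useful for troubleshooting. SAMPLE is constructed in the style of the posted config; the 203.0.113.x addresses stand in for real public ones and the SNMP community string is invented.

```python
"""Redact a Cisco ASA running-config before pasting it on a forum.
Added example, not code from the thread or from Cisco. It masks credential
material and globally routable addresses and collapses certificate bodies,
leaving RFC 1918 addresses and everything else readable. SAMPLE is constructed
in the style of the posted config: 203.0.113.x stands in for the real public
addresses and the SNMP community string is invented."""
import ipaddress
import re

SAMPLE = """\
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
username admin password ujJAU1zjv3fWSa66 encrypted privilege 15
crypto ca certificate chain ASDM_TrustPoint0
 certificate f037c151
    308201db 30820144 a0030201 020204f0 37c15130 0d06092a 864886f7 0d010105
    38b24020 4853a32c f7d14c23 fbb35695 4b8c57f0 3b0e5292 78e9f023 377a13
  quit
tunnel-group vpn_ssl webvpn-attributes
 group-url https://203.0.113.10/vpn enable
snmp-server host inside 192.168.1.35 community s3cret version 2c
Cryptochecksum:2bd817d588ae4b35c558af537c5c0b81
"""

# Lines that carry secrets: keep the keyword, replace the value that follows it.
SECRET_PATTERNS = [
    (re.compile(r"^(\s*enable password )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*passwd )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*username \S+ password )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*(?:ikev1 )?pre-shared-key )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*key )\S+"), r"\1<redacted>"),  # aaa-server host keys
    (re.compile(r"^(\s*snmp-server host .* community )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*Cryptochecksum:)\S+"), r"\1<redacted>"),
    # Names the poster masked by hand as well.
    (re.compile(r"^(\s*(?:hostname|domain-name|subject-name) )\S+"), r"\1<redacted>"),
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Addresses left readable: inside addressing, loopback/link-local, 0.0.0.0 ('any')
# and the reserved 240/4 block, which also covers dotted subnet masks.
KEEP = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "240.0.0.0/4",
)]

def _placeholder(text, seen):
    """Map a public address to a stable label so repeated uses stay correlated."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:  # e.g. 300.1.2.3 is not an address
        return text
    if any(addr in net for net in KEEP):
        return text
    return seen.setdefault(text, f"<public-{len(seen) + 1}>")

def redact(config):
    """Return the config with secrets, public addresses and cert bodies masked."""
    out, seen, in_cert = [], {}, False
    for line in config.splitlines():
        if in_cert:  # skip the hex body until the closing 'quit'
            if line.strip() == "quit":
                in_cert = False
                out.append(line)
            continue
        if re.match(r"\s*certificate \S+$", line):
            in_cert = True
            out.append(line)
            out.append("    <certificate body removed>")
            continue
        for pattern, repl in SECRET_PATTERNS:
            line, hits = pattern.subn(repl, line)
            if hits:
                break
        out.append(IPV4.sub(lambda m: _placeholder(m.group(1), seen), line))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(redact(SAMPLE), end="")
```

Public addresses get stable labels (<public-1>, <public-2>), so a reader can still see that the group-url and the outside interface share an address, which is what matters for diagnosing the VPN. The "encrypted" password hashes are masked as well: once posted they are no protection, since offline password crackers handle that format.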
Pino6504
n00b
Posts: 5
Joined: Thu 13 Jun 2013, 7:32 pm

Thanks for everything,
in the end I solved it: it was a DNS problem, the forwarding to the external DNS servers was not configured correctly on the DC's DNS server.
Now, though, I have a different problem that has kept me stuck for a while: I created an IPsec VPN following Cisco's guidelines, creating a specific pool, the NAT rules (nonat) from the internal network to the network created for the VPN, split tunneling. Everything seems OK, I connect from outside and the connection is fine, but I can't access the internal network resources... Am I missing something, or is something not correct? Can you help me? Tomorrow I can post the configuration again if needed.
I also created an SSL VPN but it gives exactly the same problem....
Thanks.
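The DNS cause Pino found, a DC resolver whose forwarders were misconfigured, shows up as slow or failing answers from that one server while the ISP resolvers answer normally. The script below is an added example, not from the thread: it times a raw DNS/UDP query against each server the posted config hands out (the DC at 192.168.1.35 and the two 151.99.125.x ISP resolvers) using only the standard library, so no dnspython is needed. The query name www.example.com is constructed; any name the DC has to forward externally will do.

```python
"""Time each DNS server the ASA hands out, to tell a slow or broken resolver
(the cause in this thread) from a slow link. Added example, not from the thread;
it sends a minimal DNS query over UDP with the standard library only.
Assumptions: SERVERS is taken from the posted config (the DC at 192.168.1.35
and the ISP resolvers); the query name is constructed."""
import socket
import struct
import time

SERVERS = ["192.168.1.35", "151.99.125.2", "151.99.125.3"]
QUERY_NAME = "www.example.com"  # constructed; pick a name the DC must forward
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Standard query, recursion desired (RD), one A-record question for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_answer(data, txid=0x1234):
    """Return (rcode, answer_count) from a raw response; reject a foreign txid."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not our answer")
    return flags & 0x000F, an

def time_lookup(server, name, timeout=3.0):
    """(seconds, rcode, answers) for one query to server, or None on timeout."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
        elapsed = time.monotonic() - t0
    rcode, answers = parse_answer(data)
    return elapsed, rcode, answers

def describe(result):
    """Human-readable verdict for one time_lookup() result."""
    if result is None:
        return "timeout"
    elapsed, rcode, answers = result
    verdict = RCODES.get(rcode, f"rcode {rcode}")
    return f"{elapsed * 1000:.0f} ms {verdict} ({answers} answers)"

if __name__ == "__main__":
    for server in SERVERS:
        print(f"{server:16} {describe(time_lookup(server, QUERY_NAME))}")
```

Run it from a client on the inside network. The DC answering late, timing out, or returning SERVFAIL while the ISP resolvers are quick is the forwarder problem; identical timings point somewhere else. Note that the posted config pushes different server lists per group policy (the DC first for VPN_Marconi, ISP resolvers only for the AnyConnect policy and the default policy), so VPN clients and LAN clients will not necessarily show the same symptom.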
Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

Good on the DNS, in fact I could have thought of it right away; oh well, next time.
As for the VPN, try changing the NAT table it belongs to: take it out of the nonat table, put it in another "normal" table and try again.

Rizio
Si vis pacem para bellum
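Both Pino's symptom (VPN connects, inside resources unreachable) and Rizio's suggestion turn on which NAT statement the LAN-to-VPN-pool traffic lands on. The model below is an added example, not from the thread or from Cisco: it encodes the ASA 8.2 matching rules for the two forms of `nat 0` and reports the nat id a given flow hits. FORM_A is what the posted config contains; FORM_B is the access-list NAT exemption used in Cisco's 8.2 remote-access examples. The `nonat` name and the host addresses are constructed; the subnets (192.168.1.0/24 inside, 192.168.10.0/24 pool) are the ones in the posted config.

```python
"""Which flows does each 'nat 0' form exempt from PAT on an ASA 8.2?
Added example, not from the thread: it models the NAT matching of the two
statements and reports the nat id a flow lands on. The 'nonat' ACL name and the
host addresses are constructed; the subnets mirror the posted config."""
import ipaddress
import re

# Form A: what the posted config contains. 'nat (inside) 0 <net> <mask>' is identity
# NAT for sources in <net> arriving on inside; it looks at the source address only.
FORM_A = """
global (outside) 1 interface
nat (inside) 0 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Form B (constructed): NAT exemption keyed on an ACL, matched on source AND
# destination, the pattern Cisco's 8.2 remote-access examples use for LAN -> pool.
FORM_B = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)$")
NAT_NET_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)$")

def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return ({acl_name: [(src_net, dst_net)]}, [(ifc, id, kind, value)])."""
    acls, nats = {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := NAT_ACL_RE.match(line):  # must precede NAT_NET_RE (it also matches)
            nats.append((m[1], int(m[2]), "acl", m[3]))
        elif m := NAT_NET_RE.match(line):
            nats.append((m[1], int(m[2]), "net", _net(m[3], m[4])))
    return acls, nats

def nat_id(config, ifc, src, dst):
    """nat id matched by a flow src -> dst entering interface ifc.
    0: exempt/identity (address unchanged); >0: dynamic NAT/PAT through the
    'global' with that id; None: no rule on that interface matched.
    Modelled order: 'nat 0 access-list' exemption is checked before dynamic rules;
    among dynamic rules the most specific source network wins. Policy NAT
    ('nat <id> access-list' with id > 0) is not modelled."""
    acls, nats = parse(config)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    rules = [n for n in nats if n[0] == ifc]
    for _, nid, kind, value in rules:
        if kind == "acl" and nid == 0 and any(
                src in s and dst in d for s, d in acls.get(value, [])):
            return 0
    best = None
    for _, nid, kind, value in rules:
        if kind == "net" and src in value and (
                best is None or value.prefixlen > best[1].prefixlen):
            best = (nid, value)
    return best[0] if best else None

if __name__ == "__main__":
    flows = [("192.168.1.50", "192.168.10.5"),    # LAN host replying to a VPN client
             ("192.168.1.50", "198.51.100.7")]    # LAN host to the internet
    for label, cfg in (("FORM_A (posted)", FORM_A), ("FORM_B (acl exemption)", FORM_B)):
        for src, dst in flows:
            print(f"{label:24} {src} -> {dst}: nat {nat_id(cfg, 'inside', src, dst)}")
```

A result of 0 means the inside address is left alone; 1 means the flow is PATed to the outside interface address. Under FORM_A the 192.168.1.0/24 to 192.168.10.0/24 flow gets 1, because that `nat 0` line only matches pool-sourced traffic arriving on inside, where no pool host ever sources anything; only the ACL form exempts the LAN-to-pool direction while still PATing LAN-to-internet traffic. Whatever the model says, confirm on the firewall with `show xlate` while a connected client pings an inside host. The model is 8.2-only: 8.3 and later replaced nat/global with object NAT and `nat (inside,outside) source static ...` rules, so do not carry this reasoning across an upgrade.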