Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1985
Views
0
Helpful
6
Replies

IPERF blocked by ASA

a.shaukat
Level 1
Level 1

‎06-25-2007 12:41 AM - edited ‎02-21-2020 01:34 AM

i have a remote branch connected to my head office in the following manner:

BR-LAN----BR-Router===VPN===HO-Router----HO-ASA----HO-LAN

i am using the c:\iperf -s on a server at the Head Office and

c:\iperf -c (ServerIP) on a machine at the Branch.

nothing comes up... whats blocking it ?? and where is it being blocked.. at the branch router or the HO router or the ASA ???? cause i have all type of traffic open at the Routers and IP traffic on the ASA from branch.

the BR-Router communicates with HO-router via VPn tunnel.

i really need to test the bandwidth using the iperf command...

any help ???

0 Helpful
6 Replies 6

andrew.burns
Level 7
Level 7

‎06-25-2007 08:04 AM

Hi,

Iperf uses a default port of 5001 for both server and client. So, if there is a firewall between them this port needs to be open in both directions. Also, if you have access-lists on the routers then these should also allow port 5001.

Alternatively, if you know for sure that a particular port is already open you can specify this port with the -p option (or if you are using jperf just change it in the GUI)

HTH

Andrew.

0 Helpful

a.shaukat
Level 1
Level 1
In response to andrew.burns

‎06-27-2007 04:34 AM

thanks andrew..

the rules i creaded on my ASA via ASDM they are said to allow traffic from one network to the network and its not port based rather IP based.... so doesnt that mean that all IP traffic is allowed ???

the access list is

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0

192.168.2.0 255.255.255.0

where 192.168.0.0 network is my HO side and 192.168.2.0 is the remote location side network..

HO side is the Inside and remote side is the BR_DMZ. security level on both is trusted ie. 100

nat exemption rule for this is ...

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0

192.168.2.0 255.255.255.0

0 Helpful

andrew.burns
Level 7
Level 7
In response to a.shaukat

‎07-02-2007 05:39 AM

Hi,

Try it the other way round - i.e. run the server on the client (iperf -s) and connect to it from the server (iperf -c clientip).

HTH

Andrew.

0 Helpful

a.shaukat
Level 1
Level 1
In response to andrew.burns

‎07-09-2007 03:23 AM

working now :-) dont know what was the issue but it worked the othrway around and now its working both way ... cant seem to figure out what was stopping it ...

can i ask one more thing here. ?

i have 3 interfaces.. inside, remote and outside..

with security levels 100, 100 and 0 respectively...

all ip communication from inside to remote and remote to inside is allowed.

NATTING is eexempted. like i explained in the IPERF issue..

i have my pc and the tftp server behind the Inside interface and a remote branch router in front of the remote interface of the ASA..

i can logon to the router without any problem

but when i try to copy the run config to the tftp server at my end it times out.. and i get nothing...

(so i had to set another tftp server at the branch network..)

what can be the issue ??

same is with the internet router attached to the outside interface.. cant seem to save its config to my tftp server as well..

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to a.shaukat

‎07-09-2007 05:59 AM

Atif

I believe that your issue with TFTP involves a fundamental aspect of how the ASA works. Traffic from a higher level interface (inside) is allowed to go through a lower level interface (outside) and any return traffic is permitted. This allows any end station inside to initiate a connection to any device outside and for response traffic to be permitted. But by default the ASA will not allow a machine outside to initiate a connection to an end station inside. To get this to work you will need to create an access policy on the outside interface to allow traffic from outside to initiate a connection to inside. The access list referenced in an earlier post appears to be for the inside interface. I believe that you need a similar access list for the outside interface (with addresses appropriately transposed).

HTH

Rick

HTH

Rick
0 Helpful

a.shaukat
Level 1
Level 1
In response to Richard Burts

‎07-10-2007 01:12 AM

i did ..

made an access list to allow the internet router's intereface(that connects to the ASA) to send IP traffic to a specific host (TFTPserver's ip)

but it kept on failing in a NAT translation..

i tried to exempt nat as well but the paket drops there...

aside from outside to inside...

i tried from DMZ1 to inside.. (both having the same security level) everything works (from DMZ to inside or inside to DMZ) except the TFTP..

il send u the config ..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card