04-26-2008 04:28 PM - edited 03-11-2019 05:37 AM
Hi,
I have recently replaced a netgear firewall for an ASA5505. Below is my
config. My problem is that when I browse the web from my linux box,
anytime I hit a new site, it seems to take about 30 seconds to a minute
to do the lookup before I can actually get to the site. The DNS entries are
correct, so I don't really know why else it takes so long.
Anyone have ideas?
# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname myhomenet
domain-name network.local
enable password xxx
names
name 192.168.1.0 INSIDE
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
banner motd
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 73.x.x.205
name-server 68.x.x.98
domain-name network.local
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http INSIDE 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.11 255.255.255.255 inside
telnet timeout 10
ssh INSIDE 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.40 inside
dhcpd enable inside
!
!
!
username winky password xxx encrypted privilege 15
prompt hostname context
Cryptochecksum:xxx
: end
04-28-2008 06:53 AM
What happens if you use an IP address rather than a URL in the web browser?
04-28-2008 07:43 PM
It's hard for me to say. When I put in the domain name, it always takes a while, but it seems 1 out of 5 tries using the ip address will load pretty quickly.
But for the most part, it takes just as long whether it's w/ a domain name or ip address.
04-28-2008 11:50 PM
Hi,
try:
dns domain-lookup outside
no dns domain-lookup inside
tcp-map MYTCPMAP
exceed-mss allow
class-map global-class
match any
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
no inspect http
inspect dns preset_dns_map
class global-class
set connection advanced-options MYTCPMAP
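An added Python illustration (not from this thread or from Cisco) of why the "message-length maximum" in the suggested DNS inspection policy matters: it builds a DNS query, constructs a reply carrying 40 A records, and checks that reply against a 512-byte limit (the preset_dns_map default) and the 2048-byte value suggested above. The domain name and 192.0.2.x addresses are constructed sample data.

```python
import socket
import struct

# Assumed limits, not from the original post: 512 bytes is the classic UDP
# DNS size and the ASA preset_dns_map default; 2048 is the value the reply
# above suggests with "message-length maximum 2048".
DEFAULT_MAX = 512
SUGGESTED_MAX = 2048

def build_query(name, qtype=1, txid=0x1234):
    """Encode a single-question DNS query (default qtype 1 = A record)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def build_response(query, addrs):
    """Construct a reply echoing the question, one A record per address."""
    txid = query[:2]
    question = query[12:]                      # QNAME + QTYPE + QCLASS
    header = txid + struct.pack(">HHHHH", 0x8180, 1, len(addrs), 0, 0)
    # Each RR: pointer to QNAME at offset 12, type A, class IN, TTL, RDLENGTH, RDATA
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + socket.inet_aton(a) for a in addrs)
    return header + question + rrs

def message_summary(msg):
    """Decode the 12-byte header: size, TC (truncated) flag, record counts."""
    _txid, flags, _qd, an, _ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"length": len(msg), "truncated": bool(flags & 0x0200),
            "answers": an, "additional": ar}

def passes_inspection(msg, maximum):
    """True if the message fits under the inspection policy's length limit."""
    return len(msg) <= maximum

if __name__ == "__main__":
    # Constructed sample: a name resolving to 40 addresses in the 192.0.2.0/24
    # documentation range, enough to push the reply past 512 bytes.
    query = build_query("www.example.test")
    reply = build_response(query, ["192.0.2.%d" % i for i in range(1, 41)])
    print(message_summary(reply))
    for limit in (DEFAULT_MAX, SUGGESTED_MAX):
        verdict = "passes" if passes_inspection(reply, limit) else "dropped"
        print("limit %4d: %s" % (limit, verdict))
```

A reply that is silently dropped leaves the resolver waiting for its timeout and retrying, which is the kind of delay a client sees as a slow lookup.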
04-29-2008 06:21 PM
Well, I tried entering these commands and ran up against the following errors ...
winky(config)# dns domain-lookup outside
winky(config)# no dns domain-lookup inside
winky(config)# tcp-map MYTCPMAP
winky(config-tcp-map)# exceed-mss allow
winky(config-tcp-map)# class-map global-class
winky(config-cmap)# match any
winky(config-cmap)# policy-map type inspect dns preset_dns_map
winky(config-pmap)# parameters
winky(config-pmap-p)# message-length maximum 2048
winky(config-pmap-p)# policy-map global_policy
winky(config-pmap)# class inspection_default
ERROR: % class-map inspection_default not configured
winky(config-pmap)# no inspect http
^
ERROR: % Invalid input detected at '^' marker.
05-06-2008 12:51 AM
Hi,
that's the name of the default inspection on your ASA. It's a name. Check your name with "sh run".
In old PIX versions the command was "inspect ...".
Kind regards,
Ralf