SA 540 and DMZ Issue for Wireless Guest Access

Unanswered Question

I have hooked up a Wireless AP into the Optional Port setup as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness? I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?

hhwesterg Sun, 11/29/2009 - 19:41


I'm having the same issue, except I don't use an access point. I have attached both my laptop and server to the DMZ and can't reach anything. I can ping and resolve domain names, but using a browser is impossible, connection is extreeeeemely slow/useless.

Any help would be greatly appreciated, I need to get our web server running on that port.

I have also tried adding Firewall rules (allow DMZ to WAN) etc. no luck.

Steven Smith Mon, 11/30/2009 - 15:30

Let me forward this along.  When you get a chance though, can you plug the AP into the LAN to see if the problem exists there as well?  Not that this is a workaround, but I am just trying to see if we can also replicate the problem on the LAN.

hhwesterg Wed, 12/02/2009 - 16:24

I have tried 1.0.17 and now also 1.0.39 but no change. I called Cisco's support line and they reproduced the problem in the lab for both firmware versions (upgrading the firmware to .39 actually also wiped my configuration).

It looks like they will escalate the problem now, stay tuned.

Steven Smith Thu, 12/03/2009 - 11:30

I will keep this going on my end. The 1.0.39 will factory reset the box as well. It is in the release notes that it will require a new configuration. There were significant database changes that required this.

Steven Smith Thu, 12/03/2009 - 14:36

Can you let me know what APs you are using with this? Also, could you let me know if this problem occurs if you directly connect to the SA500?

hhwesterg Thu, 12/03/2009 - 16:17


I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.

I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).

I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.

To summarize, I have about 16 Mb connection on my LAN and on my DMZ I can't even load a full web page.

Firmware 1.0.39

BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

Steven Smith Thu, 12/03/2009 - 16:38

I haven't been able to recreate the problem here for me.  Are you using a 540 as well or a 520?

hhwesterg Thu, 12/03/2009 - 17:04

I'm using the SA 540

Both the Cisco engineers I talked with on the phone were able to recreate it. Though the first one thought he found a solution by allowing all WAN to DMZ, but that didn't change anything for me.

I have the 2 following rules:

LAN to DMZ allow all.

DMZ to WAN allow all.

and I have been testing with the WAN to DMZ allow all, but no change.

Are you saying that when you have the optional port set to DMZ, your computer on the DMZ can reach and browse the Internet without any speed problems?

(SA-540 firmware 1.0.39)

Steven Smith Fri, 12/04/2009 - 11:12

I am saying that I don't seem to have this issue, but I have been testing on the SA520.  I will check with a SA540 and try again.


I don't know if it's related but I just found the exact same problem in a completely different setup;

Two ASA 5505s with a pure VPN (IPSEC) tunnel between them and all traffic routed over the tunnel. I can ping the head office, RDP, DNS look-up, ASDM, SSH, but HTTP fails. I checked the logs on both ASAs and the traffic passes without any issue, but I am not getting a web page (this is with IE8).

I will do some more testing today and hope to find the answer, but right now I am thinking it's something to do with the inspects.

If I can't figure it out I'll open a TAC case, but truly strange.

If I can find my other laptop I'll try to get some sniffer traces, but debug on the firewalls is not revealing anything.

Stay tuned.

UPDATE: My problem is either Windows 7 or IE8; I hooked up a Vista machine with IE7 and everything worked right away. I will post an update when I can isolate more.

As a note; I was able (with Win7) to access our Windows server website (OWA) over the tunnel, but nothing else on the same LAN segment.

