DMZ Slowness in ASA firewall

wasiimcisco · ‎02-14-2010

I have few servers connected in DMZ zone of my ASA Firewall. Earlier in the old setup there was no slowness. I did migration and upgrade switches to Cisco C3560-IPBASE-M.

After this activity the users are started complaining in access the Oracle servers and SQL servers.

SQL Server is located in inside (192.168.200.56

Appliacation Server is located in DMZ (172.16..11.126).

interface GigabitEthernet0/3.1
mac-address 000c.f342.4abc standby 020c.f342.4abc
nameif serverdmz
security-level 90
ip address 172.16.11.1 255.255.255.0 standby 172.16.11.5

name 192.168.200.56 ENOCSQLCLUS

name 172.16.11.126 ENOCWEBS3

name 172.16.11.30 dmzsqlclus

static (inside,serverdmz) dmzsqlclus ENOCSQLCLUS netmask 255.255.255.255

access-list acl-serverdmz extended permit ip host ENOCWEBS3 any

access-list acl-serverdmz extended permit ip host 172.16.11.101 host dmzsqlclus
access-list acl-serverdmz extended permit ip host Enocwebs2 host dmzsqlclus

global (serverdmz) 1 172.16.11.254
global (serverdmz) 3 interface

access-list aclnat_cards extended permit ip any 172.16.21.0 255.255.255.0
access-list aclnat_serverdmz extended permit ip any 172.16.11.0 255.255.255.0
nat-control
nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 1 172.16.11.0 255.255.255.0

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect ftp
class class-default
set connection decrement-ttl

Everything is fine, ping telnet, mstsc but only when Query the data it got stuck. It is taking too much time. There is bad slowness in this communication.

Please let me know what is wrong. The switches are connected with each over Trunk.

SERVERDMZSW01#sh run
SERVERDMZSW01#sh running-config inter
SERVERDMZSW01#sh running-config interface gi
SERVERDMZSW01#sh running-config interface gigabitEthernet 0/1
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0/1
description Connected to *******DC-FIREWAL-01*******
switchport trunk encapsulation dot1q
switchport mode trunk
end

SERVERDMZSW01#sh run
SERVERDMZSW01#sh running-config inter
SERVERDMZSW01#sh running-config interface gi
SERVERDMZSW01#sh running-config interface gigabitEthernet 0/46
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/46
description ***** UPLINK TO DC-DMZ-SW01-0/46 (172.16.11.102) *****
switchport trunk encapsulation dot1q
switchport mode trunk
end

SERVERDMZSW01#sh running-config interface gigabitEthernet 0/47
Building configuration...

Current configuration : 37 bytes
!
interface GigabitEthernet0/47
end

SERVERDMZSW01#sh running-config interface gigabitEthernet 0/48
Building configuration...

Current configuration : 172 bytes
!
interface GigabitEthernet0/48
description ***** UPLINK TO DC-DMZ-PABX-SW02-0/48 (172.16.11.101) *****
switchport trunk encapsulation dot1q
switchport mode trunk
end

Same trunk configuration is there on Switch 2 and Switch 3. Servers are connected to Switch 3.

Please help me out why the network is slow in DMZ segment.

wasiimcisco · ‎02-15-2010

Hi,

Can anybody help me out.

Panos Kampanakis · ‎02-15-2010

Since the server is being translated through the ASA, have you tried enabled sqlnet inspection?

PK