ASA 5510 as Default-Gateway

Unanswered Question
May 19th, 2010

Hi,


My network has 1,600 computers and the ASA 5510 is the default gateway. The ASA performs NAT, routing, firewalling and VLANs. Altogether I have about 20 VLANs.

My question is about the ASA 5510. Is this ASA 5510 recommended for all these tasks in my network?


I'm not a security analyst, I'm a network administrator, and the security people say that the firewall is recommended. But the firewall is always at 80% CPU.


I'm very worried about my network, and at this moment my network is slow.


When I test a computer that is in the same VLAN, I don't have slowness; network access and file transfer are fast. It is different for the other accesses, which use the firewall infrastructure.

I think the firewall is not recommended, or there is a wrong setting.


Domain authentication, access to the file server and all tasks go through the firewall.


Today the firewall has IOS --> 8.2.2


Thanks


Daniel Barbosa

Sao Paulo, Brazil.

Scott Conklin Wed, 05/19/2010 - 08:26

It sounds like your ASA is doing too much. I think the addition of an internal Layer 3 switch to handle the inter-VLAN routing would help things by a large margin. It may be the best solution to your current issues. Let the Layer 3 switch act as a core switch/routing device, connect it to the internal network (your existing switches) and connect the other end to the ASA, reducing the workload on the ASA.

Marcin Latosiewicz Wed, 05/19/2010 - 08:35

Adding to Scott's comments:

"show interface | i over"


This checks whether you're sending too much traffic for the ASA to handle: overruns indicate the ASA's hardware buffers running low and dropping frames.

If the values are non-zero and increasing, you're most likely sending too much traffic for the ASA to handle.

"show service-policy"

This will tell you which inspection engines are working. They are the biggest contributors to CPU utilization (apart from dispatch_unit, which is the process used to poll interfaces; very often dispatch_unit will cause high CPU, indicating oversubscription).
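As an added example (not code from the thread), the Python script below applies Marcin's two checks to saved CLI output. It takes two snapshots of the full `show interface` output (rather than the `| i over` filter, so the interface names are kept), flags interfaces whose overrun counter is non-zero and growing between the snapshots, and lists the inspection engines from `show service-policy` sorted by packet count. The sample output embedded in the script is constructed to illustrate the line layouts and is not captured from the poster's firewall; the regular expressions assume the ASA 8.x formats shown in those samples.

```python
"""Apply the overrun and inspection-engine checks to saved ASA CLI output.

Example code, not from the thread.  Capture `show interface` twice, a minute
or so apart, plus one `show service-policy`; the strings below are constructed
samples in the ASA 8.x layout (an assumption, adjust the regexes if your
release prints the counters differently).
"""
import re

# Interface Ethernet0/1 "inside", is up, line protocol is up
IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)", is \w+, line protocol is \w+')
# 0 input errors, 0 CRC, 0 frame, 4120 overrun, 0 ignored, 0 abort
ERR_RE = re.compile(r'(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun')
# Inspect: dns preset_dns_map, packet 1234, drop 0, reset-drop 0
INSPECT_RE = re.compile(r'Inspect: ([a-z0-9-]+)[^,]*, packet (\d+), drop (\d+)')

# Constructed sample data (first snapshot).
SHOW_INTERFACE_BEFORE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface Ethernet0/1 "inside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 4120 overrun, 0 ignored, 0 abort
"""

# Constructed sample data (second snapshot, taken a little later).
SHOW_INTERFACE_AFTER = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface Ethernet0/1 "inside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 5893 overrun, 0 ignored, 0 abort
"""

# Constructed sample of `show service-policy`.
SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1234, drop 0, reset-drop 0
      Inspect: ftp, packet 567, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 89012, drop 3, reset-drop 0
"""


def parse_overruns(show_interface_text):
    """Map each interface name to its overrun counter."""
    counts = {}
    current = None
    for line in show_interface_text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            current = m.group(1)      # e.g. Ethernet0/1
            continue
        m = ERR_RE.search(line)
        if m and current is not None:
            counts[current] = int(m.group(4))
    return counts


def increasing_overruns(before, after):
    """Interfaces whose overruns are non-zero and grew between the snapshots,
    mapped to the increase.  A static non-zero value is an old event; a growing
    one means frames are being dropped right now."""
    return {name: new - before.get(name, 0)
            for name, new in after.items()
            if new > 0 and new > before.get(name, 0)}


def parse_inspections(show_service_policy_text):
    """(engine, packets, drops) for every inspection engine, busiest first."""
    found = [(m.group(1), int(m.group(2)), int(m.group(3)))
             for m in INSPECT_RE.finditer(show_service_policy_text)]
    return sorted(found, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    grew = increasing_overruns(parse_overruns(SHOW_INTERFACE_BEFORE),
                               parse_overruns(SHOW_INTERFACE_AFTER))
    for name, delta in grew.items():
        print(f"{name}: overruns rose by {delta} between samples -> oversubscribed")
    for engine, packets, drops in parse_inspections(SHOW_SERVICE_POLICY):
        print(f"inspect {engine:<6} packets={packets:<8} drops={drops}")
```

The two-snapshot comparison matters more than the raw number: an old, static overrun count only says the box was busy at some point, while a count that climbs between two readings taken minutes apart is the live oversubscription Marcin describes. The inspection list is a starting point for deciding which engines are doing real work on this network and which could be removed from the global policy.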

Daniel Martins ... Wed, 05/19/2010 - 09:10

You all are correct, I think the ASA is loaded.

But if the ASA is doing firewall, routing, NAT and "server" for the VLANs, and the core network is growing every day, it cannot be my internal infrastructure. OK?

One detail... The uplink of all of my infrastructure is fiber; it is not like leaving a slow LAN, even with VoIP traffic, which is my case.

Another point is that we have problems logging syslog traffic from the 1,600 machines; with this machine it grows to about 5 gigabytes or more. However, this may be the traffic that passes through and a misconfiguration. Am I wrong?

And... Is there any sniffer to help me? Is there anything I can do to prove that the ASA is "full"? Remember that I do not have access to the firewall!
