ASA 5510 as Default-Gateway

Daniel Barbosa
Level 1

Hi,


My network has 1,600 computers and an ASA 5510 is the default gateway. The ASA performs NAT, routing, firewall and VLANs. Altogether I have about 20 VLANs.

My question is about the ASA 5510. Is this ASA 5510 recommended for all tasks in my network?

I'm not a security analyst, I'm a network administrator, and the security people say that the firewall is recommended. But the firewall is always at 80% CPU.

I'm very worried about my network, and at this moment my network is slow.

When I test with a computer that is in the same VLAN, I don't have slowness; network access and file transfer are fast. It is different for the other access that goes through the firewall.

I think the firewall is not recommended, or there is a wrong setting.

Domain authentication, access to the file server and all tasks go through the firewall.

Today the firewall has IOS --> 8.2.2


Thanks


Daniel Barbosa

Sao Paulo, Brazil.

3 Replies

Scott Conklin
Level 1

It sounds like your ASA is doing too much. I think the addition of an internal Layer 3 switch to handle the inter-VLAN routing would help things by a large margin. It may be the best solution to your current issues. Let the Layer 3 switch act as a core switch/routing device, connect it to your existing internal switches and connect the other end to the ASA, reducing the workload on the ASA.

Adding to Scott's comments:

"show interface | i over"

To check if you're sending too much traffic for the ASA to handle: overruns indicate the ASA's hardware buffers running low and dropping frames.

If the values are non-zero and increasing, you're most likely sending too much traffic for the ASA to handle.

"show service-policy"

Will tell you which inspection engines are working. They are the fastest contributors to CPU utilization (apart from dispatch_unit, which is the process used to poll interfaces; very often dispatch_unit will cause high CPU, indicating oversubscription).
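The overrun check described in the reply above compares two samples of "show interface" and flags interfaces whose overrun counter is non-zero and still climbing. This is an added example, not code from the thread or from Cisco; the two snapshots are constructed text modelled on ASA output, with made-up interface names and counter values.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the shape of ASA "show interface" output (values are made up).
# SAMPLE_T0 is taken first, SAMPLE_T1 a few minutes later.
SAMPLE_T0 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 1520 overrun, 0 ignored, 0 abort
"""
SAMPLE_T1 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 2310 overrun, 0 ignored, 0 abort
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')   # port and nameif
OVERRUN_RE = re.compile(r'(\d+) overrun')              # counter on the error line


def parse_overruns(output: str) -> Dict[str, int]:
    """Map each interface (nameif, or port if unnamed) to its overrun counter."""
    counters: Dict[str, int] = {}
    current = None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            continue
        m = OVERRUN_RE.search(line)
        if m and current is not None:
            counters[current] = int(m.group(1))
    return counters


def rising_overruns(before: str, after: str) -> List[Tuple[str, int, int]]:
    """Interfaces whose overrun counter is non-zero and grew between the samples."""
    b, a = parse_overruns(before), parse_overruns(after)
    return [(name, b.get(name, 0), count)
            for name, count in a.items()
            if count > 0 and count > b.get(name, 0)]


if __name__ == "__main__":
    for name, old, new in rising_overruns(SAMPLE_T0, SAMPLE_T1):
        print(f"{name}: overruns {old} -> {new} (+{new - old}); buffers dropping frames")
```

An interface that appears in the result is receiving more than its receive buffers can absorb; a stable non-zero counter is old history and not evidence of a current problem.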

Daniel Barbosa
Level 1

You are all correct, I think the ASA is overloaded.

But if the ASA is doing firewall, routing, NAT and acting as "server" for the VLANs, and the core network is growing every day, it cannot be my internal infrastructure. OK?

One detail... all the uplinks in my infrastructure are fiber, so it is not like a slow LAN, even with a lot of VoIP traffic, which is my case.

Another point is that we have problems logging syslog traffic from the 1,600 computers with this machine; it grows to about 5 gigabytes or more. However, this may be the traffic that passes through it and a misconfiguration. Am I wrong?

And... is there any sniffer to help me? Is there anything I can do to prove that the ASA is "full"? Remember that I do not have access to the firewall!
