03-13-2014 07:41 PM - edited 03-11-2019 08:56 PM
I received a new modem today to upgrade my speeds with my ISP. The modem is a Hitron CGNDM. Once I had this new modem plugged in, I had the ISP put the modem in bridge mode, disabling the NATing/any fancy functionality, and performed a speed test. I was then receiving 25 Mbps down and 20 Mbps up. With my older modem I was receiving 90 Mbps down and 10 Mbps up. The plan I subscribe to was 150/10 and should now be 250/20.
Summary:
Previous Setup: Same ASA connected via same interface (same cable) to old modem with 150/10 plan received 90/10 on average
New Setup: Same ASA connected via same interface (same cable) to new modem with 250/20 plan receives 25/20 on average
Now here's where it gets interesting:
If I plug my laptop directly into the modem, I get the old (expected) download rate (90) with my new upload (20), meaning it works flawlessly, but I only receive 90 down due to oversubscription. If I statically configure an IP on my laptop network card and plug directly into the inside interface of the ASA, I receive 25/20, meaning it is 100% the ASA causing the issue.
I have tried changing both manual and auto configurations of the duplex and speeds on the outside interface of the ASA with no luck. I've also attempted to change the MTU value of the outside interface but it does not seem to make a difference.
Here is my ASA configuration:
ASA Version 8.2(1)
!
hostname FW
domain-name default.domain.invalid
enable password x encrypted
passwd x encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan101
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service portforward tcp-udp
 port-object eq 1720
 port-object eq www
 port-object eq 443
 port-object eq 59835
 port-object eq 3074
 port-object eq domain
 port-object eq 88
 port-object eq 1119
 port-object range 6881 6999
 port-object eq 64738
 port-object eq 21025
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip any 10.0.0.0 255.255.255.0
access-list split standard permit 10.10.10.0 255.255.255.0
access-list portforward extended permit tcp any any object-group portforward
access-list portforward extended permit udp any any object-group portforward
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1492
mtu inside 1500
ip local pool SSLClientPool 10.0.0.10-10.0.0.20 mask 255.255.255.0
ip local pool SSLClientPool2 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface h323 10.10.10.8 h323 netmask 255.255.255.255
static (inside,outside) tcp interface 59835 10.10.10.2 59835 netmask 255.255.255.255
static (inside,outside) tcp interface 3074 10.10.10.12 3074 netmask 255.255.255.255
static (inside,outside) tcp interface 88 10.10.10.12 88 netmask 255.255.255.255
static (inside,outside) udp interface 3074 10.10.10.12 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 10.10.10.12 88 netmask 255.255.255.255
static (inside,outside) udp interface domain 10.10.10.12 domain netmask 255.255.255.255
static (inside,outside) tcp interface domain 10.10.10.12 domain netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.10.12 www netmask 255.255.255.255
static (inside,outside) tcp interface 64738 10.10.10.108 64738 netmask 255.255.255.255
static (inside,outside) udp interface 64738 10.10.10.108 64738 netmask 255.255.255.255
static (inside,outside) tcp interface 21025 10.10.10.8 21025 netmask 255.255.255.255
access-group portforward in interface outside
route inside 10.10.10.0 255.255.255.0 10.0.0.1 1
route inside 20.20.20.0 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.10.10.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.city17.com
 subject-name CN=sslvpn.city17.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate d01f664a
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value tsweb.local
 address-pools value SSLClientPool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
07-23-2014 12:30 PM
I am having the exact same problem - did you find a solution?
09-21-2014 01:28 PM
I have the same problem
10-12-2014 11:09 PM
This is what worked for me.
Get a small Gig Switch and connect the ASA to the switch. The modem looks for a Gig Interface, so connect the modem to the switch.
Modem ----- Gig Switch ----- ASA