ASA 5520

ThaerJamous
Level 1

I may have a problem with my ASA firewall. I configured the NAT, the access lists and all the other configuration needed to secure my network, but sometimes the Internet connection is lost from the inside, or when an Internet user needs to browse the DMZ website there is a delay before the page appears.

My configuration is shown in the attached file. Can anyone help me determine whether the configuration causes this problem or whether the problem is with the network servers?

names
name 82.213.56.195 Webmailext
name 172.16.1.2 webmailint
name 82.213.56.197 webhrExt
name 172.16.1.3 webhrIn
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 82.213.56.194 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server webmailint
dns name-server 217.66.226.8
dns name-server 192.168.1.15
object-group service VPNInUDP udp
 port-object eq 5500
 port-object eq isakmp
 port-object eq 1701
object-group service msSQL udp
 description MS-SQL Server
 port-object eq www
 port-object range 1433 1434
 port-object range 150 150
 port-object range 1215 1215
 port-object range 118 118
! in-out is applied inbound on the outside interface; the 'permit ip any any'
! and 'permit tcp any any' entries match first, so every ACE after them is
! never evaluated and all ports on the static-mapped DMZ hosts are reachable
access-list in-out extended permit icmp any any
access-list in-out extended permit ip any any
access-list in-out extended permit tcp any any
access-list in-out extended permit tcp any host webhrExt eq www
access-list in-out extended permit tcp any host webhrExt eq pptp
access-list in-out extended permit tcp any host webhrExt eq sqlnet
access-list in-out extended permit tcp any host Webmailext eq pop3
access-list in-out extended permit tcp any host Webmailext eq imap4
access-list in-out extended permit tcp any host Webmailext eq smtp
access-list in-out extended permit tcp any host Webmailext eq www
access-list in-out extended permit tcp any host Webmailext eq https
access-list in-out extended permit udp any host webhrExt object-group VPNInUDP
access-list in-out extended permit udp any host webhrExt object-group msSQL
access-list in-out extended permit tcp any host Webmailext eq telnet
! dmz-in is applied inbound on the DMZ interface; with 'permit ip any any'
! and the identity static (inside,DMZ) below, DMZ hosts can initiate
! connections to any inside host
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit tcp any any
access-list dmz-in extended permit udp any any
access-list dmz-in extended permit gre any any
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! only the webmail static carries the 'dns' keyword (DNS reply rewriting)
static (DMZ,outside) Webmailext webmailint netmask 255.255.255.255 dns
static (DMZ,outside) webhrExt webhrIn netmask 255.255.255.255
access-group in-out in interface outside
access-group dmz-in in interface DMZ
route outside 0.0.0.0 0.0.0.0 82.213.56.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! cleartext telnet management is enabled from inside; no 'ssh <net> <if>'
! line exists, so SSH access is not permitted
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
! 'exit' and 'typ' are empty policy-maps; neither is applied anywhere
policy-map exit
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns maximum-length 512
policy-map typ
!
service-policy global_policy global
Cryptochecksum:9d222cc1013df87cb2fb85c426b97593
: end
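The access lists in the posted configuration permit `ip any any` inbound on both the outside and the DMZ interface, so the service-specific entries that follow are never evaluated, every port on the two static-mapped DMZ hosts is reachable from the Internet, and DMZ hosts can open connections into 192.168.1.0/24. The block below is an added example, not part of the original post, of how the same policy could be written so that only the published services are exposed. It reuses the post's names and interfaces, assumes the TCP services already listed for each host are the only ones that must be public (telnet, sqlnet and the two UDP groups are deliberately left out, and PPTP is kept only as an illustration of the GRE it needs), uses new ACL names so the swap is a single `access-group` change, and treats the SSH lines at the end as an assumption about how management should be done.

```cisco
! Added example, not from the original post. Same names/interfaces as the
! post; the service list is an assumption about what must be public.

! --- outside -> DMZ: only the published services on the two statics ---
access-list outside-in extended permit tcp any host Webmailext eq smtp
access-list outside-in extended permit tcp any host Webmailext eq pop3
access-list outside-in extended permit tcp any host Webmailext eq imap4
access-list outside-in extended permit tcp any host Webmailext eq www
access-list outside-in extended permit tcp any host Webmailext eq https
access-list outside-in extended permit tcp any host webhrExt eq www
! PPTP is TCP 1723 plus GRE; keep both lines only if webhrIn really
! terminates PPTP for Internet clients, otherwise remove both
access-list outside-in extended permit tcp any host webhrExt eq pptp
access-list outside-in extended permit gre any host webhrExt
! Dropped on purpose (assumption: no Internet client needs them):
!   telnet to Webmailext, sqlnet to webhrExt, the msSQL and VPNInUDP UDP groups
! Explicit final deny so that blocked connections show up in the log
access-list outside-in extended deny ip any any log

! --- DMZ -> inside/outside: answer anything, reach the Internet, never
!     initiate into the inside network ---
! If webmailint (also used as a DNS server) must query the inside DNS host
! 192.168.1.15, add that single line before the deny, for example:
!   access-list dmz-out extended permit udp host webmailint host 192.168.1.15 eq domain
access-list dmz-out extended deny ip any 192.168.1.0 255.255.255.0 log
access-list dmz-out extended permit tcp 172.16.1.0 255.255.255.0 any
access-list dmz-out extended permit udp 172.16.1.0 255.255.255.0 any
access-list dmz-out extended permit icmp 172.16.1.0 255.255.255.0 any
access-list dmz-out extended deny ip any any log

! --- swap the bindings (each access-group line replaces the old one) ---
access-group outside-in in interface outside
access-group dmz-out in interface DMZ
! once the new ACLs are confirmed working, remove the old ones
clear configure access-list in-out
clear configure access-list dmz-in

! --- management (assumption: an RSA key is generated first) ---
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
no telnet 192.168.1.0 255.255.255.0 inside
```

Because the ASA is stateful, the DMZ hosts still receive and answer the connections allowed by `outside-in` and by inside clients; `dmz-out` only governs what the DMZ hosts may start. Building the new ACLs under new names first, and changing `access-group` afterwards, avoids the window in which an ACL that is bound but being rebuilt denies everything.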

1 Reply

susreeni
Cisco Employee

Thaer,

In order to determine whether the problem we're facing is with the servers not responding as they should, or with the ASA introducing latency, please arrange for Wireshark captures to be taken on the server that is hosting the page.

The captures should give us a better picture.

Also, these captures, when analysed alongside captures taken from the ASA, will be helpful in isolating the issue.

Please use the link below to understand the procedure behind running packet-captures on an ASA:

- http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Sundar
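As an added example of the ASA-side captures Sundar refers to (this is not part of his reply or of the linked document): two captures bound to one access-list, taken on the inside and DMZ interfaces for a single test client, so that the ASA's timestamps for a slow page load can be lined up with the Wireshark capture on the web server. It uses the post's names, the ASA 7.0 form of `capture` (bound to an access-list rather than an inline `match`), and two placeholders that are assumptions: the test client 192.168.1.50 and a TFTP server at 192.168.1.20. Both the public and the real address of the webmail host are matched, because an inside client may connect to either depending on which name it resolves.

```cisco
! Added example, not from Sundar's reply. Placeholders (assumptions):
!   192.168.1.50 = the inside client used to reproduce the slow page load
!   192.168.1.20 = a TFTP server that will receive the pcap files
! Match the client talking to the webmail host by real or public address,
! in both directions, so reply timing is captured too
access-list cap-web extended permit tcp host 192.168.1.50 host webmailint eq www
access-list cap-web extended permit tcp host webmailint eq www host 192.168.1.50
access-list cap-web extended permit tcp host 192.168.1.50 host Webmailext eq www
access-list cap-web extended permit tcp host Webmailext eq www host 192.168.1.50
! One capture per interface, larger buffer than the default so a full
! page load fits
capture capin access-list cap-web interface inside buffer 1000000
capture capdmz access-list cap-web interface DMZ buffer 1000000
! Reproduce the problem from 192.168.1.50, then inspect the timing on-box:
show capture capin
show capture capdmz
! Export both captures as pcap for Wireshark
copy /pcap capture:capin tftp://192.168.1.20/capin.pcap
copy /pcap capture:capdmz tftp://192.168.1.20/capdmz.pcap
! Remove the captures and the helper ACL when done
no capture capin
no capture capdmz
clear configure access-list cap-web
```

Comparing the inside capture (request leaves the client), the DMZ capture (request is delivered to the server) and the server's own Wireshark trace shows where the delay sits: between the two ASA interfaces, or between the DMZ interface and the server's response. The helper access-list is only referenced by the captures, not by any `access-group`, so it does not change what the firewall permits.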
