Excuse me; I am not good in English, but I would like to post our problem in this forum.
I am new to the Cisco ASA.
We have installed an ASA 5510 with 3 interfaces: dmz (web server 172.20.0.59; application server 172.20.0.58; mail server 172.20.0.157), inside (LAN) and outside (connected to a router for the Internet connection).
The problem is that the Internet connection is slow on the inside (LAN).
Our DNS is on the outside with IP address x.x.x.60 (the DNS has translated addresses to inside and dmz: 172.20.0.60). The router connected to our IPS has x.x.x.33 (our default gateway for the Internet). There is a simple switch between the firewall and the router. The inside interface of the ASA is connected to a Cisco Catalyst 6509 (the gigabit interface of the 6509 is configured for auto speed and duplex). The ASA has a base license.
Here is the configuration of the ASA and the output of the commands show interfaces (inside, outside), show asp drop, show perform.
firewall# show run
ASA Version 8.2(1)
enable password dgft12ghkHKM123Z encrypted
passwd dgft12ghkHKM123Z encrypted
ip address 172.16.0.1 255.255.255.0
ip address X.X.X.35 255.255.255.224
ip address 172.20.0.1 255.255.255.0
no ip address
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list aclin extended permit icmp any any
access-list aclin extended permit tcp any host X.X.X.59 eq www
access-list aclin extended permit tcp any host X.X.X.59 eq https
access-list aclin extended permit tcp any host X.X.X.58 eq 8080
access-list aclin extended permit tcp any host X.X.X.57 eq smtp
access-list aclin extended permit tcp any host X.X.X.57 eq www
access-list aclin extended permit tcp any host X.X.X.57 eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 3 x.x.x.36
global (outside) 1 x.x.x.37
global (outside) 2 interface
nat (inside) 2 172.19.0 255.255.0.0
nat (inside) 3 172.18.0.0 255.255.0.0
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 3 172.17.0.0 255.255.0.0
static (dmz,outside) x.x.x.59 172.20.0.59 netmask 255.255.255.255 dns
static (dmz,outside) x.x.x.58 172.20.0.58 netmask 255.255.255.255 dns
static (dmz,outside) x.x.x.58 172.20.0.57 netmask 255.255.255.255 dns
static (outside,inside) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns
static (outside,dmz) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns
First of all here is a good explanation of what is happening here:
Description: The number of times the receiver hardware was unable to hand received data to a hardware buffer.
Common Cause: The input rate of traffic exceeded the ability of the receiver to handle the data.
Description: The number of times that the transmitter has been running faster than the switch can handle.
Common Causes: This can occur in a high throughput situation where an interface is hit with a high volume of bursty traffic from many other interfaces all at once. Interface resets can occur along with the underruns.
So the problem is behind the inside interface; as you can see, from the DMZ you do not have the same issues. I would start by hardcoding the duplex and speed on the ASA and the internal switch. Try that and let us know.
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
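Added example, not part of the original thread: a small Python check that reads ASA `show interface` output and reports which interfaces show the overrun and underrun counters described in the reply. The sample text is constructed (the poster's real counters are not on this page), and the 0.1% threshold and the late-collision/half-duplex hint are assumptions of this example that go slightly beyond the reply.

```python
import re

# Constructed sample in the layout of ASA "show interface" output; not the poster's data.
SAMPLE = """\
Interface Ethernet0/1 "inside", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        5000000 packets input, 3100000000 bytes, 0 no buffer
        41200 input errors, 1200 CRC, 0 frame, 40000 overrun, 0 ignored, 0 abort
        4200000 packets output, 2900000000 bytes, 35000 underruns
        310 late collisions, 0 deferred
Interface Ethernet0/2 "dmz", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        900000 packets input, 610000000 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        870000 packets output, 580000000 bytes, 0 underruns
        0 late collisions, 0 deferred
"""

HEADER = re.compile(r'^Interface (\S+) "([^"]*)"', re.M)
COUNTER = re.compile(r'(\d+) (packets input|packets output|overrun|underruns|late collisions)')
DUPLEX = re.compile(r'(\w+)-Duplex\((\w+)-duplex\)')  # configured setting, negotiated result

def parse(text):
    """Split the output per interface and extract the counters of interest."""
    result = {}
    parts = HEADER.split(text)[1:]  # [hw name, nameif, body, hw name, nameif, body, ...]
    for _hw, nameif, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        stats = {name: int(num) for num, name in COUNTER.findall(body)}
        m = DUPLEX.search(body)
        stats["configured"], stats["duplex"] = m.groups() if m else ("?", "?")
        result[nameif] = stats
    return result

def findings(stats, threshold=0.001):
    """List the symptoms present; threshold is errors per packet (assumed value)."""
    out = []
    rx, tx = stats.get("packets input", 0), stats.get("packets output", 0)
    if rx and stats.get("overrun", 0) / rx > threshold:
        out.append("overruns")
    if tx and stats.get("underruns", 0) / tx > threshold:
        out.append("underruns")
    # Late collisions or a link negotiated to half duplex hint at a duplex mismatch.
    if stats.get("late collisions", 0) or stats["duplex"] == "Half":
        out.append("possible duplex mismatch")
    return out

if __name__ == "__main__":
    for nameif, stats in parse(SAMPLE).items():
        print(nameif, stats["configured"], stats["duplex"], findings(stats) or "clean")
```

Running it against output captured before and after hardcoding speed and duplex on both ends shows whether the counters stop increasing.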