ASA 5505 Speed Issue - Help Requested if possible

Similar Messages

• ASA 5505 Best Practice Guidance Requested

  I am hoping to tap into the vast wealth of knowledge on this board in order to gain some "best practice" guidance to assist me with the overall setup using the ASA 5505 for a small business client.  I'm fairly new to the ASA 5505 so any help would be most appreciated!
  My current client configuration is as follows:
  a) business internet service (cable) with a fixed IP address
  b) a Netgear N600 Wireless Dual Band router (currently setup as gateway and used for internet/WiFi access)
  c) a Cisco SG-500-28 switch
  d) one server running Windows Small Business Server 2011 Standard (primary Domain Controller)
       (This server is currently the DNS and DHCP server)
  e) one server running Windows Server 2008 R2 (secondary Domain Controller)
  f) approximately eight Windows 7 clients (connected via SG-500-28 switch)
  g) approximately six printers connected via internal network (connected via SG-500-28 switch)
  All the servers, clients, and printers are connected to the SG-500-28 switch.
  The ISP provides the cable modem for the internet service.
  The physical cable for internet is connected to the cable modem.
  From the cable modem, a CAT 6 ethernet cable is connected to the internet (WAN) port of the Netgear N600 router.
  A Cat 6 ethernet cable is connected from Port 1 of the local ethernet (LAN) port on the N600 router to the SG-500-28 switch.
  cable modem -> WAN router port
  LAN router port -> SG-500-28
  The ASA 5505 will be setup with an "LAN" (inside) interface and a "WAN" (outside) interface.  Port e0/0 on the ASA 5505 will be used for the outside interface and the remaining ports will be used for the inside interface.
  So my basic question is, given the information above of our setup, where should the ASA 5505 be "inserted" to maximize its performance?  Also, based on the answer to the previous question, can you provide some insight as to how the ethernet cables should be connected to achieve this?
  Another concern I have is what device will be used as the default gateway.  Currently, the Netgear N600 is set as the default gateway on both Windows servers.  In your recommended best practice solution, does the ASA 5505 become the default gateway or does the router remain the default gateway?
  And my final area of concern is with DHCP.  As I stated earlier, I am running DHCP on Windows Small Business Server 2011 Standard.  Most of the examples I have studied for the ASA 5505 utilize its DHCP functionality.  I also have done some research on the "dhcprelay server" command.  So I'm not quite sure which is the best way to go. First off, does the "dhcprelay server" even work with SBS 2011?  And secondly, if it does work, is the best practice to use the "dhcprelay" command or to let the ASA 5505 perform the DHCP server role?
  All input/guidance/suggestions with these issues would be greatly appreciated!  I want to implement the ASA 5505 firewall solution following "best practices" recommendations in order to maximize its functionality and minimize the time to implement.
  FYI, the information (from the "show version" command) for the ASA 5505 is shown below:
  Cisco Adaptive Security Appliance Software Version 8.4(7)
  Device Manager Version 7.1(5)100
  Compiled on Fri 30-Aug-13 19:48 by builders
  System image file is "disk0:/asa847-k8.bin"
  Config file at boot was "startup-config"
  ciscoasa up 2 days 9 hours
  Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  Internal ATA Compact Flash, 128MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                               Number of accelerators: 1
  0: Int: Internal-Data0/0    : address is a493.4c99.8c0b, irq 11
  1: Ext: Ethernet0/0         : address is a493.4c99.8c03, irq 255
  2: Ext: Ethernet0/1         : address is a493.4c99.8c04, irq 255
  3: Ext: Ethernet0/2         : address is a493.4c99.8c05, irq 255
  4: Ext: Ethernet0/3         : address is a493.4c99.8c06, irq 255
  5: Ext: Ethernet0/4         : address is a493.4c99.8c07, irq 255
  6: Ext: Ethernet0/5         : address is a493.4c99.8c08, irq 255
  7: Ext: Ethernet0/6         : address is a493.4c99.8c09, irq 255
  8: Ext: Ethernet0/7         : address is a493.4c99.8c0a, irq 255
  9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
  10: Int: Not used            : irq 255
  11: Int: Not used            : irq 255
  Licensed features for this platform:
  Maximum Physical Interfaces       : 8              perpetual
  VLANs                             : 3              DMZ Restricted
  Dual ISPs                         : Disabled       perpetual
  VLAN Trunk Ports                  : 0              perpetual
  Inside Hosts                      : 10             perpetual
  Failover                          : Disabled       perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 10             perpetual
  Total VPN Peers                   : 12             perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has a Base license.

  Hey Jon,
  Again, many thanks for the info!
  I guess I left that minor detail out concerning the Guest network.  I have a second Netgear router that I am using for Guest netowrk access.  It is plugged in to one of the LAN network ports on the first Netgear router.
  The second Netgear (Guest) router is setup on a different subnet and I am letting the router hand out IP addresses using DHCP.
  Basic setup is the 192.168.1.x is the internal network and 192.168.11.x is the Guest network.  As far as the SBS 2011 server, it knows nothing about the Guest network in terms of the DHCP addresses it hands out.
  Your assumption about the Guest network is correct, I only want to allow guest access to the internet and no access to anything internal.  I like your idea of using the restricted DMZ feature of the ASA for the Guest network.  (I don't know how to do it, but I like it!)  Perhaps you could share more of your knowledge on this?
  One final thing, the (internal) Netgear router setup does provide the option for a separate Guest network, however it all hinges on the router being the DHCP server.  This is what led me to the second (Guest) Netgear router because I wanted the (internal) Netgear router NOT to use DHCP.  Instead I wanted SBS 2011 to be the DHCP server.  That's what led to the idea of a second (Guest) router with DHCP enabled.
  The other factor in all this is SBS 2011.  Not sure what experience you've had with the Small Business Server OS's but they tend to get a little wonky if some of the server roles are disabled.  For instance, this is a small busines with a total of about 20 devices including servers, workstations and printers.  Early on I thought, "nah, I don't need this IPv6 stuff," so I found an article on how to disable it and did so.  The server performance almost immediately took a nose dive.  Rebooting the server went from a 5 minute process to a 20 minute process.  And this was after I followed the steps of an MSDN article on disabling IPv6 on SBS 2011!  Well, long story short, I enabled IPv6 again and the two preceeding issues cleared right up.  So, since SBS 2011 by "default" wants DHCP setup I want to try my best to accomodate it.  So, again, your opinion/experiece related to this is a tremendous help!
  Thanks!

• ASA 5505 VPN Issue

  We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to setup an ASA 5505 as a rmote firewall as a future replacement for the PIX 506's. I am able to get the site to site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote Ipsec rules prtect the outside interface to headend LAN just like I do on the 506's. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.

  Thanks for your reply. This is already set allong with the following.
  icmp permit any inside
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
  When I do an inspect on the ping packets from the remote LAN I get an interesting result.
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (ipsec-spoof) IPSEC Spoof detected

• Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

  I have having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
  I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads????  Anyone else seeing these problems?   If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
  I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using and inside and outside address for these tests, no other ports configured.
  Is anyone else seeing this performance problem with the 9.2.3 code?  I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
  My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached. 
  Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

  After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
  I get much better results using the Cisco 3750X attached to the FIOS  (right around 300/300 with my laptop directly attached to the 3750x bypassing the ASA - my FIOS circuit rating is also 300/300).  Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My uploads speeds are ALWAYS faster then my download speeds.  Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
  I may have to live with it but the inconsistency is what really bothers me.
  Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC does to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
  Anything obviously  missing - new command or anything?   Xlates causing issues?

• Cisco ASA 5505 Configurations. Help... Beyond Frustrated

  Hello All,
  I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
  I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
  hostname AMDASA
  domain-name asa.(mydomain).com
  enable password (encrypted)
  passwd (encrypted)
  interface Ethernet0/0
  description TWCoutside
  switchport access vlan 2
  no shutdown
  write mem
  exit
  interface Ethernet0/1
  description Port1inside
  switchport access vlan 1
  no shutdown
  write mem
  exit
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.250 255.255.255.0
  write mem
  exit
  interface Vlan2
  nameif outside
  security-level 0
  ip address 24.39.245.36 255.255.255.240
  write mem
  exit
  object-group icmp-type DefaultICMP
  description Default ICMP Types permitted
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
  write mem
  exit
  ftp mode passive
  write mem
  clock timezone EST -5
  clock summer-time EDT recurring
  write mem
  exit
  dns server-group DefaultDNS
  domain-name asa.adcmotors.com
  write mem
  exit
  access-list acl_outside extended permit icmp any any object-group DefaultICMP
  access-group acl_outside in interface outside
  access-list acl_inside extended permit icmp any any object-group DefaultICMP
  access-group acl_inside in interface inside
  write mem
  exit
  write mem
  That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

  Hi our desperate friend .
  First I would suggest to use the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler and for the SSL VPN you would need to install the client on the ASA and purchase additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you dont have it or dont have access to download it from cisco.com go to the person from which you purchased your ASA and ask him how to get it.
  That said, I also think that your ASA lacks of some basic configuration as of now.  If you are planning to use this in replacement for your current PIX. You would need to configure a default route and some basic NAT:
  route outside 0.0.0.0 0.0.0.0 24.39.245.33
  global (outside) 1 interface
  nat (inside) 1 192.168.0.0  255.255.255.0
  Now regarding the VPN Client configuration you would need to something like this:
  Create an isakmp policy:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha    
  group 2
  lifetime 86400
  Create a couple of ACLs that we will use later:
  access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list split_tun standard permit 192.168.0.0 255.255.255.0
  Create a Pool for the VPN Clients to use:
  ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
  Create a Group Policy:
  group-policy TEST internal
  group-policy TEST attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_tun
  Create a group:
  tunnel-group TEST type ipsec-ra
  tunnel-group TEST general-attributes
  address-pool TestPool
  authentication-server-group ABTVPN
  default-group-policy TEST
  tunnel-group TEST ipsec-attributes
  pre-shared-key cisco123
  Create crypto map and do a NAT 0:
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
  crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
  crypto map Outside_map interface outside
  nat (inside) 0 access-l nonat
  Finally create a user that you will use to connect:
  username test password test123
  Then you would need to configure your VPN Client to connect with the ASA.
  Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
  I hope this helps. Feel free to ask if you have any questions. Also it would very usefull if you could upload the current config (show run) of the ASA in case you need to ask something else.
  Have fun.
  Raga

• Cisco ASA 5505 Failover issue..

  Hi,
   I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login  by console i found out that the failover has been disabled .So again I connected  to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.

  Please find the logs...
  Secondary Firewall While Sync..
  cisco-asa(config)# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 06:01:10 GMT Apr 29 2015
  This host: Secondary - Sync Config 
  Active time: 55 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): No Link (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Active 
  Active time: 177303 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  =======================================================================================
  Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
  cisco-asa# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:06:12 GMT Apr 29 2015
  This host: Secondary - Active 
  Active time: 44 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): Normal (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Not Detected 
  Active time: 0 (sec)
  slot 0: empty
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  ==========================================================================================
  After Active firewall got rebootted failover off,whole network gone down.
  cisco-asa# sh failover 
  Failover Off 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ===========================================================================================
  Primary Firewall after rebootting
  cisco-asa# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:17:29 GMT Apr 29 2015
          This host: Primary - Active
                  Active time: 24707 (sec)
                  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
                    Interface outside (27.251.167.246): Normal (Waiting)
                    Interface inside (10.11.0.20): Normal (Waiting)
                    Interface mgmt (10.11.200.21): Normal (Waiting)
                  slot 1: empty
          Other host: Secondary - Failed
                  Active time: 0 (sec)
                  slot 0: empty
                    Interface outside (27.251.167.247): Unknown (Waiting)
                    Interface inside (10.11.0.21): Unknown (Waiting)
                    Interface mgmt (10.11.200.22): Unknown (Waiting)
                  slot 1: empty
  cisco-asa# sh failover history
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:43 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:29 GMT Apr 29 2015
  Negotiation                Just Active                No Active unit found
  06:17:29 GMT Apr 29 2015
  Just Active                Active Drain               No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Drain               Active Applying Config     No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Applying Config     Active Config Applied      No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Config Applied      Active                     No Active unit found
  ==========================================================================
  cisco-asa#
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Primary
                 Active         None
  Other host -   Secondary
                 Failed         Comm Failure             06:17:43 GMT Apr 29 2015
  ====Configuration State===
  ====Communication State===
  ==================================================================================
  Secondary Firewall
  cisc-asa# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover
  Failover Off
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (down)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ecs-pune-fw-01# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Secondary
                 Disabled       None
  Other host -   Primary
                 Not Detected   None
  ====Configuration State===
  ====Communication State===
  Thanks...

• ASA 5505 speed reduction when connected to a Planet fiber converter

  Hi!
  We have many customers running ASA 5505, and a number of them are running 100 Mbit connections. This normally works fine. But recently, our ISP has started setting up all new fiber connections using a Planet fiber to RJ converter (Before they used Cisco switches), and with those, the locations only get around 50-60 Mbit. We have done all the testing - force port speed and duplex settings, test with a PC directly connected to the converter etc. And the connection allways runs 100 Mbit. And the ASA's themselves also run 100 Mbit when connected to anything else than the Planet converter. We have for now circumvented the problem by placing a simple L2 switch between the converter and the ASA's, but this is not an ideal solution as it adds another single point of failure element etc.
  Any ideas?

  The Express units can extend wireless on the TC or each other.. but they cannot extend wireless on the Asus anyway..
  So the setup is Asus--TC (that has to be ethernet) The TC in bridge mode.
  Then TC -- express can be done by ethernet in roaming mode as bob listed above or extend wireless.
  I am guessing.. what model are the express units.. they are older Gen1 N model ??
  IMHO the TC is simply no longer viable.. replace it with one express as the AP and extend it with the other Express.. see if that works better.
  But I would be trying to use the wireless just from the AC66U.
  I would also force the Asus back to 20mhz on the 2.4ghz band.. so you can provide adequate channel separation.. 40mhz wireless on 2.4ghz works poorly anyway because you have too much wifi .. there is very limited number of non-overlapping channels.. ie 3. 11, 6 and 1.

• ASA 5505 Logging Issue - Warning: Configured logging host interface conflicts with route table entry

  I am getting this warning on my ASA 5505 when I try to set up logging from my off site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN Tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IP's. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message
  5505
  ethe0/0
  desc To LA ISP (217.34.122.1)
  switchport access vlan2
  ethe0/1
  desc To Redwood City HQ via VPN Tunnel
  switchport access vlan1
  ethe0/2
  desc To Internal Web Server
  switchport access vlan3
  VLAN1
  desc Tunnel to HQ
  ifinterface Tunnel
  security level 1
  217.34.122.3 255.255.255.248
  VLAN3
  desc Internal Web Server
  ifinterface inside
  security level 100
  192.168.0.1 255.255.255.0
  access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
  (No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
  route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
  crypto map TO-HQ 10 match address LosAngeles
  crypto map TO-HQ set peer ip 65.29.211.198
  5510 at HQ
  access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
  (again no access-group, since I have a couple other off sites)
  crypto map TO-LA 20 match address LA
  crypto map TO-LA 20 set peer ip 217.34.122.3

  Hi Jouni,
  I have the following configs in place with fake IPs
  5505
  1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
  1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
  1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
  access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
  route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
  route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
  crypto map  TO-HQ 10 match address LosAngeles
  crypto map TO-HQ 10 set peer ip 65.29.211.198
  tunnel-group 65.29.211.198 type ipsec-l2l
  5510
  1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
  1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
  access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface
  access-group OUTBOUND in interface outside
  nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
  route outside 192.168.0.0 255.255.255.0 217.33.122.6
  crypto map TO-LA 20 match address LA
  crypto map TO-LA 20 set peer ip 217.33.122.6
  tunnel-group 217.33.122.6 type ipsec-l2l
  I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside.

• Cisco asa 5505 vpn issue

  I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through  a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.) 

  Post the config of your ASA and someone will be able to assist.

• Authorization issue - help request

  Hi guys,
  One of the consultants is having an authorization issue ( He is not abele to run a t-code)
  I ask him to run a su53 report and i am not sure how to proceed with this.
  Please help.
  Here are the details from the SU53 report.
  DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
  User : VYXXX                       profile parameter authorization buffering    4
  Authorization Object: F_KNA1_GRP
  Description
  Authorization check failed:
        + Authorization object F_KNA1_GRP Customer Account Group Authorization
              Activity                                08
              Customer Account Group     ZM01
  Users Authorization Data :
        +  Authorization object F_KNA1_GRP Customer Account Group Authorization
                 Authorization  T-PD19002300
                Authorization  T-UG39000900
                Authorization  T-UG39001000
  Please help me guys what need to  be performed.
  Regards,
  Vamsi.

  Hi Vamsi,
  SU53 shows us the last failed authorization for a user. However, it might not only be the failed authorization object failed.
  Hence, "just to learn" , you can use transaction ST01 to enable and run a trace for particular users. Be sure to use in a test environment first, and with proper filters. (for a particular user only).
  Then check-> which auth object is failing.
  RC=4 means a object value is failing.
  RC=12 means an object is missing!
  Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
  You can check the SAP documentation on running traces on the help portal of SAP.  I think you will find the answer yourself by troubleshooting more and may be massaging some test roles here and there!
  Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
  Let me know if you have any questions
  EOD for me :P . take care
  Abhishek

• Find and Replace Issue Help Requested.

  Hi all. I've been digging around for a couple of days and
  can't seem to figure this one out. For starters, I have already
  looked at the Regular Expression syntax and tried the MS word
  clean-up option, but no luck. We have about 1,500 pages of content.
  They are in DNN, so the pages are created dynamically.
  Unfortunately, the page content was written in Word and then dumped
  in DNN. We are trying to clean up the pages. We are grabbing the
  content from Dot Net Nuke and putting it into Dreamweaver 8.0.2.
  Then we are manually cleaning out things like:
  <?xml:namespace prefix = o ns =
  "urn:schemas-microsoft-com:office:office" />
  and
  <P class=MsoNormal style="MARGIN: 0in 0in 0pt"
  align=left>
  We are using the Find and Replace funtion in Dreamweaver to
  clean out these commands, but I know from the documentation, there
  is an easier way to clean these pages.
  Bottom Line: Since the pages are dynamically built, I know I
  have to grab the page content and put it in Dreamweaver manually
  and then put it back in DNN, but I am trying to find a way (using
  Regular Expressions or something) to look for all the little
  variances of MSO, <?XML, etc. in a straight shot. I would like
  to find a way to use a wild card to look for all tags that have MSO
  or Microsoft or ?XML in them and then replace them with a null
  value. From what I can tell, the Find would have to use a wildcard
  because the advanced find features don't carry what I am looking
  for. Something like Find \<?xml * [<-wildcard] to \> to
  grab the entire tag. The Find tag command doesn't work because the
  tags I need aren't listed. Also, because the content is dynamic, I
  can't do a Fins and Replace against the entire site for these
  commands, but it would be nice to "Find" all of these items with a
  single pass since the "Replace" value is always null.
  The wildcard syntax and multiple Find instances are the main
  questions. The wildcards seem to be character or space specific.
  Sorry for the long explanation - I just don't want to waste
  anyone's time typing responses to things I've already tried to do.
  Thanks in advance for any help. This is my first time back in
  the forums in about 4 years.

  sadamec1 wrote:
  > Well David, you Findmaster - it worked! (At least it
  found and highlighted the
  > code). Now, I need to dig through what you sent me and
  compare it against my
  > regular expression definitions to find out how to grab
  the rest of these
  > phrases. You're the best. Thank you!
  Glad that it did the trick. Just to help you understand what
  I did,
  there are two main sections, as follows:
  <\?xml[^>]+>
  and
  <[^>]+(?=class=Mso)[^>]+>
  They are separated by a vertical pipe (|), so they simply act
  as
  alternatives.
  The first one searches for <?xml followed by anything
  except a closing
  bracket until it reaches the first closing bracket.
  The second one is more complex. It begins with this:
  <[^>]+
  This simply looks for an opening bracket followed by anything
  other than
  a closing bracket. What makes it more intelligent is the next
  bit:
  (?=class=Mso)
  This does a forward search for "class=Mso". It's then
  followed by this
  again:
  [^>]+>
  That finds anything except a closing bracket followed by a
  closing bracket.
  The bit that you need to experiment with is (?=...). It's
  technically
  called a "forward lookaround". The effect is that the second
  half of the
  regex finds <....class=Mso....>.
  David Powers
  Adobe Community Expert
  Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
  http://foundationphp.com/

• Processor's Speed issue, help!

  I have an iMac and in my "About this Mac" it says 3.4Ghz i7, however, in the System info it says i5 2.5 Ghz? Same is the case with the graphics card. Nvidia in about this Mac and Radeon in System info. Help!

  Your ram should work perfectly fine. Just load high performance settings in the Bios. That would optimize the memory timings at a more tweaked setting. If you get no post or BSOD in windows then just set back to Bios Defaults.
  I ran CAS2 with my Crucial PC2100 @ 165fsb no problems. If your ram is rated higher its no reason that your memory wouldn't be able to reach the lower timings. Its just not recommended or guaranteed 100% stability.
  Rob

• Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me. Thanks Vijay

  Dear All,
                       I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
  Thanks
  Vijay

  Hi Vijay,
  If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you 
  HTH,

• ASA 5505 9.1 and NAT issues to single dynamic IP

  Good afternoon everybody, 
  a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
  Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
  As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
  <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
  <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
  In the same time, the consolle connection shows these two messages :
  Asa5505# ERROR: NAT unable to reserve ports.
  ERROR: NAT unable to reserve ports.
  I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
  This is the configuration file, I  have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
  Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
  ASA Version 9.1(5) 
  hostname Asa5505
  domain-name home
  enable password XXXXXX encrypted
  names
  interface Ethernet0/0
   description ADSLPPoE
   switchport access vlan 2
  interface Ethernet0/1
   description Internal_LAN
  interface Ethernet0/2
   description Management_Net 
   switchport access vlan 3
  interface Ethernet0/3
   shutdown
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   description Uplink
   switchport trunk allowed vlan 1,3
   switchport trunk native vlan 1
   switchport mode trunk
  interface Ethernet0/6
   description Wireless-POE
   switchport trunk allowed vlan 1,3
   switchport trunk native vlan 1
   switchport mode trunk
  interface Ethernet0/7
   description Webcam-POE 
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.250 255.255.255.0 
  interface Vlan2
   nameif outside
   security-level 0
   pppoe client vpdn group AliceADSL
   ip address pppoe setroute 
  interface Vlan3
   no forward interface Vlan1
   nameif management
   security-level 100
   ip address 10.5.1.250 255.255.255.0 
  ftp mode passive
  clock timezone CEST 1
  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
   name-server 192.168.1.4
   domain-name home
  object network Exchange-HTTPS
   host 192.168.1.150
  object network Exchange-SMTP
   host 192.168.1.150
  object network Network_Inside
   subnet 192.168.1.0 255.255.255.0
  object network Network_Management
   subnet 10.5.1.0 255.255.255.0
  access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
  access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
  pager lines 24
  logging enable
  logging asdm warnings
  mtu inside 1500
  mtu outside 1492
  mtu management 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network Exchange-HTTPS
   nat (inside,outside) static interface service tcp https https 
  object network Exchange-SMTP
   nat (inside,outside) static interface service tcp smtp smtp 
  object network Network_Inside
   nat (inside,outside) dynamic interface
  object network Network_Management
   nat (management,outside) dynamic interface
  access-group Outside_ACL in interface outside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable 8080
  http 10.5.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  management-access management
  vpdn group AliceADSL request dialout pppoe
  vpdn group AliceADSL localname aliceadsl
  vpdn group AliceADSL ppp authentication pap
  vpdn username aliceadsl password ***** store-local
  dhcpd address 192.168.1.100-192.168.1.130 inside
  dhcpd dns 192.168.1.4 192.168.1.150 interface inside
  dhcpd wins 192.168.1.4 interface inside
  dhcpd enable inside
  dhcpd address 10.5.1.30-10.5.1.40 management
  dhcpd dns 208.67.222.222 208.67.220.220 interface management
  dhcpd enable management
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   port 10443
   anyconnect-essentials
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map 
    inspect ftp 
    inspect h323 h225 
    inspect h323 ras 
    inspect ip-options 
    inspect netbios 
    inspect rsh 
    inspect rtsp 
    inspect skinny  
    inspect esmtp 
    inspect sqlnet 
    inspect sunrpc 
    inspect tftp 
    inspect sip  
    inspect xdmcp 
  service-policy global_policy global
  prompt hostname context 
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:XXXXXXXX
  : end
  no asdm history enable
  Thanks in advance for your precious help !
  C.

  Update 29th of June :
  Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the runnning configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
  I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
  Two brief questions :
  1) in my NAT statements for PAT, does it change anything if I modify them (for example) from 
  nat (inside,outside) static interface service tcp https https
  to
  nat (inside,outside) dynamic interface service tcp https https 
  ? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
  2) if there's not any ohter way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my consolle cable connected in order to restore the nat statements ^^
  Thank you for your precious help and patience !
  C.

• Cisco asa 5505 issues ( ROUTING AND PAT)

  I have some issues with my cisco asa 5505 config. Please see details below:
  NETWORK SETUP:
  gateway( 192.168.223.191)   - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 )  -
  ISSUES:
  1)
  no route from DMZ to outside
  example:
  ping from 172.16.3201 to the gateway
  6          Jan 27 2014          11:15:33                    172.16.3.201          39728                              Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
  2)
  not working access from external to DMZ AT ALL
  ASA DETAILS:
  cisco asa5505
  Device license          Base
  Maximum Physical Interfaces          8          perpetual
  VLANs          3      DMZ Restricted
  Inside Hosts          Unlimited          perpetual
  configuration:
  firewall200(config)# show run
  : Saved
  ASA Version 9.1(3)
  hostname firewall200
  domain-name test1.com
  enable password xxxxxxxxxxx encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd XXXXXXXXXXX encrypted
  names
  interface Ethernet0/0
  switchport access vlan 100
  interface Ethernet0/1
  switchport access vlan 200
  interface Ethernet0/2
  switchport access vlan 200
  interface Ethernet0/3
  switchport access vlan 200
  interface Ethernet0/4
  switchport access vlan 300
  interface Ethernet0/5
  switchport access vlan 300
  interface Ethernet0/6
  switchport access vlan 300
  interface Ethernet0/7
  switchport access vlan 300
  interface Vlan100
  nameif outside
  security-level 0
  ip address 192.168.223.200 255.255.255.0
  interface Vlan200
  mac-address 001b.539c.597e
  nameif inside
  security-level 100
  ip address 172.16.2.253 255.255.255.0
  interface Vlan300
  no forward interface Vlan200
  nameif DMZ
  security-level 50
  ip address 172.16.3.253 255.255.255.0
  boot system disk0:/asa913-k8.bin
  boot config disk0:/startup-config.cfg
  ftp mode passive
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns server-group DefaultDNS
  domain-name test1.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network office1-int
  host 172.16.2.1
  object network firewall-dmz-gateway
  host 172.16.3.253
  object network firewall-internal-gateway
  host 172.16.2.253
  object network com1
  host 192.168.223.227
  object network web2-ext
  host 192.168.223.201
  object network web2-int
  host 172.16.3.201
  object network gateway
  host 192.168.223.191
  object network office1-int
  host 172.16.2.1
  object-group network DMZ_SUBNET
  network-object 172.16.3.0 255.255.255.0
  object-group service www tcp
  port-object eq www
  port-object eq https
  access-list DMZ_access_in extended permit icmp any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in extended permit tcp any object web2-ext eq www
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500 
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-714.bin
  no asdm history enable
  arp DMZ 172.16.4.199 001b.539c.597e alias
  arp DMZ 172.16.3.199 001b.539c.597e alias
  arp timeout 14400
  no arp permit-nonconnected
  object network web2-int
  nat (DMZ,outside) static web2-ext service tcp www www
  access-group outside_access_in in interface outside
  access-group DMZ_access_in in interface DMZ
  route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
  route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.223.227 255.255.255.255 outside
  http 172.163.2.5 255.255.255.255 outside
  http 172.163.2.5 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 192.168.223.227 255.255.255.255 outside
  ssh 172.163.2.5 255.255.255.255 outside
  ssh 172.163.2.5 255.255.255.255 inside
  ssh timeout 60
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 172.16.2.10-172.16.2.10 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 176.58.109.199 source outside prefer
  ntp server 81.150.197.169 source outside
  ntp server 82.113.154.206
  username xxxx password xxxxxxxxx encrypted
  class-map DMZ-class
  match any
  policy-map global_policy
  policy-map DMZ-policy
  class DMZ-class
    inspect icmp
  service-policy DMZ-policy interface DMZ
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
  : end

  Thank you one more time for everthing. It is workingin indeed
  Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
  show run
  : Saved
  ASA Version 9.1(3)
  hostname firewall200
  domain-name test1.com
  enable password xxxxxxxxxx encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd xxxxxxxxxxxx encrypted
  names
  interface Ethernet0/0
  switchport access vlan 100
  interface Ethernet0/1
  switchport access vlan 200
  interface Ethernet0/2
  switchport access vlan 200
  interface Ethernet0/3
  switchport access vlan 200
  interface Ethernet0/4
  switchport access vlan 300
  interface Ethernet0/5
  switchport access vlan 300
  interface Ethernet0/6
  switchport access vlan 300
  interface Ethernet0/7
  switchport access vlan 300
  interface Vlan100
  nameif outside
  security-level 0
  ip address 192.168.223.200 255.255.255.0
  interface Vlan200
  mac-address 001b.539c.597e
  nameif inside
  security-level 100
  ip address 172.16.2.253 255.255.255.0
  interface Vlan300
  no forward interface Vlan200
  nameif DMZ
  security-level 50
  ip address 172.16.3.253 255.255.255.0
  boot system disk0:/asa913-k8.bin
  boot config disk0:/startup-config.cfg
  ftp mode passive
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup inside
  dns domain-lookup DMZ
  dns server-group DefaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  domain-name test1.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network firewall-dmz-gateway
  host 172.16.3.253
  object network firewall-internal-gateway
  host 172.16.2.253
  object network com1
  host 192.168.223.227
  object network web2-ext
  host 192.168.223.201
  object network web2-int
  host 172.16.3.201
  object network gateway
  host 192.168.223.191
  object network office1-int
  host 172.16.2.1
  object-group network DMZ_SUBNET
  network-object 172.16.3.0 255.255.255.0
  object-group service www tcp
  port-object eq www
  port-object eq https
  access-list DMZ_access_in extended permit icmp any any
  access-list DMZ_access_in extended permit ip any any
  access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
  access-list outside_access_in extended permit tcp any object web2-int eq www
  access-list outside_access_in extended permit tcp any object web2-int eq ssh
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any DMZ
  asdm image disk0:/asdm-714.bin
  no asdm history enable
  arp DMZ 172.16.4.199 001b.539c.597e alias
  arp DMZ 172.16.3.199 001b.539c.597e alias
  arp timeout 14400
  no arp permit-nonconnected
  object network web2-int
  nat (DMZ,outside) static web2-ext net-to-net
  access-group outside_access_in in interface outside
  access-group DMZ_access_in in interface DMZ
  route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.223.227 255.255.255.255 outside
  http 172.163.2.5 255.255.255.255 outside
  http 172.163.2.5 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 192.168.223.227 255.255.255.255 outside
  ssh 172.163.2.5 255.255.255.255 outside
  ssh 172.16.3.253 255.255.255.255 outside
  ssh 172.163.2.5 255.255.255.255 inside
  ssh timeout 60
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 176.58.109.199 source outside prefer
  ntp server 81.150.197.169 source outside
  ntp server 82.113.154.206
  username xxxxx password xxxxxxxxx encrypted
  class-map DMZ-class
  match any
  policy-map global_policy
  policy-map DMZ-policy
  class DMZ-class
    inspect icmp
  service-policy DMZ-policy interface DMZ
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
  : end