Multiple Public IP's on ASA 5520

Similar Messages

• Multiple public IP Addresses on ASA 5505?

  Hi
  Is it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2). If so, how?
  Thanks in advance for your help with my request.
  d

  Hello Douglas,
  you don't need to assign multiple IP-addresses - the trick is the MASK besides that you tell ASA where to find the default gateway.
  The rest is icing on a cake, and you achive this with the help of NAT.
  Lets say you're provided a network with a mask of 255.255.255.248, then nets, or subnets, jump on the number 8.
  1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
  2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
  3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 adresses
  and so forth
  Lets take the 3rd example here, and configure the outside interface with a mask of 255.255.255.248 and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.
  If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create a object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
  If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create a object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).
  That all works through 1 cable, 1 interface assigned with the right MASK
  Hope that clears the skys?
  Pls, rate right answers!

• How to Configure Cisco ASA 5512 for multiple public IP interfaces

  Hi
  I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
  Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
  I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
  Outside Networks (I've changed the IPs for security purposes)
  Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
  Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
  Inside1 : E 0/1 192.168.255.1 255.255.248.0
  Inside2 : E 0/3 172.16.255.1 255.255.248.0
  My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
  I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
  I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
  Thanks in advance for the suggestions/help

  I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
  I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP>
  To the original poster
  It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want were a group of users will use a specified ISP and the other group of users will use the other ISP you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
  HTH
  Rick

• ASA 5520 with multiple contexts becomes unresponsive

  Hi all. We have encountered a perculiar problem with a pair of our ASA 5520 firewalls with 2 contexts(each context being active on different ASA). What we are seeing is that sometimes when we have a sudden increase of inbound traffic(mostly HTTP) towards servers behind the firewalls they seem to go bananas for the lack of a better expression.
  They become unaccessible via ssh and the traffic drops significantly. The problem is mitigated by disabling one of the monitored interfaces for failover(on one of the switches the firewall is connected to) so that both contexts become active on one firewall. After that the firewalls seem to come to their senses and we can enable the switch interface again but sometimes one of the pair needs to be rebooted to restore full funcionality.
  To us it seems like there is a problem with failover and contexts but we haven't been able to pin it down. The failover link isn't stateful and when we tested the failover it works fine both ways with each ASA taking up the full load when the other ASA of the pair is not available.
  Did anyone come across a similar situation with their firewalls?

  We are using ASA version 8.2(5).
  The configuration of the failover is:
  failover
  failover lan unit primary
  failover lan interface fail_int GigabitEthernet0/3
  failover interface ip fail_int x.x.x.x 255.255.255.252 standby x.x.x.x
  failover group 1
    preempt
  failover group 2
    secondary
    preempt
  Output of the "show failover":
    This host:    Primary
    Group 1       State:          Active
                  Active time:    399409 (sec)
    Group 2       State:          Standby Ready
                  Active time:    111 (sec)
                  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                    admin Interface out (x.x.x.x): Normal (Waiting)
                    admin Interface inside (x.x.x.x): Normal (Waiting)
                    admin Interface dmz4 (x.x.x.x): Normal
                    admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                    C1 Interface out (x.x.x.x): Normal (Waiting)
                    C1 Interface inside (x.x.x.x): Normal (Waiting)
                    C1 Interface dmz5 (x.x.x.x): Normal
                    C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                  slot 1: empty
    Other host:   Secondary
    Group 1       State:          Standby Ready
                  Active time:    0 (sec)
    Group 2       State:          Active
                  Active time:    398992 (sec)
                  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                    admin Interface out (x.x.x.x): Normal (Waiting)
                    admin Interface inside (x.x.x.x): Normal (Waiting)
                    admin Interface dmz4 (x.x.x.x): Normal
                    admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                    C1 Interface out (x.x.x.x): Normal (Waiting)
                    C1 Interface inside (x.x.x.x): Normal (Waiting)
                    C1 Interface dmz5 (x.x.x.x): Normal
                    C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                  slot 1: empty
  Stateful Failover Logical Update Statistics
          Link : Unconfigured.
  When I disabled the monitored interface it was always the same interface altough I believe the same effect could be achieved with disabling any of the monitored interfaces.
  As for memory and CPU when it happens I cannot access the units to get a reading but I asume it's through the roof. 
  The thing that troubles me more is that the situation persists when the load drops and I have to perform the solution from the first post. One would assume that with the drop of the load that both firewalls would start to behave normally.
  And I see that I haven't mentioned it before but when the load drops both units continue to handle traffic normally but I sometimes see as a side effect that I cannot SSH to one of the units. That unit usually has to be restarted.

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Cisco ASA 5520 (asa 8.2) hairpinning

  Hi All,
  We have a ASA 5520 (redundant) in our network which we are using for different customers. For every new customer we create a new VLAN and place their servers in this VLAN. On the ASA we create a new subinterface for every customer which is connected to the corresponding VLAN.
  Most customers get a private ip-range (e.g. 192.168.x.x/24) on which they should configure their servers. Because most customers don't need to be to access eachothers server all VLAN interfaces have the same security-level of 50. I haven't enable the "same-security-traffic permit inter-interface" option, so traffic between those interfaces is blocked, as expected.
  Some customers (e.g. customer A) need public webmail of smtp access to there servers. So we use both NAT and PAT to make that happen.
  So, recently we've got a customer (customer B) who placed their webservers behind our ASA. Because we didn't want to use NAT statements all the time, we dediced to configure a public /29 subnet on their VLAN. Because the website on this customer's servers need to be visible for everybody, we've lowered the security-level of this VLAN interface to 40 (instead of 50) and applied some ACL's. So other customers (e.g. customer A) are also able to reach the websites of customer B. So everything is just working fine.
  Now, customer A decided that they want to run their website on their own servers as well. So, I created a static PAT for TCP 80. So the website is accessible from the outside world. But.....customer B is not able to reach customer A's website on the translated address. So, I've created a second PAT (using the same public address) but this time to customer B's interface. But still, we're not able to reach customer A's website.
  I've also enabled the "same-security-traffic permit intra-interface", but still the website is unreachable to customer B.
  Here's a small drawing of the situation:
  The ip-addresses are, of course, not real.
  Can anybody place help me with this issue?

  That's a very cool command that I didn't know about.
  I see that the packet is drop at phase 7 (NAT-EXEMPT).
  Phase: 7
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: DROP
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false
          hits=61, user_data=0x744558f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip=Cust_B_LAN, mask=255.255.255.240, port=0
          dst ip=Cust_A_LAN, mask=255.255.255.0, port=0, dscp=0x0
  Result:
  input-interface: Cust_B
  input-status: up
  input-line-status: up
  output-interface: Cust_A
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  I seemed that I had a nonat rule messing the communication between these interfaces. After removing it, the traffic was flowing just fine.
  Thanks for your support.
  Ron

• ASA 5520 - LU allocate xlate failed - Failover unit reloads

  We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed, errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS.Two units in failover.
  Cisco Adaptive Security Appliance Software Version 8.0(5)9
  Device Manager Version 6.0(2)
  Compiled on Mon 01-Feb-10 10:36 by builders
  System image file is "disk0:/asa805-9-k8.bin"
  Config file at boot was "startup-config"
  CP-ASA up 17 days 21 hours
  failover cluster up 17 days 22 hours
  Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW080 @ 0xffe00000, 1024KB
  Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode   :  CN1000-MC-BOOT-2.00
                               SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
  0: Ext: GigabitEthernet0/0  : address is 0025.45d7.6e62, irq 9
  1: Ext: GigabitEthernet0/1  : address is 0025.45d7.6e63, irq 9
  2: Ext: GigabitEthernet0/2  : address is 0025.45d7.6e64, irq 9
  3: Ext: GigabitEthernet0/3  : address is 0025.45d7.6e65, irq 9
  4: Ext: Management0/0       : address is 0025.45d7.6e66, irq 11
  5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
  6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150      
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled  
  VPN-3DES-AES                 : Enabled  
  Security Contexts            : 2        
  GTP/GPRS                     : Disabled 
  VPN Peers                    : 750      
  WebVPN Peers                 : 2        
  AnyConnect for Mobile        : Disabled 
  AnyConnect for Linksys phone : Disabled 
  Advanced Endpoint Assessment : Disabled 
  UC Proxy Sessions            : 2       
  This platform has an ASA 5520 VPN Plus license.
  I noted a report on errors with verison 7 and a conflict between nat(0) and static commands. I don't show nat(0) being used on these units.
  nat (public) 0 access-list NO_NAT
  nat (public) 1 10.190.16.64 255.255.255.192
  nat (public) 1 172.16.22.0 255.255.255.0
  nat (dmz) 0 access-list NO_NAT
  nat (dmz) 1 0.0.0.0 0.0.0.0
  nat (csacelb) 0 access-list NO_NAT
  nat (csacelb) 1 0.0.0.0 0.0.0.0
  nat (app) 0 access-list NO_NAT
  nat (app) 1 0.0.0.0 0.0.0.0
  nat (db) 0 access-list NO_NAT
  nat (db) 1 0.0.0.0 0.0.0.0
  nat (internal) 0 access-list NO_NAT
  nat (internal) 1 0.0.0.0 0.0.0.0
  nat (management) 0 access-list NO_NAT
  nat (management) 1 0.0.0.0 0.0.0.0
  no crypto isakmp nat-traversal
  static (app,dmz) 10.190.15.0 10.190.15.0 netmask 255.255.255.192
  static (csacelb,public) 999.999.999.999 10.190.14.70 netmask 255.255.255.255 (The external address was replaced with 999.999.999.999 intentionally for this forum)
  static (db,app) 10.190.16.0 10.190.16.0 netmask 255.255.255.192

  Do you have any solution ? we have the same problem.
  Thanks .

• ASA 5520 : IP address for CSC SSM

  Hi All,
  I have an ASA 5520 with CSC SSM. I have base and plus license and want to activate it. T he IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE,OUTSIDE,DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM what range should i give?
  There is an ISA server on the DMZ where all user IP's get PATed and on ASA this gets NATed on the ASA. Direct access to the internet exists for the servers (bypassing proxy).
  My basic doubt is about the IP address and gateway that the CSC SSM should have and is it related ot the management interface ip address?
  Thanks and Regards.
  Sonu

  Hi
  put your CSC ip address as outside interface subnet.because CSC needs automatic updates from internet.and you can able to manage CSC from remote itself.
  for EX
  your outside ip is 10.0.0.1/24,make CSC IP As 10.0.0.2/24,Gateway 10.0.0.1
  Hopes this helps
  regs
  S.Mohana sundaram

• How to change VPN peer address on ASA 5520

  Environment:
  ASA 5520 running 7.2(1)
  IPSEC L2L VPN established using Wizard.
  The IP address of the remote peer needs to change. Using ASDM, I cannot change the Tunnel Group name (which is currently the peer address). I can change the peer address in the IPSec rule, but is this all that is needed?
  Do I have to add a new tunnel group using the new peer address for the name? If so how does this relate to the other objects that are required for a VPN?
  When you create a VPN using the Wizard, it creates multiple objects that are hard to track when changes are required. Is it best to delete all of the current VPN objects and create a new config using the wizard again?
  Is it better to make the changes using the CLI? What lines need to be changed for the peer address when using commands?
  Thanks in advance for any help!

  I can change the peer address in the IPSec rule, but is this all that is needed?
  - No, tunnel group name must match peer address.
  Do I have to add a new tunnel group using the new peer address for the name?
  - Yes.
  Is it better to make the changes using the CLI?
  - I would always recommend it, but if you don't know it you have no option.
  Add new tunnel-group with group name as new peer address, same key etc. Add new peer address to peer settings under edit ipsec rule. Then you should be able to remove the old tunnel group. Hope this helps you, been a while since I did it this way.

• VPN clients not able to ping Remote PCs & Servers : ASA 5520

  VPN is connected successfully. But not able to ping any remote ip or fqdn from client pc. But able to ping ASA 5520 firewalls inside interface. Also some clients able to access, some clients not able to access. I new to these firewalls. I tried most of ways from internet, please any one can help asap.
  Remote ip section : 192.168.1.0/24
  VPN IP Pool : 192.168.5.0/24
  Running Config :
   ip address 192.168.1.2 255.255.255.0
  interface GigabitEthernet0/2
   shutdown
   no nameif
   no security-level
   no ip address
  interface GigabitEthernet0/3
   shutdown
   no nameif
   no security-level
   no ip address
  interface Management0/0
   shutdown
   no nameif
   no security-level
   no ip address
   management-only
  passwd z40TgSyhcLKQc3n1 encrypted
  boot system disk0:/asa722-k8.bin
  ftp mode passive
  clock timezone GST 4
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 213.42.20.20
   domain-name default.domain.invalid
  access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
  access-list outtoin extended permit tcp any host 83.111.113.113 eq https
  access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
  access-list outtoin extended permit tcp any host 83.111.113.114 eq https
  access-list outtoin extended permit tcp any host 83.111.113.114 eq www
  access-list outtoin extended permit tcp any host 83.111.113.115 eq https
  access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
  access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
  access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
  access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0
  92.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 1
  2.168.5.0 255.255.255.0
  access-list inet_in extended permit icmp any any time-exceeded
  access-list inet_in extended permit icmp any any unreachable
  access-list inet_in extended permit icmp any any echo-reply
  access-list inet_in extended permit icmp any any echo
  pager lines 24
  logging enable
  logging asdm informational
  logging from-address [email protected]
  logging recipient-address [email protected] level errors
  logging recipient-address [email protected] level emergencies
  logging recipient-address [email protected] level errors
  mtu outside 1500
  mtu inside 1500
  ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
  ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-522.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound outside
  nat (inside) 1 192.168.1.0 255.255.255.0
  static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
  static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
  access-group inet_in in interface outside
  route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy DfltGrpPolicy attributes
   banner none
   wins-server none
   dns-server none
   dhcp-network-scope none
   vpn-access-hours none
   vpn-simultaneous-logins 10
   vpn-idle-timeout 30
   vpn-session-timeout none
   vpn-filter none
   vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
   password-storage disable
   ip-comp disable
   re-xauth disable
   group-lock none
   pfs disable
   ipsec-udp disable
   ipsec-udp-port 10000
   split-tunnel-policy tunnelall
   split-tunnel-network-list none
   default-domain none
   split-dns none
   intercept-dhcp 255.255.255.255 disable
   secure-unit-authentication disable
   user-authentication disable
   user-authentication-idle-timeout 30
   ip-phone-bypass disable
   leap-bypass disable
   nem disable
   backup-servers keep-client-config
   msie-proxy server none
   msie-proxy method no-modify
   msie-proxy except-list none
   msie-proxy local-bypass disable
   nac disable
   nac-sq-period 300
   nac-reval-period 36000
   nac-default-acl none
   address-pools none
   client-firewall none
   client-access-rule none
   webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have no
   been met or due to some specific group policy, you do not have permission to u
  e any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy fualavpn internal
  group-policy fualavpn attributes
   dns-server value 192.168.1.111 192.168.1.100
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value fualavpn_splitTunnelAcl
  username test password I7ZgrgChfw4FV2AW encrypted privilege 0
  username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
  username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
  username Moghazi attributes
   password-storage enable
  username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
  username fualauaq attributes
   password-storage enable
  username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
  username Basher password Djf15nXIJXmayfjY encrypted privilege 0
  username Basher attributes
   password-storage enable
  username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
  username fualafac attributes
   password-storage enable
  username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
  username fualaab attributes
   password-storage enable
  username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
  username fualaadh2 attributes
   password-storage enable
  username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
  username fualaain2 attributes
   password-storage enable
  username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
  username fualafj2 attributes
   password-storage enable
  username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
  username fualakf2 attributes
   password-storage enable
  username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
  username fualaklb attributes
   password-storage enable
  username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
  username fualastr attributes
   password-storage enable
  username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
  username fualauaq2 attributes
   password-storage enable
  username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
  username fualastore attributes
   password-storage enable
  username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
  username fualadhd attributes
   password-storage enable
  username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
  username fualaabi attributes
   password-storage enable
  username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
  username fualaadh attributes
   password-storage enable
  username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
  username fualajuh attributes
   password-storage enable
  username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
  username fualadah attributes
   password-storage enable
  username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
  username fualarak attributes
   password-storage enable
  username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
  username fualasnk attributes
   password-storage enable
  username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
  username rais attributes
   password-storage enable
  username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
  username fualafuj attributes
   password-storage enable
  username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
  username fualamaz attributes
   password-storage enable
  username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
  username fualashj attributes
   password-storage enable
  username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
  username fualabdz attributes
   password-storage enable
  username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
  username fualamam attributes
   password-storage enable
  username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
  username fualaajm attributes
   password-storage enable
  username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
  username fualagrm attributes
   password-storage enable
  username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
  username fualakfn attributes
   password-storage enable
  username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
  username Fualaain attributes
   password-storage enable
  username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
  username John password D9xGV1o/ONPM9YNW encrypted privilege 15
  username John attributes
   password-storage disable
  username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
  username wrkshopuaq attributes
   password-storage enable
  username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
  username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
  username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
  username Faraj attributes
   password-storage enable
  username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
  username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
  username Hameed attributes
   password-storage enable
  username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
  username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
  username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
  username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
  username Riad password iB.miiOF7qMESlCL encrypted privilege 0
  username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
  username Azeem attributes
   password-storage disable
  username Osama password xu66er.7duIVaP79 encrypted privilege 0
  username Osama attributes
   password-storage enable
  username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
  username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
  username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
  username Wissam attributes
   password-storage enable
  username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
  aaa authentication telnet console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  http 192.168.1.4 255.255.255.255 inside
  http 192.168.1.100 255.255.255.255 inside
  http 192.168.1.111 255.255.255.255 inside
  http 192.168.1.200 255.255.255.255 inside
  http 83.111.113.117 255.255.255.255 outside
  http 192.168.1.17 255.255.255.255 inside
  http 192.168.1.16 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  tunnel-group fualavpn type ipsec-ra
  tunnel-group fualavpn type ipsec-ra
  tunnel-group fualavpn general-attributes
   address-pool fualapool
   address-pool VPNPool
   default-group-policy fualavpn
  tunnel-group fualavpn ipsec-attributes
   pre-shared-key *
  tunnel-group fualavpn ppp-attributes
   authentication pap
   authentication ms-chap-v2
   authentication eap-proxy
  telnet 0.0.0.0 0.0.0.0 outside
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:38e41e83465d37f69542355df734db35
  : end

  Hi,
  What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
  Regards,

• ASA 5520 Upgrade From 8.2 to 9.1

  To All Pro's Out There,
  I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
  In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
  I appreciate all the help in advance.

  Hi,
  My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
  In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
  What you can basically do is
  Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
  You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
  So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
  If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
  If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
  https://supportforums.cisco.com/docs/DOC-31116
  My personal approach when starting to convert NAT configurations for the upgrade is
  Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
  Divide NAT configurations based on type   
  Dynamic NAT/PAT
  Static NAT
  Static PAT
  NAT0
  All Policy Dynamic/Static NAT/PAT
  Learn the basic configuration format for each type of NAT configuration
  Start by converting the easiest NAT configurations   
  Dynamic NAT/PAT
  Static NAT/PAT
  Next convert the NAT0 configurations
  And finally go through the Policy NAT/PAT configurations
  Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
  The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
  One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
  For example
  static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
  In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
  Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
  So to summarize
  Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
  Learn the new NAT configuration format
  Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
  Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
  Convert the configurations manually
  Lab/test the configurations on an test ASA
  During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
  Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
  Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
  Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
  Will add more later if anything comes to mind as its getting quite late here
  Hope this helps
  - Jouni

• DHCP question on VPN to ASA 5520

  Our VPN uses the Microsoft VPN client to connect to an ASA 5520 running 8.0(3). Clients get address from our internal DHCP server. How do I get the ASA to send the client computer name in the DHCP request, rather the the group name and some number it appends to it? This is an issue for us because those entries show up as "rogue" registrations in DNS, because they don't match our naming structure.

  Make sure if the client is forwarding it's name in the DHCP messages. Parameters can't be added at ASA.

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

  Hi All,
  We are configuring an ASA 5510 for remote VPN users using Any Connect.
  Our question is:
  We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
  Any suggestions on how to best achieve this requirement.
  Regards,

  What are the different groups used for? Are that different companies or just different departments of one company?
  There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.
  One "typical" way to configure different VPN-settings for different users is the following:
  You configure one tunnel-group with the needed authentication-settings. The assigned group-policy only has the needed tunnel-protocol configured like sssl-client.
  For each department you configure one group-policy with all needed parameters like split tunnel, VPN-filter, banner, DNS/WINS-servers domain and so on.
  Your users get one of these group-policies assigned. That can be done with local authentication in the user-acount, or more scalable through a central RADIUS-server which can be the Windows NPS to authenticate the domain-users.

• ASA 5520 intervlan routing at low speed

  I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
  ASA Version 8.4(2)
  hostname ***
  domain-name ***
  enable password *** encrypted
  passwd *** encrypted
  multicast-routing
  names
  dns-guard
  interface GigabitEthernet0/0
  nameif DMZ
  security-level 50
  ip address 10.2.5.1 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  no ip address
  interface GigabitEthernet0/1.100
  vlan 100
  nameif Devices
  security-level 100
  ip address 10.2.0.1 255.255.255.0
  interface GigabitEthernet0/1.101
  vlan 101
  nameif Common
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  interface GigabitEthernet0/1.102
  vlan 102
  nameif Design
  security-level 100
  ip address 10.2.2.1 255.255.255.0
  interface GigabitEthernet0/1.103
  vlan 103
  nameif Ruhlamat
  security-level 90
  ip address 10.2.3.1 255.255.255.0
  interface GigabitEthernet0/2
  no nameif
  security-level 100
  no ip address
  interface GigabitEthernet0/2.10
  vlan 10
  nameif HOLOGR
  security-level 40
  ip address 10.1.2.4 255.255.0.0
  interface GigabitEthernet0/3
  nameif outside
  security-level 0
  ip address ***
  interface Management0/0
  nameif management
  security-level 100
  ip address 172.16.1.1 255.255.255.0
  management-only
  boot system disk0:/asa842-k8.bin
  no ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  dns server-group DefaultDNS
  domain-name ***
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network WWW
  host 10.2.1.6
  object network MAIL
  host 10.2.5.5
  object network TEST
  host 10.2.1.85
  object-group network DM_INLINE_NETWORK_1
  network-object host 10.1.0.88
  network-object host 10.1.6.1
  network-object host 10.1.6.5
  network-object host 10.1.0.57
  network-object 10.2.0.0 255.255.255.0
  network-object host 10.1.6.4
  network-object host 10.1.1.57
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq 2080
  port-object eq pop3
  port-object eq smtp
  object-group network DM_INLINE_NETWORK_6
  network-object host 10.1.4.42
  network-object host 10.1.4.234
  network-object host 10.1.4.175
  network-object host 10.1.4.217
  object-group protocol DM_INLINE_PROTOCOL_5
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_3
  network-object host 10.2.1.4
  network-object host 10.2.1.5
  network-object host 10.2.1.6
  network-object host 10.2.1.14
  network-object host 10.2.1.91
  object-group network DM_INLINE_NETWORK_4
  network-object host 10.2.1.4
  network-object host 10.2.1.5
  network-object host 10.2.1.6
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq pop3
  port-object eq smtp
  object-group network DM_INLINE_NETWORK_5
  network-object host 10.2.1.14
  network-object host 10.2.1.39
  network-object host 10.2.1.4
  network-object host 10.2.1.5
  network-object host 10.2.1.6
  network-object host 10.2.1.85
  network-object host 10.2.1.31
  network-object host 10.2.1.32
  network-object host 10.2.1.40
  network-object host 10.2.1.55
  network-object host 10.2.1.35
  network-object host 10.2.1.3
  network-object host 10.2.1.2
  object-group service DM_INLINE_TCP_3 tcp
  port-object eq pop3
  port-object eq smtp
  object-group network DM_INLINE_NETWORK_7
  network-object host 10.2.1.4
  network-object host 10.2.1.5
  object-group network DM_INLINE_NETWORK_9
  network-object host 10.2.1.4
  network-object host 10.2.1.3
  object-group network DM_INLINE_NETWORK_2
  network-object host 10.1.1.101
  network-object host 10.1.6.1
  network-object host 10.1.6.4
  network-object host 10.1.6.5
  network-object host 10.1.0.57
  network-object host 10.1.1.57
  object-group network DM_INLINE_NETWORK_10
  network-object host 10.2.1.4
  network-object host 10.2.1.5
  network-object host 10.2.1.3
  network-object host 10.2.1.2
  object-group service DM_INLINE_TCP_4 tcp
  port-object eq pop3
  port-object eq smtp
  object-group network DM_INLINE_NETWORK_12
  network-object host 10.2.0.11
  network-object host 10.2.0.14
  object-group service DM_INLINE_TCP_5 tcp
  port-object eq pop3
  port-object eq smtp
  object-group network DM_INLINE_NETWORK_13
  network-object host 10.2.1.4
  network-object host 10.2.1.5
  object-group network DM_INLINE_NETWORK_14
  network-object host 8.8.4.4
  network-object host 8.8.8.8
  network-object host 10.1.1.1
  object-group network DM_INLINE_NETWORK_15
  network-object host 10.2.1.39
  network-object host 10.2.1.57
  object-group network DM_INLINE_NETWORK_16
  network-object host 10.2.1.14
  network-object host 10.2.1.6
  access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
  access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
  access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
  access-list Common_access_in extended permit icmp any any
  access-list Common_access_in extended permit ip host 10.2.1.76 host ***
  access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
  access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
  access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
  access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
  access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
  access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
  access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
  access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
  access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
  access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
  access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
  access-list HOLOGR_access_in extended permit icmp any any log disable
  access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
  access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
  access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
  access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
  access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
  access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
  access-list test extended permit tcp any host 10.2.5.1 eq telnet
  access-list test extended permit tcp any host 10.2.5.1 eq https
  access-list test extended permit tcp host 10.2.5.1 any eq https
  access-list test extended permit tcp host 10.2.5.1 any eq telnet
  pager lines 24
  logging enable
  logging timestamp
  logging buffer-size 8192
  logging buffered critical
  logging trap warnings
  logging asdm informational
  logging from-address ***
  logging recipient-address *** level critical
  logging host Common 10.2.1.2
  logging flash-bufferwrap
  logging flash-maximum-allocation 8192
  logging permit-hostdown
  no logging message 106014
  no logging message 313005
  no logging message 313001
  no logging message 106023
  no logging message 305006
  no logging message 733101
  no logging message 733100
  no logging message 304001
  logging message 313001 level critical
  logging message 106023 level errors
  mtu DMZ 1500
  mtu inside 1500
  mtu Devices 1500
  mtu Common 1500
  mtu Design 1500
  mtu Ruhlamat 1500
  mtu HOLOGR 1500
  mtu outside 1500
  mtu management 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any DMZ
  icmp permit any Common
  icmp permit any HOLOGR
  icmp permit any outside
  asdm image disk0:/asdm-645-206.bin
  asdm history enable
  arp timeout 14400
  object network WWW
  nat (Common,outside) static interface service tcp *** ***
  object network MAIL
  nat (DMZ,outside) static interface service tcp smtp smtp
  nat (DMZ,outside) after-auto source dynamic any interface
  nat (Common,outside) after-auto source dynamic any interface
  nat (Devices,outside) after-auto source dynamic any interface
  access-group Common_access_in in interface Common
  access-group Design_access_in in interface Design
  access-group Ruhlamat_access_in in interface Ruhlamat
  access-group HOLOGR_access_in in interface HOLOGR
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 *** 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  no user-identity enable
  user-identity default-domain LOCAL
  http server enable
  http 10.2.1.6 255.255.255.255 Common
  snmp-server host Common 10.2.1.6 community *****
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt noproxyarp DMZ
  sysopt noproxyarp inside
  sysopt noproxyarp Devices
  sysopt noproxyarp Common
  sysopt noproxyarp Design
  sysopt noproxyarp Ruhlamat
  sysopt noproxyarp HOLOGR
  sysopt noproxyarp outside
  sysopt noproxyarp management
  service resetoutside
  telnet 10.2.1.0 255.255.255.0 Common
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access Common
  dhcprelay setroute Common
  threat-detection basic-threat
  threat-detection scanning-threat
  no threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 10.2.1.4 source Common prefer
  webvpn
  smtp-server 10.2.5.5
  prompt hostname context
  call-home reporting anonymous
  call-home
  profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
  CEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
  : end

  Hi Philip,
  I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
  https://supportforums.cisco.com/docs/DOC-1222
  -Mike