User Manual
TRex 75 / 113
7.3 TRex with ASA 5585
When running TRex against an ASA 5585, note the following:
• The ASA cannot forward IPv4 options, so --learn-mode 1 (or 3) must be used in case of NAT. In this mode, bidirectional UDP
flows are not supported. --learn-mode 1 supports TCP sequence number randomization on both sides of the connection (client
to server and server to client). For this to work, TRex must learn the translation of packets from both sides, so this mode reduces
the number of connections per second TRex can generate (the number is still high enough to test any existing firewall). If you
need a higher CPS rate, you can use --learn-mode 3. This mode handles sequence number randomization on the client→server side
only.
• Latency should be tested using ICMP with --l-pkt-mode 2
7.3.1 ASA 5585 sample configuration
ciscoasa# show running-config
: Saved
:
: Serial Number: JAD194801KX
: Hardware: ASA5585-SSP-10, 6144 MB RAM, CPU Xeon 5500 series 2000 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.56.216.106 255.255.255.0
!
interface TenGigabitEthernet0/8
 nameif inside
 security-level 100
 ip address 15.0.0.1 255.255.255.0
!
interface TenGigabitEthernet0/9
 nameif outside
 security-level 0
 ip address 40.0.0.1 255.255.255.0
!
boot system disk0:/asa952-smp-k8.bin
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 9000
mtu outside 9000
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside 40.0.0.2 90e2.baae.87d1
arp inside 15.0.0.2 90e2.baae.87d0
arp timeout 14400










