Firewall Wizards mailing list archives
Re: Cisco VPN client is slow behind new PIX
From: Chris Myers <clmmacunix () charter net>
Date: Wed, 27 Feb 2008 20:34:02 -0600
Just a stab in the dark without having more information, but it was probably embryonic connections and tables cleared, and as the new connections and tables were established, speed increased without inspection.
Thank You,
Chris Myers
clmmacunix () charter net

John 1:17 For the Law was given through Moses; grace and truth were realized through Jesus Christ.
Go Vols!!!!

On Feb 26, 2008, at 7:10 PM, Darren Maskowitz wrote:
I turned off the netbios inspection, and the users reported no change; however, a couple of hours after that change they came asking what I had done because the speed had increased 10 fold. I hadn't touched the configuration since removing the NetBios inspection and there is no one else here that knows how to change the config. I want to say that this change fixed it, and I'm not sure I want to know why it took a couple of hours. If it was something on our client's side then it is highly unlikely that it would coincide so closely with the changes here, and that there would be no notification that the changes were taking place.

Thanks for the help ^_^
Darren

On 2/25/08, Victor Williams <vbwilliams () neb rr com> wrote:

What are the hosts primarily? Windows? If so, that "inspect netbios" line will probably be the source of your slowdown.

Darren Maskowitz wrote:

I recently replaced the gateway at my workplace; we had a Cisco 1721 and upgraded to a Cisco PIX 515E. After the change my coworkers reported that their connection over Cisco VPN client was less than half the speed it was before the change. All the ACL rules that were on the 1721 were brought over to the PIX. The connection is from our office through the PIX to one of our clients. We don't use NAT here, as we have a full Class C IP address.

Here's a sanitized excerpt from the PIX config.

! NAT Exemption Rule
access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
nat (inside) 0 access-list EXEMPT
nat (outside) 0 access-list EXEMPT
! Excerpt of inbound Rules
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any any eq pptp
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit ah any any
access-list 101 extended permit esp any any
access-list 101 extended permit 46 any any
! Excerpt from outbound rules
access-list 100 extended deny ip host 255.255.255.255 any
access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
! Allow Proxy server web access
access-list 100 extended permit tcp host x.x.x.x any eq www
!Deny everyone access to the web without proxy
access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
!Allow all other traffic out
access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp

Thanks,
Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
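Added example, not part of the original thread or any poster's code: a small Python check that compares two saved PIX 7.x configs and reports which inspection engines changed under each policy-map class, to confirm that the "inspect netbios" removal was the only inspection change. The BEFORE/AFTER samples are constructed from the policy section quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: policy section from the thread, before/after "no inspect netbios".
BEFORE = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
"""
AFTER = BEFORE.replace("  inspect netbios\n", "")

def inspections(config):
    """Map (policy-map, class) -> set of 'inspect' arguments in a PIX 7.x config."""
    result, policy, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # Any top-level command ends the block; "policy-map type ..." maps are skipped.
            m = re.match(r"policy-map (?!type\b)(\S+)$", line)
            policy, cls = (m.group(1) if m else None), None
        elif policy and line.startswith("class "):
            cls = line.split(None, 1)[1]
        elif policy and cls and line.startswith("inspect "):
            result.setdefault((policy, cls), set()).add(line.split(None, 1)[1])
    return result

def inspection_diff(before, after):
    """Return {(policy, class): (removed, added)} for every class that changed."""
    b, a = inspections(before), inspections(after)
    return {k: (sorted(b.get(k, set()) - a.get(k, set())),
                sorted(a.get(k, set()) - b.get(k, set())))
            for k in sorted(b.keys() | a.keys()) if b.get(k) != a.get(k)}

print(inspection_diff(BEFORE, AFTER))
```

The "policy-map type inspect dns" block is deliberately ignored, since it only sets parameters for the DNS engine and is not itself applied to traffic.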
Current thread:
- Cisco VPN client is slow behind new PIX Darren Maskowitz (Feb 25)
- Re: Cisco VPN client is slow behind new PIX Victor Williams (Feb 25)
- Re: Cisco VPN client is slow behind new PIX Robert MacDonald (Feb 26)
- Re: Cisco VPN client is slow behind new PIX Darren Maskowitz (Feb 27)
- Re: Cisco VPN client is slow behind new PIX Chris Myers (Feb 29)
- Re: Cisco VPN client is slow behind new PIX Phil Van Cleave (Feb 26)
- Re: Cisco VPN client is slow behind new PIX Pete Capelli (Feb 26)
- Re: Cisco VPN client is slow behind new PIX shadow floating (Feb 29)
- Re: Cisco VPN client is slow behind new PIX Victor Williams (Feb 25)