Firewall Wizards mailing list archives

Re: Cisco VPN client is slow behind new PIX


From: "Phil Van Cleave" <cvp () sprintmail com>
Date: Mon, 25 Feb 2008 23:45:26 -0800

Try upgrading to the latest client version. Have had this problem on the
VPN3015 in the past.

Phil 

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Darren
Maskowitz
Sent: Monday, February 25, 2008 2:39 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Cisco VPN client is slow behind new PIX

I recently replaced the gateway at my workplace; we had a Cisco 1721 and
upgraded to a Cisco PIX 515E.
After the change my coworkers reported that their connection over Cisco VPN
client was less than half the speed it was before the change. All the ACL
rules that were on the 1721 were brought over to the PIX.

The connection is from our office through the PIX to one of our clients. We
don't use NAT here, as we have a full Class C IP address.
Here's a sanitized excerpt from the PIX config.

! NAT Exemption Rule
access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
nat (inside) 0 access-list EXEMPT
nat (outside) 0 access-list EXEMPT

! Excerpt of inbound Rules
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any any eq pptp
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit ah any any
access-list 101 extended permit esp any any
access-list 101 extended permit 46 any any

! Excerpt from outbound rules
access-list 100 extended deny ip host 255.255.255.255 any
access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
! Allow Proxy server web access
access-list 100 extended permit tcp host x.x.x.x any eq www
! Deny everyone access to the web without proxy
access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
! Allow all other traffic out
access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp

Thanks,
Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


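As an added example (not code from the post or from Cisco): a small Python model of PIX first-match ACL evaluation, run over ACEs reconstructed from the excerpt above, to confirm which of the VPN client's isakmp and esp flows the migrated rules permit and which fall through to the implicit deny. The 203.0.113.0/24 network and the .10 proxy host are assumed stand-ins for the sanitized addresses.

```python
import ipaddress
# Constructed sample modelled on the ACL excerpt in the post; 203.0.113.0/24 stands in for the sanitized x.x.x.0 net, .10 for the proxy host (assumptions).
PIX_ACL = """
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any any eq pptp
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit ah any any
access-list 101 extended permit esp any any
access-list 100 extended deny ip host 255.255.255.255 any
access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 100 extended permit tcp host 203.0.113.10 any eq www
access-list 100 extended deny tcp 203.0.113.0 255.255.255.0 any eq www
access-list 100 extended permit tcp 203.0.113.0 255.255.255.0 any
access-list 100 extended permit udp 203.0.113.0 255.255.255.0 any
access-list 100 extended permit ip 203.0.113.0 255.255.255.0 any
"""
PORT_NAMES = {"www": 80, "pptp": 1723, "isakmp": 500}  # service names used in the excerpt

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) and return an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")  # dotted-mask form

def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dst_port_or_None), ...]} in order."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        name, action, proto, rest = parts[1], parts[3], parts[4], parts[5:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport = PORT_NAMES.get(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls

def first_match(aces, proto, src, dst, dport=None):
    """Evaluate one flow against an ordered ACL: first matching ACE wins, else implicit deny."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in aces:
        proto_ok = p in ("ip", proto)          # "ip" entries match every protocol
        port_ok = port is None or port == dport  # port-less entries match any port
        if proto_ok and port_ok and s_ip in s and d_ip in d:
            return action
    return "deny"
```

Running the client's real flows through both directions this way is a quick check that an ACL migration from the 1721 preserved the intended policy; anything that lands on the implicit deny is a candidate cause of VPN trouble.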