Firewall Wizards mailing list archives

Re: Cisco VPN client is slow behind new PIX


From: "Pete Capelli" <pcapelli () gmail com>
Date: Tue, 26 Feb 2008 13:52:14 -0500

FYI; check port speed on the FW and switch. I've seen new Cisco gear
go in at 100/half, and performance really suffers ...

-pete

On Mon, Feb 25, 2008 at 5:39 PM, Darren Maskowitz <squitz () gmail com> wrote:
I recently replaced the gateway at my workplace; we had a Cisco 1721
 and upgraded to a Cisco PIX 515E.
 After the change my coworkers reported that their connection over
 Cisco VPN client was less than half the speed it was before the
 change. All the ACL rules that were on the 1721 were brought over to
 the PIX.

 The connection is from our office through the PIX to one of our
 clients. We don't use NAT here, as we have a full Class C IP address.
 Here's a sanitized excerpt from the PIX config.

 ! NAT Exemption Rule
 access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
 nat (inside) 0 access-list EXEMPT
 nat (outside) 0 access-list EXEMPT

 ! Excerpt of inbound Rules
 access-list 101 extended permit gre any any
 access-list 101 extended permit tcp any any eq pptp
 access-list 101 extended permit udp any any eq isakmp
 access-list 101 extended permit ah any any
 access-list 101 extended permit esp any any
 access-list 101 extended permit 46 any any

 ! Excerpt from outbound rules
 access-list 100 extended deny ip host 255.255.255.255 any
 access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
 ! Allow Proxy server web access
 access-list 100 extended permit tcp host x.x.x.x any eq www
 !Deny everyone access to the web without proxy
 access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
 !Allow all other traffic out
 access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
 access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
 access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
 access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
 !
 class-map inspection_default
  match default-inspection-traffic
 !
 !
 policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
 policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp

 Thanks,
 Darren
 _______________________________________________
 firewall-wizards mailing list
 firewall-wizards () listserv icsalabs com
 https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




-- 

Pete Capelli                                              pcapelli () ieee org
http://www.capelli.org                                 PGP Key ID:0x829263B6
"Those who would give up essential liberty for temporary safety deserve neither
liberty nor safety" - Benjamin Franklin, 1759
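Pete's suggestion is a speed/duplex check on the PIX and the switch port it plugs into. The script below is an added example, not part of the thread: it parses `show interface` text from the PIX and flags the symptoms of a mismatch (half duplex, a lower speed than expected, late collisions). The sample output is constructed, and the exact line layout it assumes is modelled on PIX 7.x and may differ between software versions.

```python
import re
# Constructed sample of PIX "show interface" output (not from the thread); the
# layout of the duplex/speed and collision lines is an assumption modelled on
# PIX 7.x and may differ between software versions.
SAMPLE_SHOW_INTERFACE = """\
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        17 late collisions, 0 deferred
Interface Ethernet1 "inside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        0 late collisions, 0 deferred
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
DUPLEX_RE = re.compile(r'(Half|Full)-duplex', re.I)  # negotiated duplex
SPEED_RE = re.compile(r'(\d+) Mbps')                 # read only from the duplex line
LATE_RE = re.compile(r'(\d+) late collisions')

def check_interfaces(text, expected_speed=100):
    """Parse show-interface text; return one dict per interface with warnings."""
    results, cur = [], None
    for line in text.splitlines():
        hdr = IFACE_RE.match(line)
        if hdr:  # start of a new interface block
            cur = {"name": f"{hdr.group(1)} ({hdr.group(2)})", "duplex": "unknown",
                   "speed_mbps": 0, "late_collisions": 0, "warnings": []}
            results.append(cur)
            continue
        if cur is None:
            continue
        dup = DUPLEX_RE.search(line)
        if dup:
            cur["duplex"] = dup.group(1).lower()
            spd = SPEED_RE.search(line)  # speed sits on the same line as duplex
            if spd:
                cur["speed_mbps"] = int(spd.group(1))
        late = LATE_RE.search(line)
        if late:
            cur["late_collisions"] = int(late.group(1))
    for r in results:
        if r["duplex"] == "half":
            r["warnings"].append("half duplex: check the switch port for a speed/duplex mismatch")
        if r["speed_mbps"] and r["speed_mbps"] < expected_speed:
            r["warnings"].append(f"negotiated {r['speed_mbps']} Mbps, expected {expected_speed} Mbps")
        if r["late_collisions"]:
            r["warnings"].append(f"{r['late_collisions']} late collisions, a classic duplex-mismatch symptom")
    return results
```

Run it against real `show interface` output pasted into a file; any interface that comes back with warnings is a candidate for hard-setting speed and duplex on both ends.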