Re: [fw-wiz] Cisco VPN client is slow behind new PIX



Title: Re: [fw-wiz] Cisco VPN client is slow behind new PIX
You don't show what the interface setups are on the switch, PIX
and old 1721. Duplex or MTU may play a role here.
 
What about route entries(is the PIX aimed at the same gateway(s) as
the 1721 was?)
 
How many clients do you have? Is there a router/L3 switch between the
clients and the PIX? If so, then I don't believe the NB would be an issue,
unless it's all going over a GRE tunnel.
 
A quick look through the rules listed, you don't lock down much. Possibly
someone has learned they can use just about any other protocol to bypass
your proxy. By any chance is utilitzation of the circuit higher?

From: Victor Williams
Sent: Mon 2/25/2008 8:24 PM
To: Firewall Wizards Security Mailing List
 
What are the hosts primarily?  Windows?  If so, that "inspect netbios"
line will probably be the source of your slowdown.

Darren Maskowitz wrote:
> I recently replaced the gateway at my workplace, we had a Cisco 1721
> and upgraded to a Cisco PIX 515E.
> After the change my coworkers reported that their connection over
> Cisco VPN client was less than half the speed it was before the
> change. All the ACL rules that were on the 1721 were brought over to
> the PIX.
>
> The connection is from our office through the PIX to one of our
> clients. We don't use NAT here, as we have a full Class C IP address.
> Here's a sanitized excerpt from the PIX config.
>
> ! NAT Exemption Rule
> access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
> nat (inside) 0 access-list EXEMPT
> nat (outside) 0 access-list EXEMPT
>
> ! Excerpt of inbound Rules
> access-list 101 extended permit gre any any
> access-list 101 extended permit tcp any any eq pptp
> access-list 101 extended permit udp any any eq isakmp
> access-list 101 extended permit ah any any
> access-list 101 extended permit esp any any
> access-list 101 extended permit 46 any any
>
> ! Excerpt from outbound rules
> access-list 100 extended deny ip host 255.255.255.255 any
> access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
> ! Allow Proxy server web access
> access-list 100 extended permit tcp host x.x.x.x any eq www
> !Deny everyone access to the web without proxy
> access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
> !Allow all other traffic out
> access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
> access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
> access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
> access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect netbios
>   inspect tftp
>
> Thanks,
> Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards