Re: [fw-wiz] Cisco VPN client is slow behind new PIX



Hi Darren,
I actually had a problem almost like that, but with a router with
advanced security features, and the router was also doing the VPN
termination job.
It was a good try to monitor the CPU and memory load during VPN
establishment till termination, which revealed that I should upgrade
both the processing power and the memory.
Maybe you need to decrease some of the inspection rules if the
processor cannot handle all your VPN connections in addition to the
inspection load.

Hope that helps.

regards,
Nad


On Tue, Feb 26, 2008 at 12:39 AM, Darren Maskowitz <squitz@xxxxxxxxx> wrote:
I recently replaced the gateway at my workplace, we had a Cisco 1721
and upgraded to a Cisco PIX 515E.
After the change my coworkers reported that their connection over
Cisco VPN client was less than half the speed it was before the
change. All the ACL rules that were on the 1721 were brought over to
the PIX.

The connection is from our office through the PIX to one of our
clients. We don't use NAT here, as we have a full Class C IP address.
Here's a sanitized excerpt from the PIX config.

! NAT Exemption Rule
access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
nat (inside) 0 access-list EXEMPT
nat (outside) 0 access-list EXEMPT

! Excerpt of inbound Rules
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any any eq pptp
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit ah any any
access-list 101 extended permit esp any any
access-list 101 extended permit 46 any any

! Excerpt from outbound rules
access-list 100 extended deny ip host 255.255.255.255 any
access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
! Allow Proxy server web access
access-list 100 extended permit tcp host x.x.x.x any eq www
!Deny everyone access to the web without proxy
access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
!Allow all other traffic out
access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp

Thanks,
Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
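As an added example, not code from the thread: a small Python check that parses the PIX excerpt quoted above, confirms that inbound ACL 101 permits the protocols the VPN client depends on, and lists every engine enabled in global_policy, which is the list Nad suggests trimming if the CPU is the bottleneck. The sample config is the sanitized excerpt from the post embedded as a constructed string; the function names are my own.

```python
# Constructed sample: the sanitized PIX excerpt quoted in the post, embedded inline.
PIX_CONFIG = """\
access-list 101 extended permit gre any any
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit ah any any
access-list 101 extended permit esp any any
policy-map type inspect dns preset_dns_map
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
"""
# (protocol, port) the VPN client needs permitted inbound; ESP, AH and GRE carry no port.
VPN_NEEDS = [("udp", "isakmp"), ("esp", None), ("ah", None), ("gre", None)]

def parse_acl(config):
    """Extract ACL name, action, protocol and 'eq' port from each extended ACE."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2] == "extended":
            port = t[t.index("eq") + 1] if "eq" in t else None
            rules.append({"acl": t[1], "action": t[3], "proto": t[4], "port": port})
    return rules

def parse_inspections(config, policy="global_policy"):
    """List engines enabled under one policy-map; other policy-maps (e.g. the dns one) are skipped."""
    inside, found = False, []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("policy-map "):
            inside = s.split()[-1] == policy
        elif inside and s.startswith("inspect "):
            found.append(s.split()[1])
    return found

def vpn_passthrough_gaps(rules, acl="101"):
    """Return the VPN_NEEDS entries no permit ACE in `acl` covers (empty means all pass)."""
    permitted = {(r["proto"], r["port"]) for r in rules if r["acl"] == acl and r["action"] == "permit"}
    return [need for need in VPN_NEEDS if need not in permitted]
```

Running it against the full (unsanitized) config with `parse_inspections(open("pix.cfg").read())` gives the engines to disable one at a time while watching `show cpu usage`.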