security levels and performance

Unanswered Question
Mar 30th, 2007

On a pix 515e ver. 7.0, I've set security levels between the inside and the dmz to 100. Is there anything else I should consider to allow unrestricted access between these two interfaces, I'm experiencing traffic delays from inside to dmz but not from dmz to inside.

David White Fri, 03/30/2007 - 06:58

Didn't you post the same question yesterday in the thread titled, "Slow traffic from inside to DMZ"?

After fixing your speed/duplex issues if the problem persists you need to use the capture feature on the PIX to capture the packets so we can see what is causing the slowdown.

Also, you don't need to set the interfaces to the same security level (unless you just want to). Since you most likely upgraded from 6.x to 7.x, if you are not using statics, or nat 0, then you need to disable nat-control by issuing the command "no nat-control".


boondocker Fri, 03/30/2007 - 07:08


I did publish the packet capture but got no response (figured the results were a non-issue). I'm not using NAT between the inside and dmz although I am using NAT between the outside and the dmz.

David White Fri, 03/30/2007 - 07:42

Hi Boondocker,

I just checked again on the other thread, and I don't see the captures. Can you attach them to this thread?

Note: I am assuming you know how to capture the packets on the PIX. Please make sure you create two separate captures, one on the DMZ interface, and one on the Inside - using an ACL to limit the traffic to be captured to just the two IPs doing the transfer. Then do your test, then upload the two capture files in pcap format so we can have a look.

If you need help with capture, please let us know.



boondocker Fri, 03/30/2007 - 08:20

If you could help me out with the commands it would get me started. thx

David White Fri, 03/30/2007 - 08:43

- Assuming interfaces named inside and dmz

- Assuming IP of host on DMZ is

- Assuming IP of host on inside is

Given the above, if you are not translating the inside host when it goes to the dmz, then you only need one ACL to match the traffic you want to capture:

access-list cap permit ip host host

access-list cap permit ip host host

It has two entries to capture both directions of traffic. Next, you create the captures - one on each interface:

capture dmz int dmz access-list cap packet-l 1500

capture in int inside access-list cap packet-l 1500

Once applied, initiate the transfer. The default buffer on the captures is 512 bytes (this can be changed using the 'buffer' option).

To pull the captures off the pix, you can use the copy command to do it via TFTP, or you can use HTTPS to pull them off.

copy /pcap capture:dmz tftp:///

Then repeat for the inside capture as well.

Or, you can use https to pull them off:



Once pulled off, just upload - or you can look at them yourself in Ethereal/Wireshark.
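The two captures in the procedure above (one per interface, same ACL, same transfer) are most useful when lined up against each other, which is what "so we can have a look" comes down to. The script below is an added example, not from this thread and not a Cisco tool: it parses two libpcap files of the kind `copy /pcap capture:<name> tftp:...` writes, pairs every inside-to-dmz segment across them, and reports the time each segment spent inside the firewall, how many data segments the inside host had to retransmit, and which segments never showed up on the dmz side. Pairing is done on the IPv4 identification field rather than the TCP sequence number because the PIX randomizes TCP sequence numbers by default, so the same segment carries different sequence numbers on the two interfaces. The host addresses (10.1.1.50 and 192.168.1.10) and the sample captures are constructed for illustration; to use it on real files, pass `open(path, "rb").read()` of each capture to `compare_captures`.

```python
"""Pair the inside and dmz PIX captures of one TCP transfer (added example,
not from the thread or from Cisco).  Segments are matched across the two pcap
files by IPv4 ID, which the PIX leaves alone; TCP sequence numbers are not used
because the PIX randomizes them by default, so one segment carries different
sequence numbers on the two interfaces.  Hosts and captures below are made up."""
import socket
import struct
from collections import namedtuple

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # as read with "<I"
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, PROTO_TCP = 1, 0x0800, 6
Segment = namedtuple("Segment", "ts src dst ip_id seq payload_len")


def parse_pcap(data):
    """Yield a Segment for every IPv4/TCP frame in a libpcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet (14) + minimal IPv4 (20) + minimal TCP (20) header bytes
        if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, ip_id = struct.unpack_from("!HH", ip, 2)
        if ip[9] != PROTO_TCP:
            continue
        tcp = ip[ihl:]
        seq, = struct.unpack_from("!I", tcp, 4)
        doff = (tcp[12] >> 4) * 4
        yield Segment(sec + usec / 1e6, socket.inet_ntoa(ip[12:16]),
                      socket.inet_ntoa(ip[16:20]), ip_id, seq, total_len - ihl - doff)


def compare_captures(inside_pcap, dmz_pcap, inside_host, dmz_host):
    """Return {"delays": {ip_id: seconds from inside sighting to dmz sighting},
    "retransmissions": data segments inside_host re-sent (same seq seen again
    on inside), "missing_on_dmz": IP IDs seen on inside that never reached dmz}."""
    first_seen, seqs, retransmissions = {}, set(), 0
    for s in parse_pcap(inside_pcap):
        if s.src != inside_host or s.dst != dmz_host:
            continue
        first_seen.setdefault(s.ip_id, s.ts)
        if s.payload_len > 0:
            retransmissions += int(s.seq in seqs)
            seqs.add(s.seq)
    delays = {}
    for s in parse_pcap(dmz_pcap):
        if s.src == inside_host and s.dst == dmz_host and s.ip_id in first_seen:
            delays.setdefault(s.ip_id, s.ts - first_seen[s.ip_id])
    missing = sorted(i for i in first_seen if i not in delays)
    return {"delays": delays, "retransmissions": retransmissions, "missing_on_dmz": missing}


# --- constructed sample captures with hypothetical hosts, so this runs offline ---
def build_frame(src, dst, ip_id, seq, payload_len):
    """One Ethernet/IPv4/TCP frame; checksums left zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 445, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, ip_id, 0, 64,
                     PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + b"\x00" * payload_len


def build_pcap(records):
    """records: iterable of (seconds, frame) -> little-endian libpcap bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


INSIDE_HOST, DMZ_HOST = "10.1.1.50", "192.168.1.10"
# Inside view: IP ID 101 (seq 2460) is lost in the firewall and re-sent 0.4 s
# later as IP ID 102; IP ID 103 is held up for half a second.
INSIDE_CAPTURE = build_pcap([
    (1.000000, build_frame(INSIDE_HOST, DMZ_HOST, 100, 1000, 1460)),
    (1.001000, build_frame(INSIDE_HOST, DMZ_HOST, 101, 2460, 1460)),
    (1.400000, build_frame(INSIDE_HOST, DMZ_HOST, 102, 2460, 1460)),
    (1.401000, build_frame(INSIDE_HOST, DMZ_HOST, 103, 3920, 1460)),
])
# Dmz view: same IP IDs, sequence numbers shifted by the PIX's randomization.
DMZ_CAPTURE = build_pcap([
    (1.000200, build_frame(INSIDE_HOST, DMZ_HOST, 100, 5000, 1460)),
    (1.400300, build_frame(INSIDE_HOST, DMZ_HOST, 102, 6460, 1460)),
    (1.901000, build_frame(INSIDE_HOST, DMZ_HOST, 103, 7920, 1460)),
])

if __name__ == "__main__":
    r = compare_captures(INSIDE_CAPTURE, DMZ_CAPTURE, INSIDE_HOST, DMZ_HOST)
    for ip_id, d in sorted(r["delays"].items()):
        print(f"ip_id {ip_id}: {d * 1000:.1f} ms inside -> dmz")
    print("retransmissions:", r["retransmissions"], " never reached dmz:", r["missing_on_dmz"])
```

A large gap between the inside and dmz timestamps for the same IP ID points at the firewall itself; retransmissions with no matching dmz sighting point at drops on the way in (the duplex mismatch David mentions earlier would show up exactly like that); a clean pairing with small deltas means the slowdown is beyond the firewall. The two captures are taken from the same PIX clock, so the deltas are directly comparable.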


boondocker Wed, 04/18/2007 - 06:42

Thanks for all the suggestions, I set my DMZ switch to a different VLAN than the inside and it fixed the problem.

