security levels and performance

boondocker
Level 1

On a pix 515e ver. 7.0, I've set security levels between the inside and the dmz to 100. Is there anything else I should consider to allow unrestricted access between these two interfaces, I'm experiencing traffic delays from inside to dmz but not from dmz to inside.

6 Replies

David White
Cisco Employee

Didn't you post the same question yesterday in the thread titled, "Slow traffic from inside to DMZ"?

After fixing your speed/duplex issues if the problem persists you need to use the capture feature on the PIX to capture the packets so we can see what is causing the slowdown.

Also, you don't need to set the interfaces to the same security level (unless you just want to). Since you most likely upgraded from 6.x to 7.x, if you are not using statics, or nat 0, then you need to disable nat-control by issuing the command "no nat-control".

David.

David,

I did publish the packet capture but got no response (figured the results were a non-issue). I'm not using NAT between the inside and dmz although I am using NAT between the outside and the dmz.

Hi Boondocker,

I just checked again on the other thread, and I don't see the captures. Can you attach them to this thread?

Note: I am assuming you know how to capture the packets on the PIX. Please make sure you create two separate captures, one on the DMZ interface, and one on the Inside - using an ACL to limit the traffic to be captured to just the two IPs doing the transfer. Then do your test, then upload the two capture files in pcap format so we can have a look.

If you need help with capture, please let us know.

Thanks,

David.

If you could help me out with the commands it would get me started. thx

- Assuming interfaces named inside and dmz

- Assuming IP of host on DMZ is 10.1.1.2

- Assuming IP of host on inside is 192.1.1.2

Given the above, if you are not translating the inside host when it goes to the dmz, then you only need one ACL to match the traffic you want to capture:

access-list cap permit ip host 10.1.1.2 host 192.1.1.2

access-list cap permit ip host 192.1.1.2 host 10.1.1.2

It has two entries to capture both directions of traffic. Next, you create the captures - one on each interface:

capture dmz int dmz access-list cap packet-l 1500

capture in int inside access-list cap packet-l 1500

Once applied, initiate the transfer. The default buffer on the captures is 512 bytes (this can be changed using the 'buffer' option).

To pull the captures off the pix, you can use the copy command to do it via TFTP, or you can use HTTPS to pull them off.

copy /pcap capture:dmz tftp:///

Then repeat for the inside capture as well.

Or, you can use https to pull them off:

https:///capture/dmz/pcap

https:///capture/in/pcap

Once pulled off, just upload - or you can look at them yourself in ethereal/wireshark.

David.
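The point of taking one capture on each interface, as described in the reply above, is that the two files are stamped by the same PIX clock, so the same packet's copy on the inside capture and on the dmz capture can be matched and the difference between the two timestamps is the time the firewall itself spent on it. The following script is an added example (not code from the thread or from Cisco) that does exactly that with only the Python standard library: it parses the two pcap files, matches packets on (src, dst, IP ID), and reports per-direction transit delay and packets that appear on only one interface. It assumes the hosts named in the thread (192.1.1.2 inside, 10.1.1.2 dmz), no translation between the two interfaces, and Ethernet-framed captures; the sample captures are constructed inline so it runs offline.

```python
"""Added example: measure PIX transit delay from the two captures (inside, dmz).

Matches each packet's copy on both interfaces and reports the delay per
direction.  Stdlib only.  Sample captures are constructed below with the
hypothetical hosts from the thread: 192.1.1.2 (inside) and 10.1.1.2 (dmz).
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src, dst, ip_id, sport, dport, seq, payload=b""):
    """Ethernet/IPv4/TCP frame (constructed; checksums left zero, irrelevant here)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """packets: iterable of (sec, usec, frame) -> little-endian classic pcap bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp_us, src, dst, ip_id) for each IPv4 packet in an Ethernet pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4, or truncated
        ip_id, = struct.unpack_from("!H", frame, 18)
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield sec * 1_000_000 + usec, src, dst, ip_id


def transit_delays(inside_pcap, dmz_pcap, inside_hosts):
    """Return {'inside->dmz': [ms...], 'dmz->inside': [ms...], 'unmatched': n}.

    Key is (src, dst, IP ID): it survives the trip through the firewall when
    no NAT is applied between the two interfaces.  The TCP sequence number is
    deliberately not part of the key, because the PIX randomises initial
    sequence numbers by default, so it differs between the two captures.
    """
    def index(pcap):
        first = {}
        for ts, src, dst, ip_id in parse_pcap(pcap):
            first.setdefault((src, dst, ip_id), ts)    # keep the first copy seen
        return first

    inside, dmz = index(inside_pcap), index(dmz_pcap)
    result = {"inside->dmz": [], "dmz->inside": [], "unmatched": 0}
    for key in set(inside) | set(dmz):
        if key not in inside or key not in dmz:
            result["unmatched"] += 1                   # seen on one side only: dropped, or outside the ACL
            continue
        if key[0] in inside_hosts:
            result["inside->dmz"].append((dmz[key] - inside[key]) / 1000)
        else:
            result["dmz->inside"].append((inside[key] - dmz[key]) / 1000)
    for k in ("inside->dmz", "dmz->inside"):
        result[k].sort()
    return result


def sample_captures():
    """Constructed sample: 250 ms inside->dmz, 0.4 ms dmz->inside, one packet never reaching the dmz."""
    IN, DMZ = "192.1.1.2", "10.1.1.2"
    inside_pkts, dmz_pkts = [], []
    for i, ip_id in enumerate((100, 101, 102)):        # inside -> dmz, delayed 250 ms
        f = build_frame(IN, DMZ, ip_id, 40000, 445, 1000 + i)
        inside_pkts.append((1, 10_000 * i, f))
        dmz_pkts.append((1, 250_000 + 10_000 * i, f))
    for i, ip_id in enumerate((500, 501, 502)):        # dmz -> inside, 0.4 ms
        f = build_frame(DMZ, IN, ip_id, 445, 40000, 2000 + i)
        dmz_pkts.append((2, 10_000 * i, f))
        inside_pkts.append((2, 400 + 10_000 * i, f))
    inside_pkts.append((3, 0, build_frame(IN, DMZ, 999, 40000, 445, 3000)))
    key = lambda p: p[:2]
    return build_pcap(sorted(inside_pkts, key=key)), build_pcap(sorted(dmz_pkts, key=key))


if __name__ == "__main__":
    inside_pcap, dmz_pcap = sample_captures()
    r = transit_delays(inside_pcap, dmz_pcap, {"192.1.1.2"})
    for d in ("inside->dmz", "dmz->inside"):
        print(f"{d}: max {max(r[d]):.1f} ms over {len(r[d])} packets")
    print("unmatched:", r["unmatched"])
```

To use it on real files, replace sample_captures() with the two pcaps pulled off the PIX (capture:in and capture:dmz) and pass the inside host's address. A large delay only in one direction, as in the constructed sample, points at the firewall or the link on the egress side for that direction; a large "unmatched" count means packets are being dropped between the two interfaces rather than merely delayed. If NAT is applied between the interfaces, the src/dst part of the key has to be translated before matching.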

Thanks for all the suggestions, I set my DMZ switch to a different VLAN than the inside and it fixed the problem.
