How to identify if PIX is culprit?


I just installed Small Business Server 2003 and am using it for Email (Exchange) services. OWA works great inside the network but it is so slow outside the network that I know something is wrong. How can I identify if it is something in the PIX 501 firewall causing the issue? I can't just take the PIX off the T1 since it is doing Network Address Translation. Please give me ideas, I'm working this weekend and desperate to solve the problem.

Jon Marshall Sat, 06/16/2007 - 04:30

Hi


When you say outside the network, do you mean across the Internet or just from the outside of the PIX?


Firstly, check the speed/duplex of your PIX interfaces and the switch ports they are connected into.


Secondly, if you could temporarily allow ip from your source address outside the PIX to the SBS and see if that makes a difference. If it does, it may be that you need to open additional ports for OWA to work more smoothly.


HTH


Jon

I mean across the Internet. I'm not sure how to just be outside the PIX without being on the Internet. I guess I could plug a PC directly to the PIX or something to be outside.


If there was a way to see what the PIX is blocking, perhaps that would clarify the issue.


If I took the PIX out of the configuration, I think I'd have a problem as the PIX is doing address translation.

Jon Marshall Sat, 06/16/2007 - 09:25

Hi


Okay, well the Internet is a huge variable in itself, so compared to performance on the LAN it is always going to seem slow.


You don't need to take the PIX out of the configuration.


1) Identify your source IP address when you connect across the Internet

2) Add a rule to your PIX allowing all ip from that IP address to your SBS server, i.e.


access-list acl_outside permit ip host "your source address" host "SBS NAT address"


Alternatively, you can add a rule at the end of your access-list


deny ip any any log


which will show which ports are being blocked, but you may be getting so many hits that you can't see much.


Jon
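
One way to cope with the volume of hits from the logged deny rule described above, as an added example that is not part of the original thread: filter the PIX syslog output down to the tester's source address and count the denied destination ports. The message layout (syslog ID 106023), the function name `denied_ports` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of the PIX ACL-deny syslog message (ID 106023).
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\S+) '
    r'src [^:\s]+:(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst [^:\s]+:(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
)

def denied_ports(lines, source_ip):
    """Count denied (protocol, destination port) pairs for one source address."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m is None or m.group('src_ip') != source_ip:
            continue  # not an ACL deny, or background noise from another host
        # ICMP denies carry no port, so record None for those.
        port = int(m.group('dst_port')) if m.group('dst_port') else None
        counts[(m.group('proto'), port)] += 1
    return counts

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    'Jun 16 2007 09:41:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3312 '
    'dst inside:203.0.113.10/80 by access-group "acl_outside"',
    'Jun 16 2007 09:41:05: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3313 '
    'dst inside:203.0.113.10/80 by access-group "acl_outside"',
    'Jun 16 2007 09:41:06: %PIX-4-106023: Deny tcp src outside:192.0.2.44/4021 '
    'dst inside:203.0.113.10/445 by access-group "acl_outside"',
    'Jun 16 2007 09:41:09: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3320 '
    'dst inside:203.0.113.10/8080 by access-group "acl_outside"',
    'Jun 16 2007 09:41:10: %PIX-6-302013: Built inbound TCP connection 1201 for '
    'outside:198.51.100.7/3330 (198.51.100.7/3330) to inside:192.168.16.2/443 '
    '(203.0.113.10/443)',
    'Jun 16 2007 09:41:12: %PIX-4-106023: Deny icmp src outside:192.0.2.44 '
    'dst inside:203.0.113.10 (type 8, code 0) by access-group "acl_outside"',
]

if __name__ == '__main__':
    # 198.51.100.7 stands in for "your source address" from step 1.
    for (proto, port), hits in denied_ports(SAMPLE_LOG, '198.51.100.7').most_common():
        print(f'{proto}/{port}: {hits} denied')
```

Run it against the saved syslog output while reproducing the slow OWA session from the outside address; any port that shows up is one the access-list is dropping for that client.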
