New Member

security levels and performance

On a pix 515e ver. 7.0, I've set security levels between the inside and the dmz to 100. Is there anything else I should consider to allow unrestricted access between these two interfaces, I'm experiencing traffic delays from inside to dmz but not from dmz to inside.

6 REPLIES
Cisco Employee

Re: security levels and performance

Didn't you post the same question yesterday in the thread titled, "Slow traffic from inside to DMZ"?

After fixing your speed/duplex issues if the problem persists you need to use the capture feature on the PIX to capture the packets so we can see what is causing the slowdown.

Also, you don't need to set the interfaces to the same security level (unless you just want to). Since you most likely upgraded from 6.x to 7.x, if you are not using statics, or nat 0, then you need to disable nat-control by issuing the command "no nat-control".

David.

New Member

Re: security levels and performance

David,

I did publish the packet capture but got no response (figured the results were a non-issue). I'm not using NAT between the inside and dmz although I am using NAT between the outside and the dmz.

Cisco Employee

Re: security levels and performance

Hi Boondocker,

I just checked again on the other thread, and I don't see the captures. Can you attach them to this thread?

Note: I am assuming you know how to capture the packets on the PIX. Please make sure you create two separate captures, one on the DMZ interface, and one on the Inside - using an ACL to limit the traffic to be captured to just the two IPs doing the transfer. Then do your test, then upload the two capture files in pcap format so we can have a look.

If you need help with capture, please let us know.

Thanks,

David.

New Member

Re: security levels and performance

If you could help me out with the commands it would get me started. thx

Cisco Employee

Re: security levels and performance

- Assuming interfaces named inside and dmz

- Assuming IP of host on DMZ is 10.1.1.2

- Assuming IP of host on inside is 192.1.1.2

Given the above, if you are not translating the inside host when it goes to the dmz, then you only need one ACL to match the traffic you want to capture:

access-list cap permit ip host 10.1.1.2 host 192.1.1.2

access-list cap permit ip host 192.1.1.2 host 10.1.1.2

It has two entries to capture both directions of traffic. Next, you create the captures - one on each interface:

capture dmz int dmz access-list cap packet-length 1500

capture in int inside access-list cap packet-length 1500

Once applied, initiate the transfer. The default buffer on the captures is 512 bytes (this can be changed using the 'buffer' option).

To pull the captures off the pix, you can use the copy command to do it via TFTP, or you can use HTTPS to pull them off.

copy /pcap capture:dmz tftp:///

Then repeat for the inside capture as well.

Or, you can use https to pull them off:

https:///capture/dmz/pcap

https:///capture/in/pcap

Once pulled off, just upload - or you can look at them yourself in ethereal/wireshark.

David.
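The two per-interface captures described above only help once you compare them: the same packet should appear on the inside capture and, a few hundred microseconds later, on the dmz capture. Pairing packets by their IPv4 identification field shows how long each one spent inside the firewall and which ones never made it to the other interface. The script below is an added example, not part of the original thread or any Cisco tool; it builds two small pcap files in memory (constructed data, using the 192.1.1.2 and 10.1.1.2 hosts from the post), parses them with a minimal pcap reader, and reports per-packet transit time, packets missing from the dmz side, and the largest inter-packet gap per direction.

```python
"""Compare two PIX interface captures (inside, dmz) to locate a slowdown.

Constructed example: the two pcap files are synthesised in memory rather
than pulled from a PIX, so the script runs offline. Timestamps are kept
in integer microseconds to avoid floating-point noise.
"""
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _ipv4_header(src, dst, ip_id, proto=6):
    """Minimal 20-byte IPv4 header; checksum left zero (the parser ignores it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_pcap(records):
    """records: iterable of (timestamp_us, src, dst, ip_id). Returns pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1500, LINKTYPE_ETHERNET)]
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    for ts_us, src, dst, ip_id in records:
        frame = eth + _ipv4_header(src, dst, ip_id)
        sec, usec = divmod(ts_us, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Return [(timestamp_us, src, dst, ip_id)] for each IPv4-over-Ethernet packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:       # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or truncated below the IPv4 header
        ip_id, = struct.unpack_from("!H", frame, 18)
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        pkts.append((sec * 1_000_000 + usec, src, dst, ip_id))
    return pkts


def transit_delays(inside_pkts, dmz_pkts, inside_host, dmz_host):
    """Pair each inside->dmz packet on the inside capture with the same IP ID on the
    dmz capture. Returns (delays_us, ids seen on inside but never on dmz)."""
    seen_on_dmz = {(s, d, i): ts for ts, s, d, i in dmz_pkts}
    delays, missing = [], []
    for ts, s, d, i in inside_pkts:
        if (s, d) != (inside_host, dmz_host):
            continue
        if (s, d, i) in seen_on_dmz:
            delays.append(seen_on_dmz[(s, d, i)] - ts)
        else:
            missing.append(i)
    return delays, missing


def largest_gap(pkts, src, dst):
    """Largest inter-packet gap (us) for one direction; 0 if fewer than two packets."""
    times = sorted(ts for ts, s, d, _ in pkts if (s, d) == (src, dst))
    return max((b - a for a, b in zip(times, times[1:])), default=0)


def analyse(inside_pcap, dmz_pcap, inside_host, dmz_host):
    inside, dmz = parse_pcap(inside_pcap), parse_pcap(dmz_pcap)
    delays, missing = transit_delays(inside, dmz, inside_host, dmz_host)
    return {
        "transit_us": delays,
        "missing_ids": missing,
        "max_transit_us": max(delays, default=0),
        "inside_to_dmz_gap_us": largest_gap(dmz, inside_host, dmz_host),
        "dmz_to_inside_gap_us": largest_gap(inside, dmz_host, inside_host),
    }


INSIDE_HOST, DMZ_HOST = "192.1.1.2", "10.1.1.2"

# Constructed captures (not real PIX output): four data packets inside->dmz and
# one reply dmz->inside, as each interface would have seen them.
INSIDE_CAP = build_pcap([
    (0, INSIDE_HOST, DMZ_HOST, 100),
    (10_000, INSIDE_HOST, DMZ_HOST, 101),
    (20_000, INSIDE_HOST, DMZ_HOST, 102),
    (30_000, INSIDE_HOST, DMZ_HOST, 103),
    (40_500, DMZ_HOST, INSIDE_HOST, 7),
])
DMZ_CAP = build_pcap([
    (200, INSIDE_HOST, DMZ_HOST, 100),
    (10_200, INSIDE_HOST, DMZ_HOST, 101),
    (40_000, DMZ_HOST, INSIDE_HOST, 7),
    (220_500, INSIDE_HOST, DMZ_HOST, 102),  # 200 ms stall crossing the box
    # ID 103 never appears on the dmz side: dropped or lost to the capture buffer
])

if __name__ == "__main__":
    for key, value in analyse(INSIDE_CAP, DMZ_CAP, INSIDE_HOST, DMZ_HOST).items():
        print(f"{key}: {value}")
```

With real files, replace the two constructed byte strings with `open("dmz.pcap", "rb").read()` and the inside capture likewise. A consistently large transit time points at the firewall itself (inspection, NAT, or CPU), while a large gap on the inside capture with small transit times points back at the sending host or the switch port, which is what the duplex and VLAN findings in this thread turned out to be.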

New Member

Re: security levels and performance

Thanks for all the suggestions, I set my DMZ switch to a different VLAN than the inside and it fixed the problem.
