Cisco Support Community

New Member

Internet is very slow behind Pix 515E UR

Whenever I access the web site which is behind the Pix firewalls, the speed is really slow.

I bypassed the firewall and accessed the same site and it's fast!

I checked my settings and made sure all the connected devices are running at 100 and full duplex, they all are!

I mean, why is this happening... is it because the pix has to inspect each packet?

The bandwidth from the service provider is 64k.

Any Idea Please.

any ideas?

4 REPLIES
Gold

Re: Internet is very slow behind Pix 515E UR

Hi Ismail,

What's the speed set on the pix interface card? Is it also set as 100 full? Your config should tell you this.

Hope this helps --

New Member

Re: Internet is very slow behind Pix 515E UR

The speed of the Pix is 100 and set as full.

I mean the point may be somewhere else. In my opinion it may be because of the natting, because to be honest our service provider gave us private IP addresses and we have inside private IP addresses also, so I am expecting that they are doing natting from their side (service provider); besides, the pix is doing natting also. It's like double natting... maybe this is why the internet is slow. Am I right?

Cisco Employee

Re: Internet is very slow behind Pix 515E UR

Hi Ismail,

What is the version on the PIX? You may want to do 'no natting' on the pix just for testing and see if that makes any difference.

Otherwise, capturing traces on both the outside and the inside interfaces will give you a better idea. Is the ISP natting on the outside router?

thanks,

yatin

New Member

Re: Internet is very slow behind Pix 515E UR

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

The Pix version is 6.1; besides, this is a satellite connection.

The internal Address range is 10.10.10.0-10.10.10.254 255.255.0.0

Outside address range is 10.15.9.163-183 255.255.255.224

Default Gateway: 10.15.9.62 255.255.255.224

DNS1: xxx.xxx.62.1

DNS2: xxx.xxx.40.30

Please tell me if I have to do natting in this case and how I can run the pix without natting.

AN# show config

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password xxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

hostname AN

domain-name xxx.xxx

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_in permit icmp any any

access-list acl_in permit udp any any

access-list acl_in permit tcp any any

pager lines 10

logging buffered debugging

interface ethernet0 100basetx

interface ethernet1 100basetx

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 10.15.9.163 255.255.255.224

ip address inside 10.10.10.85 255.255.0.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 10.15.9.164-10.15.9.180

global (outside) 1 10.15.9.181

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.15.9.163 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxxxxxxxx

I am sure that the ISP is doing natting in one way or another.
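
Added example, not part of any post in this thread: a small Python review pass over lines from the posted `show config`, flagging statements a reader would want to look at (a default route whose next hop is the firewall's own outside address, the quoted default gateway lying outside the outside subnet, an `access-group` naming an ACL with no entries, permit-any ACL entries, the `public` SNMP community, and Telnet allowed from any source). The `audit` function and the finding codes are hypothetical names chosen for this example.

```python
import ipaddress

# Subset of the posted `show config`; STATED_GATEWAY is the gateway quoted in prose.
POSTED_CONFIG = """\
access-list acl_in permit tcp any any
ip address outside 10.15.9.163 255.255.255.224
ip address inside 10.10.10.85 255.255.0.0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.15.9.163 1
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
"""
STATED_GATEWAY = "10.15.9.62"


def audit(config, stated_gateway=None):
    """Return sorted (code, detail) findings for a PIX 6.x style config."""
    rows = [line.split() for line in config.splitlines() if line.strip()]
    # Pass 1: collect interface addresses and the ACL names that have entries.
    ifaces = {t[2]: ipaddress.ip_interface(f"{t[3]}/{t[4]}")
              for t in rows if t[:2] == ["ip", "address"] and len(t) >= 5}
    acls = {t[1] for t in rows if t[0] == "access-list" and len(t) > 2}
    found = set()
    # Pass 2: check each statement against what pass 1 collected.
    for t in rows:
        if t[0] == "route" and len(t) >= 5 and t[1] in ifaces:
            hop, iface = ipaddress.ip_address(t[4]), ifaces[t[1]]
            if hop == iface.ip:
                found.add(("ROUTE_NEXT_HOP_IS_SELF", " ".join(t)))
            elif hop not in iface.network:
                found.add(("ROUTE_NEXT_HOP_OFF_SUBNET", " ".join(t)))
        elif t[0] == "access-group" and len(t) > 1 and t[1] not in acls:
            found.add(("ACL_NOT_DEFINED", t[1]))
        elif t[0] == "access-list" and len(t) > 2 and t[2] == "permit" and t[-2:] == ["any", "any"]:
            found.add(("ACL_PERMIT_ANY_ANY", " ".join(t)))
        elif t[:3] == ["snmp-server", "community", "public"]:
            found.add(("SNMP_DEFAULT_COMMUNITY", "public"))
        elif t[0] == "telnet" and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            found.add(("TELNET_ANY_SOURCE", t[3] if len(t) > 3 else "?"))
    outside = ifaces.get("outside")
    if stated_gateway and outside is not None:
        if ipaddress.ip_address(stated_gateway) not in outside.network:
            found.add(("STATED_GATEWAY_OFF_SUBNET", f"{stated_gateway} vs {outside.network}"))
    return sorted(found)


if __name__ == "__main__":
    print(*audit(POSTED_CONFIG, STATED_GATEWAY), sep="\n")
```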
