I have a DMZ int in my PIX515E (6.3). I have an SSL webserver connected to it. The webserver feeds fairly large images to users on the inside int and outside. I had the same server on my LAN before and the speed was lightning fast. When I move it to the DMZ the slowness is horrible. Is there a way to judge if I am outgrowing this box or if I have it misconfigured?
The 515E can handle up to 130000 connections and 190mb of throughput. Unless you have a massive number of users connecting to the webserver, it is unlikely that the PIX is inundated with traffic. Have you tried the basics, like making sure the webserver NIC is configured for 100/full as well as the switch and DMZ ports? As a general rule of thumb you should always set your server and LAN equipment NICs to maximum throughput speeds.
You can also verify PIX connections, memory and CPU usage with the following commands.
Thank you for your answers. I checked that DMZ int and it was set to auto and it negotiates at 100/full. But the private int was set to 100/half. After changing that to 100/full things are a bit faster. But still not as fast as I would like. Memory usage is 17 out of 32MB. CPU stays at around 7% and I have 47 connections with the highest of 192. This box terminates 3 site-to-site and around 12 RAS VPNs also.