cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
240
Views
0
Helpful
1
Replies

Slightly different PIX throughput problem

terminalLv
Level 1
Level 1

I am having 2 dissimilar problems with my Pix501 firewall, though I think they might be related. The first problem seems to be a straightforward configuration problem, though I can’t see what it is. The second seems a bit unusual.

Problem 1 –

I have 3 machines behind my firewall. 192.168.1.2, 192.168.1.4, and 192.168.1.6. These are statically routed to XXX.XXX.XXX.132, XXX.XXX.XXX.134, and XXX.XXX.XXX.136.

Here are my firewall requirements:

192.168.1.2 and 192.168.1.4: www, https, vnc (5900), and remote desktop

192.168.1.6: ftp, CVS server (2401), and vnc (5900)

Machines 192.168.1.2 and 192.168.1.4 are configured and operating properly. The appropriate applications can hit them from the outsite world, and they can see the outside world fine (though with the bandwidth limitation addressed below).

Machine 192.168.1.6 has no external access. Internally I can use all the ports (meaning I can ftp 192.168.1.6 from other machines behind the firewall, or use VNC to it from behind the firewall), but not from the outside world. Also, 192.168.1.6 has no access to the internet from inside. These access problems with 192.168.1.6 are recent, caused by something I did while investigating problem #2 below. Prior to those changes, I had full access to machine 192.168.1.6.

I’m sure someone with only a little more Cisco expertise than I have can look at my config and resolve this problem. Thanks in advance for your help.

Problem 2 –

And now it gets squirrelly, at least with XXX.XXX.XXX.136.

Here is the initial problem I was chasing before I broke all access. Whichever computer is NATd to external address XXX.XXX.XXX.136 gets the maximum bandwidth provided from our ISP (6+ Mbs). The other two get a maximum of about 300Kbps (according to a bandwidth test on 2Wire.com). Internal IPs didn’t seem to matter. Any internal IP or hardware would get the maximum bandwidth if the static route mapped to XXX.XXX.XXX.136.

If I put any of our machines outside the firewall, they got the maximum bandwidth from the ISP, as expected. IP did not matter at this point.

Now the current situation is no machine gets the maximum bandwidth (since XXX.XXX.XXX.136 currently has no access to the internet), and 132 and 134 still get the reduced bandwidth.

Based on a significant amount of testing various scenarios, I am convinced that the bandwidth problems being experienced are due to an improper configuration of the firewall. However, I cannot find anything in the configuration that points to why the XXX.XXX.XXX.136 configuration would allow the machine connected to experience much greater bandwidth than the same machine if connected to XXX.XXX.XXX.132 or XXX.XXX.XXX.134.

Do these symptoms sound familiar to anyone? I have been unable to identify anything in the firewall config that can cause something like this, but I’m hoping someone else can.

Here is the configuration. Thanks again for any assistance.

rj

1 Reply 1

b.hsu
Level 5
Level 5

When trying to download files with FTP or access external sites on the worldwide web from behind the PIX Firewall, network users may experience poor or intermittent performance. This can occur because host IP addresses in the global pool (or internal host IP addresses, if you are using Network Address Translation [NAT] 0) are not properly registered in the Domain Name System (DNS).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: