We have main and branch office, and there are about 10 computers in branch office. I like to establish site to site VPN between main and branch office just for authentication of Windows Active Directory and accessing E-mail through MS Outlook.
We purchased Cisco ASA 5505 for branch office as we have already had Cisco PIX 515E and PIX 501 in main office.
We have 100 Mb/s fiber optic backbone for both, main and branch office. In fact, we have two backbone lines in main office and both are 100 Mb/s. The core network of main office is using PIX 515E without PPPoE and another network in main office is using PIX 501 with PPPoE. In Japan, Internet Service Provider normally places the device called ONU (kind of modem) and CTU (kind of router) before the firewall. However, there is no CTU device in both (core and another network) of our main office.
I established the site to site VPN between core and another network in main office by using PIX 515E and PIX 501. Then, I tested Active Directory login and accessing E-mail through MS Outlook from 3 or 4 computers in another network. The result is perfect as there is no delay to login and access to E-mail to servers in core network.
After purchasing ASA 5505, I also replaced PIX 501 with ASA 5505 in another network for testing purpose and established the site to site VPN again. The result is same as before.
Note that there are both ONY and CTU in our branch office. Before placing ASA 5505 in branch office, I have to ask technical person who understand Japanese language to disable functions (DHCP, firewall and PPPoE) in CTU as interface to change the setting of CTU is in Japanese language and I don't understand Japanese language. Due to language barrier, technical person just disable DCHP but not for other functions. After changing DHCP, he can't even connect to CTU to change the setting again. The result is that PPPoE is still initiating from CTU, not from ASA 5505. I can establish site to site VPN between main and branch office successfully. But, when I tried to login from some of computers which are behind ASA 5505 now, login took 3 to 4 minutes and connecting to mail server through MS Outlook at main office took 3 to 4 minutes. The result is very much different with the previous result I got.
I also physically removed CTU from network and start to initiate the PPPoE from ASA 5505 but there is no packet initiating from ASA 5505 according to log of ASA 5505.
My question is that disabling firewall and PPPoE functions at CTU and start initiating PPPoE from ASA 5505 can improve slowness of site to site VPN?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...