Firewall Wizards: Re: Cisco VPN client is slow behind new PIX

Re: Cisco VPN client is slow behind new PIX

From: Victor Williams <vbwilliams_at_neb.rr.com>
Date: Mon, 25 Feb 2008 19:24:09 -0600

What are the hosts primarily? Windows? If so, that "inspect netbios"
line will probably be the source of your slowdown.

Darren Maskowitz wrote:
> I recently replaced the gateway at my workplace; we had a Cisco 1721
> and upgraded to a Cisco PIX 515E.
> After the change my coworkers reported that their connection over
> Cisco VPN client was less than half the speed it was before the
> change. All the ACL rules that were on the 1721 were brought over to
> the PIX.
>
> The connection is from our office through the PIX to one of our
> clients. We don't use NAT here, as we have a full Class C IP address.
> Here's a sanitized excerpt from the PIX config.
>
> ! NAT Exemption Rule
> access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
> nat (inside) 0 access-list EXEMPT
> nat (outside) 0 access-list EXEMPT
>
> ! Excerpt of inbound Rules
> access-list 101 extended permit gre any any
> access-list 101 extended permit tcp any any eq pptp
> access-list 101 extended permit udp any any eq isakmp
> access-list 101 extended permit ah any any
> access-list 101 extended permit esp any any
> access-list 101 extended permit 46 any any
>
> ! Excerpt from outbound rules
> access-list 100 extended deny ip host 255.255.255.255 any
> access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
> ! Allow Proxy server web access
> access-list 100 extended permit tcp host x.x.x.x any eq www
> !Deny everyone access to the web without proxy
> access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
> !Allow all other traffic out
> access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
> access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
> access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
> access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect netbios
>   inspect tftp
>
> Thanks,
> Darren
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
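The test Victor's reply points at, written out as an added example that is not part of the thread: take NetBIOS inspection out of the default class on the PIX and compare inspection counters and VPN throughput before and after. It assumes the PIX 7.x modular policy framework syntax used in Darren's excerpt; the policy-map and class names are the ones quoted above, and the show commands are standard PIX/ASA commands, not something from the post.

```cisco
! Baseline first (constructed session, not from the post): record which
! inspections are active in the global policy and how busy netbios is.
show service-policy
show service-policy inspect netbios

! Remove only the netbios inspection from the default class. Every other
! inspect line from Darren's excerpt is left untouched so the test isolates
! one variable.
configure terminal
policy-map global_policy
 class inspection_default
  no inspect netbios
 exit
exit
write memory

! Confirm netbios is gone from the active policy, then re-run the
! VPN client speed comparison the coworkers used.
show service-policy
```

If throughput does not change, restore the line with `inspect netbios` under the same class and look elsewhere in the configuration before removing further inspections.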
Received on Feb 25 2008
