Firewall Wizards: Re: Cisco VPN client is slow behind new PIX

Re: Cisco VPN client is slow behind new PIX

From: Darren Maskowitz <squitz_at_gmail.com>
Date: Tue, 26 Feb 2008 18:10:40 -0700

I turned off the NetBIOS inspection, and the users reported no change;
however, a couple of hours after that change they came asking what I had
done, because the speed had increased 10-fold. I hadn't touched the
configuration since removing the NetBIOS inspection, and there is no
one else here who knows how to change the config. I want to say that
this change fixed it, and I'm not sure I want to know why it took a
couple of hours. If it was something on our client's side, then it is
highly unlikely that it would coincide so closely with the changes
here, and that there would be no notification that the changes were
taking place.

Thanks for the help ^_^
Darren

On 2/25/08, Victor Williams <vbwilliams_at_neb.rr.com> wrote:
> What are the hosts primarily? Windows? If so, that "inspect netbios"
> line will probably be the source of your slowdown.
>
> Darren Maskowitz wrote:
> > I recently replaced the gateway at my workplace: we had a Cisco 1721
> > and upgraded to a Cisco PIX 515E.
> > After the change my coworkers reported that their connection over
> > the Cisco VPN client was less than half the speed it was before the
> > change. All the ACL rules that were on the 1721 were brought over to
> > the PIX.
> >
> > The connection is from our office through the PIX to one of our
> > clients. We don't use NAT here, as we have a full Class C IP address.
> > Here's a sanitized excerpt from the PIX config.
> >
> > ! NAT Exemption Rule
> > access-list EXEMPT extended permit ip 206.x.x.0 255.255.255.0 any
> > nat (inside) 0 access-list EXEMPT
> > nat (outside) 0 access-list EXEMPT
> >
> > ! Excerpt of inbound Rules
> > access-list 101 extended permit gre any any
> > access-list 101 extended permit tcp any any eq pptp
> > access-list 101 extended permit udp any any eq isakmp
> > access-list 101 extended permit ah any any
> > access-list 101 extended permit esp any any
> > access-list 101 extended permit 46 any any
> >
> > ! Excerpt from outbound rules
> > access-list 100 extended deny ip host 255.255.255.255 any
> > access-list 100 extended deny ip 127.0.0.0 255.0.0.0 any
> > ! Allow Proxy server web access
> > access-list 100 extended permit tcp host x.x.x.x any eq www
> > !Deny everyone access to the web without proxy
> > access-list 100 extended deny tcp x.x.x.0 255.255.255.0 any eq www
> > !Allow all other traffic out
> > access-list 100 extended permit tcp x.x.x.0 255.255.255.0 any
> > access-list 100 extended permit udp x.x.x.0 255.255.255.0 any
> > access-list 100 extended permit icmp x.x.x.0 255.255.255.0 any
> > access-list 100 extended permit ip x.x.x.0 255.255.255.0 any
> > !
> > class-map inspection_default
> > match default-inspection-traffic
> > !
> > !
> > policy-map type inspect dns preset_dns_map
> > parameters
> > message-length maximum 512
> > policy-map global_policy
> > class inspection_default
> > inspect dns preset_dns_map
> > inspect ftp
> > inspect h323 h225
> > inspect h323 ras
> > inspect rsh
> > inspect rtsp
> > inspect sqlnet
> > inspect skinny
> > inspect sunrpc
> > inspect xdmcp
> > inspect netbios
> > inspect tftp
> >
> > Thanks,
> > Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 27 2008
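The thread turns on one line, "inspect netbios", buried in the global policy map. As an added example (it is not code from the thread or from Cisco), the following Python script parses the policy-map / class / inspect structure of a PIX-style configuration, lists the inspections active under a policy map, generates the commands that remove one inspection, and diffs two configuration snapshots so an administrator can tie a change window to an observed effect, as Darren wanted to. The sample configuration is a constructed copy of the sanitised excerpt above; the `no inspect <protocol>` syntax under the class is assumed to match the PIX 7.x / ASA policy-map form the excerpt uses.

```python
"""Parse the application-inspection section of a PIX/ASA-style config.

Added example for the firewall-wizards thread; not code from the post
or from Cisco. The configuration below is a constructed copy of the
sanitised excerpt in the thread, and the removal syntax ("no inspect"
under the class) is assumed to match the policy-map form it uses.
"""

# Constructed sample, mirroring the sanitised excerpt in the thread.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
"""

# Top-level statements that end a policy-map block when encountered.
TOP_LEVEL_KEYWORDS = {"class-map", "access-list", "nat", "interface", "route"}


def parse_inspections(config_text):
    """Return {policy_map: {class_name: [inspection, ...]}}.

    Indentation is ignored (mail clients flatten it, as in the thread),
    so the quoted excerpt parses the same as a real running-config.
    """
    policies = {}
    current_policy = None
    current_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        keyword = tokens[0]
        if keyword == "policy-map":
            if tokens[1] == "type":
                # 'policy-map type inspect ...' defines a parameter map,
                # not a traffic policy; its body carries no 'inspect' lines.
                current_policy = current_class = None
            else:
                current_policy, current_class = tokens[1], None
                policies.setdefault(current_policy, {})
        elif keyword == "class" and current_policy is not None:
            current_class = tokens[1]
            policies[current_policy].setdefault(current_class, [])
        elif keyword == "inspect" and current_class is not None:
            policies[current_policy][current_class].append(" ".join(tokens[1:]))
        elif keyword in TOP_LEVEL_KEYWORDS:
            current_policy = current_class = None
    return policies


def removal_commands(config_text, protocol, policy_map="global_policy"):
    """Build the config-mode commands that remove one inspection.

    Returns [] when the inspection is not present, so a caller can tell a
    no-op from an actual change before pushing anything to the device.
    """
    commands = []
    for class_name, inspections in parse_inspections(config_text).get(policy_map, {}).items():
        hits = [i for i in inspections if i.split()[0] == protocol]
        if hits:
            commands.append(f"policy-map {policy_map}")
            commands.append(f" class {class_name}")
            commands.extend(f"  no inspect {i}" for i in hits)
    return commands


def inspection_changes(before, after, policy_map="global_policy"):
    """Diff the inspections of one policy map across two config snapshots.

    Comparing the saved config from before and after a change window gives
    an audit record that can be matched against a behaviour change such as
    the VPN speed-up reported in the thread.
    """
    old = parse_inspections(before).get(policy_map, {})
    new = parse_inspections(after).get(policy_map, {})
    old_set = {(c, i) for c, items in old.items() for i in items}
    new_set = {(c, i) for c, items in new.items() for i in items}
    return {
        "removed": sorted(i for _, i in old_set - new_set),
        "added": sorted(i for _, i in new_set - old_set),
    }


if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_CONFIG, "netbios"):
        print(cmd)
    after = SAMPLE_CONFIG.replace("  inspect netbios\n", "")
    print(inspection_changes(SAMPLE_CONFIG, after))
```

Running the script prints the three-line change (policy-map, class, `no inspect netbios`) and a diff showing `netbios` as the only removed inspection. Because the parser ignores indentation, the flattened excerpt pasted in the thread yields the same result as an indented running-config.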