PIX 525 performance issue

18 years 1 month ago #14069 by eeee
I have a PIX 525. I have just put it in production and see throughput issues. I cannot get as much outbound connection (100 MB internet connection) as I used to. Can anyone see anything that will degrade performance, or any missing commands that I need to use?

Thanks

PIX Version 7.0(4)
!
hostname pix525
multicast-routing
!
interface Ethernet0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 11.27.7.15 255.255.255.224
!
interface Ethernet1
 nameif DMZ
 security-level 50
 ip address 10.18.21.24 255.255.255.0
!
interface Ethernet2
 security-level 30
 ip address 10.18.16.24 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
 ip address 11.27.7.18 255.255.255.248
!
pim rp-address 11.27.24.40
ftp mode passive
access-list DMZ2_IN extended permit ip any any
access-list DMZ2_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit igmp any any
access-list OUTSIDE_IN extended permit pim any any
access-list OUTSIDE_IN extended permit esp any any
access-list OUTSIDE_IN extended permit tcp any any
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging facility 22
logging host INSIDE ....
logging host INSIDE ....
mtu OUTSIDE 1500
mtu DMZ 1500
mtu DMZ2 1500
mtu INSIDE 1500
no failover
asdm image flash:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 2 ....
global (OUTSIDE) 1 ....
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 2 0.0.0.0 0.0.0.0
nat (INSIDE) 0 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 11.27.18.0 11.27.18.0 netmask 255.255.254.0
static (INSIDE,OUTSIDE) 11.27.11.18 11.27.11.18 netmask 255.255.255.
static (INSIDE,OUTSIDE) 11.27.7.12 11.27.7.12 netmask 255.255.255.24
static (INSIDE,OUTSIDE) 10.18.10.0 10.18.10.0 netmask 255.255.255.128
static (INSIDE,OUTSIDE) 10.18.11.0 10.18.11.0 netmask 255.255.255.0
static (INSIDE,OUTSIDE) 10.18.17.0 10.18.17.0 netmask 255.255.255.128
static (INSIDE,OUTSIDE) 10.18.9.0 10.18.9.0 netmask 255.255.255.0
static (INSIDE,OUTSIDE) 10.18.254.0 10.18.254.0 netmask 255.255.255.0
static (INSIDE,OUTSIDE) 10.18.21.0 10.18.21.0 netmask 255.255.255.0
static (INSIDE,OUTSIDE) 10.18.20.0 10.18.20.0 netmask 255.255.255.0
static (INSIDE,OUTSIDE) 10.18.253.0 10.18.253.0 netmask 255.255.255.0
access-group OUTSIDE_IN in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 131.247.47.190 1
route INSIDE 10.18.253.0 255.255.255.0 11.27.7.13 1
route INSIDE 10.18.21.0 255.255.255.0 11.27.7.13 1
route INSIDE 10.18.20.0 255.255.255.0 11.27.7.13 1
route INSIDE 10.18.254.0 255.255.255.0 11.27.7.13 1
route INSIDE 10.18.10.0 255.255.255.128 11.27.7.13 1
route INSIDE 11.27.11.18 255.255.255.128 11.27.7.13 1
route INSIDE 11.27.18.0 255.255.254.0 11.27.7.13 1
route INSIDE 10.18.11.0 255.255.255.128 11.27.7.13 1
route INSIDE 10.18.17.0 255.255.255.128 11.27.7.13 1
route INSIDE 10.18.9.0 255.255.255.0 11.27.7.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface OUTSIDE
isakmp enable OUTSIDE
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map Voice_ef
 description "This class-map matches all dscp ef traffic"
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
class-map Voice_cs3
 description "This class-map matches all dscp cs3"
 match dscp cs3
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map qos
 class Voice_ef
  priority
 class Voice_cs3
  priority
!
service-policy global_policy global
priority-queue OUTSIDE
 tx-ring-limit 128
priority-queue INSIDE
18 years 1 month ago #14088 by havohej
It is Ethernet ports, so be sure there is no duplex or speed mismatch between the PIX and the switch it is connected to.

Monitor it by looking at the interface statistics, like CRCs.
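
The counter check suggested in the reply above, as an added example that is not part of the original thread: it parses interface statistics and flags the two usual duplex-mismatch signatures (CRC/runt/frame errors on the full-duplex side, late collisions on the half-duplex side). The sample text is constructed and only modelled on "show interface" output; the function names and the 0.1% error threshold are assumptions. It is relevant here because Ethernet0 in the posted config is hard-set to speed 100 / duplex full, and a peer left on autonegotiation falls back to half duplex in that case.

```python
import re

# Constructed sample modelled on PIX "show interface" output (trimmed; counters invented).
SAMPLE = """\
Interface Ethernet0 "OUTSIDE", is up, line protocol is up
  Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
  1200000 packets input, 910000000 bytes, 0 no buffer
  Received 150 broadcasts, 412 runts, 0 giants
  5821 input errors, 5790 CRC, 31 frame, 0 overrun, 0 ignored, 0 abort
  0 babbles, 0 late collisions, 0 deferred
Interface GigabitEthernet0 "INSIDE", is up, line protocol is up
  Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
  1150000 packets input, 90000000 bytes, 0 no buffer
  Received 900 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 babbles, 0 late collisions, 0 deferred
"""

COUNTERS = ("packets input", "runts", "CRC", "frame", "late collisions")

def parse_interfaces(text):
    """Return {interface: {"duplex": "full"|"half"|"unknown", counter: int}}."""
    stats = {}
    for block in re.split(r"(?m)^(?=Interface )", text):  # one block per port
        head = re.match(r"Interface (\S+)", block)
        if not head:
            continue
        entry = {}
        for name in COUNTERS:
            m = re.search(r"(\d+) " + re.escape(name) + r"\b", block)
            entry[name] = int(m.group(1)) if m else 0
        duplex = re.search(r"\b(full|half)-duplex", block, re.I)
        entry["duplex"] = duplex.group(1).lower() if duplex else "unknown"
        stats[head.group(1)] = entry
    return stats

def duplex_mismatch_findings(stats, min_error_ratio=0.001):
    """Flag ports whose counters are consistent with a duplex mismatch."""
    findings = {}
    for port, s in stats.items():
        reasons = []
        if s["late collisions"] > 0:  # seen on the half-duplex side
            reasons.append("late collisions: port is likely half duplex, peer full")
        rx_bad = s["CRC"] + s["runts"] + s["frame"]  # seen on the full-duplex side
        if s["duplex"] == "full" and rx_bad > s["packets input"] * min_error_ratio:
            reasons.append("CRC/runt/frame errors: peer is likely half duplex")
        if reasons:
            findings[port] = reasons
    return findings
```

CRC errors alone can also come from bad cabling, so a flagged port is a prompt to compare the speed and duplex settings on both ends of the link rather than proof of a mismatch.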
18 years 1 month ago #14091 by eeee
Replied by eeee on topic Re: PIX 525 performance issue
Yes, that was it, duplex mismatch. Thanks.