Solved

Increase bandwidth on Cisco PIX firewall.

Posted on 2005-04-25
Last Modified: 2013-11-16
I just had this new CISCO 506E PIX firewall put in and am noticing my bandwidth via HTTP is slower than it used to be. My ISP says they haven't throttled me back or changed anything. They suggested that I increase my firewall settings from "Medium", or that my firewall might not be allowing full throughput or something. Didn't make sense, but last week I was downloading a 300MB file at 230KB/sec; now it starts at 200 and instantly drops down to like 80KB/sec no matter what I do. No changes other than the firewall. FTP seems to be faster. Is there a command or something I can change in the PIX? I need the actual commands as I'm not good with PIX.
Question by:fredmastro
Expert Comment by lrmoore (ID: 13862790)
The only thing you can do is verify the speed/duplex settings of both the outside and inside interfaces.
Can you post the results of
firewall#show interface
Error counts will point to possible issues.
If there are no error counts, then it could be that we need to permit ICMP so that the client can use PMTUD properly.
Also try using the DrTCP utility to change the max MTU on the client to something like 1300 vs the default 1500.
Author Comment by fredmastro (ID: 13868564)
I'll try this out tonight, sorry for delay, yesterday was hectic.
Author Comment by fredmastro (ID: 13868575)
Oh yeah, the computer already had DrTCP run on it, and it used to download at 200+kb/sec.

"we need to permit icmp "

How?

"client can use PMTUD properly"

What's PMTUD?
Expert Comment by lrmoore (ID: 13868761)
PMTUD = Path MTU Discovery

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/path_mtu_discovery.asp

We can allow ICMP unreachables on the outside PIX access-list, but I think you already do that:

  access-list inbound permit icmp any any unreachable

That leads back to errors on the interfaces. Can you post the result of 'show interface'?
Author Comment by fredmastro (ID: 13871963)
Ok, show interface...
-----------------------------------

interface ethernet0 "outside" is up, line protocol is up                        
  Hardware is i82559 ethernet, address is 0011.937e.02a4
  IP address 68.238.170.74, subnet mask 255.0.0.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        102777 packets input, 27781878 bytes, 0 no buffer
        Received 40 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        101856 packets output, 94708549 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/4)
        output queue (curr/max blocks): hardware (0/15) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0011.937e.02a5
  IP address 10.1.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        106498 packets input, 95503087 bytes, 0 no buffer
        Received 4100 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        79717 packets output, 26441505 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/15)
        output queue (curr/max blocks): hardware (0/21) software (0/1)
------------------------------------------------------------

That command:

gateway(config)# access-list inbound permit icmp any any unreachable
ACE not added. Possible duplicate entry

any help?
Expert Comment by lrmoore (ID: 13871974)
Well, shucks...
No errors of any kind on either interface...
ICMP is already allowed.....

Only thing I can see is that you still need to fix the subnet mask on the outside interface:
 > IP address 68.238.170.74, subnet mask 255.0.0.0
Should be at least 255.255.255.0
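A small checker for the three things lrmoore reads off the 'show interface' output in this thread (error counters, duplex, and the subnet mask on the outside interface), added here as an example and not part of the original thread. The sample output is constructed in the PIX format with made-up counters and a documentation address, and the "/24 or longer on outside" threshold is an assumption, not a PIX rule.

```python
import re
from ipaddress import ip_interface
# Constructed sample in the format of the PIX `show interface` output quoted in this thread.
# Counters and the outside address are made up; ethernet0 is given errors and half duplex.
SAMPLE = """interface ethernet0 "outside" is up, line protocol is up
  IP address 203.0.113.74, subnet mask 255.0.0.0
  MTU 1500 bytes, BW 100000 Kbit half duplex
        12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 37 collisions, 0 interface resets
interface ethernet1 "inside" is up, line protocol is up
  IP address 10.1.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
"""

# Counters that stay at zero on a healthy link; anything else is worth a closer look.
ERROR_COUNTERS = {"no buffer", "runts", "giants", "input errors", "CRC", "frame", "overrun",
                  "ignored", "abort", "underruns", "output errors", "collisions", "interface resets"}

def parse_interfaces(text):
    """Return one dict per interface: name, ip, mask, duplex and its error counters."""
    ifaces = []
    for chunk in re.split(r"(?m)^interface ", text)[1:]:
        name = re.search(r'"([^"]+)"', chunk).group(1)
        ip, mask = re.search(r"IP address (\S+), subnet mask (\S+)", chunk).groups()
        duplex = re.search(r"(full|half) duplex", chunk).group(1)
        # "<count> <label>" pairs, e.g. "12 CRC" or "0 interface resets"
        pairs = re.findall(r"(\d+) ([A-Za-z ]+?)(?:,|\s*$)", chunk, re.M)
        counters = {label: int(n) for n, label in pairs if label in ERROR_COUNTERS}
        ifaces.append({"name": name, "ip": ip, "mask": mask, "duplex": duplex, "counters": counters})
    return ifaces

def check_interface(iface):
    """Flag the three things lrmoore reads off the output: errors, duplex and the outside mask."""
    findings = []
    nonzero = {k: v for k, v in iface["counters"].items() if v}
    if nonzero:
        findings.append(f"{iface['name']}: non-zero error counters {nonzero}")
    if iface["duplex"] != "full":
        findings.append(f"{iface['name']}: {iface['duplex']} duplex, verify speed/duplex on both ends")
    prefix = ip_interface(f"{iface['ip']}/{iface['mask']}").network.prefixlen
    # Heuristic (an assumption, not a PIX rule): a /8 on the outside interface is almost always a typo.
    if iface["name"] == "outside" and prefix < 24:
        findings.append(f"outside: mask {iface['mask']} (/{prefix}) looks wrong, expected /24 or longer")
    return findings

def audit(text):
    return {i["name"]: check_interface(i) for i in parse_interfaces(text)}
```

Paste real 'show interface' output in place of SAMPLE; an empty list for an interface means nothing of the three checks fired.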
Author Comment by fredmastro (ID: 13872181)
Really? How? ip address outside 68.238.170.74 255.255.255.0 ???
Accepted Solution by lrmoore (earned 1600 total points, ID: 13873025)
Yes, exactly...
pix(config)#ip address outside 68.238.170.74 255.255.255.0
Author Comment by fredmastro (ID: 13874709)
Hmm, after I typed that I typed write mem.

But now I can't access anything anymore from the outside. Meaning, can't hit websites anymore.

interface ethernet0 "outside" is up, line protocol is up                                                        
  Hardware is i82559 ethernet, address is 0011.937e.02a4                                                        
  IP address 68.238.170.64, subnet mask 255.255.255.0                          
  MTU 1500 bytes, BW 100000 Kbit full duplex
        123924 packets input, 36549908 bytes, 0 no buffer
        Received 46 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        120612 packets output, 107478212 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/4)
        output queue (curr/max blocks): hardware (0/15) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0011.937e.02a5
  IP address 10.1.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        126239 packets input, 108414389 bytes, 0 no buffer
        Received 5206 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        96402 packets output, 34779084 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/15)
        output queue (curr/max blocks): hardware (0/21) software (0/1)


Oh, now I can't get out either, sheesh. Now what do I do? How do I get it back?
Author Comment by fredmastro (ID: 13874713)
I even tried changing it back and applying the access-group again; still no traffic in/out anymore.
Expert Comment by lrmoore (ID: 13874779)
>pix(config)#ip address outside 68.238.170.74 255.255.255.0
Do that again, don't change anything else. Save the config and reboot the PIX... power it down completely. Wait 2 minutes, power it back up.
Author Comment by fredmastro (ID: 13874917)
Ok did that, still no luck.

I did notice on reboot it has some errors.

I can't copy-paste, but it says...

read-address conflict with exisiting static

tcp from inside 10.1.0.201/25 to outside:68.238.170.64/25 netmask....
tcp from inside 10.1.0.201/110 to outside:68.238.170.65/110 netmask....

tcp from inside 10.1.0.201/143 to outside:68.238.170.65/143 netmask....


Those are ones I tried to add a couple days ago, except the 25 one.

The GUI shows some of the rules as Null.
Expert Comment by lrmoore (ID: 13875000)
OK, I'm confused now... we had .170.74 and 170.75

Now you're trying to put .64 on the interface
>IP address 68.238.170.64, subnet mask 255.255.255.0    

Put .74 back on the interface....

Looking back at the last working config in your last Q, I don't see any .64 or .65 in there anywhere..
Author Comment by fredmastro (ID: 13875037)
@!#$%!$#!@!$!@$###!#$!!&!#@!#!&@!!!!!!!

Dammit, you are right, wtf is wrong with me.

Now I've screwed up all my settings! Argh! Increasing points for my stupidity! Dammit, now I have to figure out how to get it all back the way it was.
Author Comment by fredmastro (ID: 13875069)
Dammit, and I have to leave for work in a few min. Wish someone would buy this thing off me. Already tried putting it up on eBay, so I can get something else I can maintain.

Stuff on .74 seems to work but that's it. No DNS resolutions, no web on the other ports or HTTPS. Man, this sucks.
Author Comment by fredmastro (ID: 13875414)
Damn, I guess DNS isn't working. Want me to close this question and open a new one?
Author Comment by fredmastro (ID: 13881352)
Ok, thanks to your code from the other site I was able to bring it back to how you had it and add in my own changes. Finally.

Even though now I'm going to sell this thing, I can't admin it the way I thought.
Expert Comment by lrmoore (ID: 13881615)
>I can't admin it the way I thought
It's not that hard once you get it running. It just takes some getting used to. I can do PIX in my sleep, so for me it's just second nature. I fully understand that it ain't for everyone. The GUI leaves a LOT to be desired...

I hope you get a good price for it!