  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278

Recommendation for replacing PIX needed

Hi Experts,

PIX 506E is located at the main office (Copenhagen) running on a 6/6Mbit connection. From here we have a site-to-site VPN to our branch office in Stockholm. They are running PIX 501 on a 2/2Mbit connection.
In regard to the performance on the site-to-site, we're not satisfied.

There is a maximum of 4 users working on the line from Stockholm, and apps like Outlook, Excel and copying files are not running at all smoothly. The performance is compared to when users are connecting through the Cisco VPN client.

When my Copenhagen users are working from home, they also use the Cisco VPN client and the performance is fair enough.

My supplier recommends that we replace the 506E with Cisco ASA 5505 but is that okay? Also what would you recommend instead of the 501?

Switching to ASA gives me the option to use SSL VPN for my users so they don't need to use classic FTP and webmail. And the throughput on the ASA seems to be able to solve the performance issue.

Can I recycle the code from my 506E/501 or export/convert it to ASA?

Please, any agrees/disagrees with comments are most welcome ;)

Thanks in advance.
/David
lrmoore Commented:
ASA5500 series is a very good product.
Yes, it gives you SSL VPN capability and many other VPN options. The ASA combines the best of the PIX and the VPN3000 concentrator, and the GUI is getting better all the time.
The OS is completely different between PIX 6.x and ASA and the configs will not export or convert. You pretty much have to start from scratch, but wizards in the GUI make it pretty painless.
As far as a technology refresh cycle, it makes sense to migrate to the ASA when your budget allows and it fits in your refresh plans.
I don't know that the performance will be much of an improvement. You can try some things with your current setup and see if it improves. Try using DES or AES instead of 3DES encryption if that is what you are currently using. Try reducing the MaxMTU size on the servers to 1300 down from the default 1500. The Cisco VPN client usually sets the clients' MTU down to 1300 when you install it, or there is a SetMTU utility that installs with the client. You can also set all clients in the remote office with this utility.
Are you sure your DSL lines are symmetric? 6/6 and 2/2 ?
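The MTU advice above comes down to fragmentation: in tunnel mode every packet leaving the PIX carries the whole inner packet plus the ESP encapsulation, so a 1500-byte inner packet no longer fits a 1500-byte outside MTU and gets fragmented (or dropped when DF is set). The script below is an added example for this thread, not code from lrmoore or from Cisco; it uses the ESP field sizes from RFC 2406/2403/2404 for the ciphers and HMACs that appear in these configs (esp-des, esp-3des, esp-md5-hmac, esp-sha-hmac) to show the outer size for 1500- and 1300-byte inner packets and the largest inner packet that still fits.

```python
"""Tunnel-mode ESP overhead for the transform sets used on a PIX site-to-site VPN.

Added example for this thread (not from the thread or from Cisco).  Field sizes
follow RFC 2406 (ESP), RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96).
"""

OUTER_IP_HDR = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}   # cipher block size == IV size
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}         # both HMACs truncated to 96 bits


def esp_tunnel_size(inner_len, cipher="esp-des", auth="esp-md5-hmac", nat_t=False):
    """Length on the wire of an inner IP packet of inner_len bytes after ESP tunnelling."""
    block = BLOCK[cipher]
    # inner packet + padding + trailer must end on a cipher block boundary
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IP_HDR + ESP_HDR + block + inner_len + pad + ESP_TRAILER + ICV[auth]
    return size + (8 if nat_t else 0)   # NAT-T would add a UDP header; not used here


def fits(inner_len, outer_mtu=1500, **kw):
    """True when the encapsulated packet needs no fragmentation on the outside link."""
    return esp_tunnel_size(inner_len, **kw) <= outer_mtu


def max_inner_mtu(outer_mtu=1500, **kw):
    """Largest inner packet (host MTU) that still fits outer_mtu after encapsulation."""
    n = outer_mtu
    while not fits(n, outer_mtu, **kw):
        n -= 1
        if n < 0:
            raise ValueError("outer MTU smaller than the ESP overhead")
    return n


def tcp_mss(host_mtu):
    """TCP MSS a host advertises for a given MTU (IPv4 header 20 + TCP header 20)."""
    return host_mtu - 40


if __name__ == "__main__":
    for inner in (1500, 1446, 1300):
        print(f"inner {inner:4d} -> outer {esp_tunnel_size(inner):4d}  "
              f"{'fits' if fits(inner) else 'FRAGMENTS'}")
    print("largest inner MTU with esp-des esp-md5-hmac:", max_inner_mtu())
    print("TCP MSS at host MTU 1300:", tcp_mss(1300))
```

With esp-des esp-md5-hmac a 1500-byte inner packet becomes 1552 bytes on the wire, while anything up to 1446 bytes fits; 1300 is comfortably below that and leaves room for any extra encapsulation on the path, which is why a host-side MTU of 1300 removes the fragmentation without touching the PIX interfaces.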
dsl77 (Author) Commented:

Hi lrmoore,
Configuration, system properties, interfaces, and change the MTU to 1300 for both inside and outside? And on both PIXs?
I have pasted the config for both PIXs, maybe you can see if it looks alright in regards to the site-to-site performance? ;)
I have checked with the ISP and test confirms the speed is there.

501 config - branch office
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname XXX
domain-name XXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.227.0 XXX
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 XXX 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 XXX 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location XXX 255.255.255.0 outside
pdm location XXX 255.255.255.255 outside
pdm location 192.168.227.1 255.255.255.255 inside
pdm location 192.168.227.27 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.22.196.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http XXX 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.227.1 255.255.255.255 inside
http 192.168.227.27 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer XXX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.227.220 212.242.40.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXX
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

506E config - main office
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname XXX
domain-name XXX
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 XXX
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
access-list outside_in permit tcp any interface outside eq 4899
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq imap4
access-list outside_in permit tcp 207.126.144.0 255.255.240.0 interface outside eq smtp
access-list 101 permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
access-list 101 permit ip 192.168.227.0 255.255.255.0 XXX 255.255.255.0
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.227.0 255.255.255.0 XXX 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside XXX 255.255.255.252
ip address inside 192.168.227.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
pdm location 192.168.227.0 255.255.255.0 inside
pdm location 192.168.228.0 255.255.255.0 outside
pdm location 192.168.227.211 255.255.255.255 inside
pdm location 192.168.227.212 255.255.255.255 inside
pdm location XXX 255.255.255.0 outside
pdm location 192.168.99.0 255.255.255.0 outside
pdm location XXX 255.255.255.255 outside
pdm location 192.168.227.214 255.255.255.255 inside
pdm location 192.168.227.221 255.255.255.255 inside
pdm location 192.168.227.222 255.255.255.255 inside
pdm location 207.126.144.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.227.222 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.227.222 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.227.222 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.227.222 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 192.168.227.222 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.227.222 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.227.222 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.227.222 imap4 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.227.221 XXX timeout 10
http server enable
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 100 set transform-set myset
crypto dynamic-map outside_dyn_map 10 set transform-set myset
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address outside_cryptomap_40
crypto map mymap 40 set pfs group2
crypto map mymap 40 set peer XXX
crypto map mymap 40 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 3600
vpngroup vpn3000 address-pool VPN_Pool
vpngroup vpn3000 dns-server 192.168.227.220 192.168.227.221
vpngroup vpn3000 default-domain XXX
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 7200
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd auto_config outside
terminal width 80
lrmoore Commented:
Do not change MTU on the PIX itself. Change it on the servers and workstations.

>PIX Version 6.3(3)
>PIX Version 6.3(4)
First thing I would do is upgrade them both to 6.3(5)

You are already using DES which should be the least performance hit.

>access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 XXX 255.255.255.0
I would assume here that the XXX represents 192.168.227.0/24 ?
And on the 506E XXX represents 192.168.1.0/24? No sense in hiding these numbers.
>access-list outside_cryptomap_40 permit ip 192.168.227.0 255.255.255.0 XXX 255.255.255.0
If, on the other hand, XXX in both cases represents the outside public IP address of the other PIX, then you have some issues.

>crypto map outside_map 20 set transform-set ESP-DES-MD5
On the BRANCH 501, this statement does not have a corresponding policy:
 isakmp policy 20 encryption 3des  <== should be DES unless you also have another policy 10 or something that you cut out before pasting.
dsl77 (Author) Commented:
Thanks & I'll submit the firmware upgrade this weekend.

The branch office in Stockholm is connected directly to the PIX through a switch, no software required. Where exactly do you recommend I change the MTU?

I'll submit both configurations again, so you'll have a clearer picture? ;)

Stockholm: PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname stockholm
domain-name company.dk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.227.0 Raadhuspladsen
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Raadhuspladsen 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Raadhuspladsen 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 194.xxx.xxx.xxx 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Raadhuspladsen 255.255.255.0 outside
pdm location 195.xxx.xxx.xxx 255.255.255.255 outside
pdm location 192.168.227.1 255.255.255.255 inside
pdm location 192.168.227.27 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 194.xxx.xxx.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 195.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.227.1 255.255.255.255 inside
http 192.168.227.27 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 195.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 195.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.227.220 212.242.40.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain company.dk
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
[OK]

Copenhagen: PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname copenhagen
domain-name company.dk
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Copenhagen
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
access-list outside_in permit tcp any interface outside eq 4899
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq imap4
access-list outside_in permit tcp 207.126.144.0 255.255.240.0 interface outside eq smtp
access-list 101 permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
access-list 101 permit ip 192.168.227.0 255.255.255.0 Copenhagen 255.255.255.0
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.227.0 255.255.255.0 Copenhagen 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 195.xxx.xxx.xxx 255.255.255.252
ip address inside 192.168.227.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
pdm location 192.168.227.0 255.255.255.0 inside
pdm location 192.168.228.0 255.255.255.0 outside
pdm location 192.168.227.211 255.255.255.255 inside
pdm location 192.168.227.212 255.255.255.255 inside
pdm location Copenhagen 255.255.255.0 outside
pdm location 192.168.99.0 255.255.255.0 outside
pdm location 194.239.184.134 255.255.255.255 outside
pdm location 192.168.227.214 255.255.255.255 inside
pdm location 192.168.227.221 255.255.255.255 inside
pdm location 192.168.227.222 255.255.255.255 inside
pdm location 207.126.144.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.227.222 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.227.222 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.227.222 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.227.222 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 192.168.227.222 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.227.222 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.227.222 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.227.222 imap4 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.xxx.xxx.123 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.227.221 *** timeout 10
http server enable
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 100 set transform-set myset
crypto dynamic-map outside_dyn_map 10 set transform-set myset
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address outside_cryptomap_40
crypto map mymap 40 set pfs group2
crypto map mymap 40 set peer 194.xxx.xxx.xxx
crypto map mymap 40 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 194.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 3600
vpngroup vpn3000 address-pool VPN_Pool
vpngroup vpn3000 dns-server 192.168.227.220 192.168.227.221
vpngroup vpn3000 default-domain company.dk
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 7200
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd auto_config outside
terminal width 80
: end
[OK]
dsl77 (Author) Commented:
lrmoore ... can you use the above to review the performance issues?
lrmoore Commented:
On the Stockholm side, add this, so that you have a policy that actually matches your transform set. The Copenhagen side is OK:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
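Comparing the two pasted configurations by eye is error-prone, so here is the cross-check as a script. It is an added example for this thread, not code from lrmoore, dsl77 or Cisco. STOCKHOLM and COPENHAGEN are abridged copies of the two configs posted above (only the lines the checker reads, public addresses masked with xxx exactly as in the thread); STOCKHOLM_POLICY10 is the block lrmoore suggests adding. The checker parses `name`, crypto ACL, transform-set, crypto map and `isakmp policy` statements, then verifies that the two static crypto map entries point at each other, that at least one ESP transform set and the PFS group are offered identically on both sides, that the crypto ACLs are mirror images, and which IKE phase 1 proposals both peers have in common.

```python
"""Cross-check the site-to-site IPsec settings of two PIX 6.3 configurations.

Added example for this thread; not code from lrmoore, dsl77 or Cisco.  The two
excerpts are abridged copies of the configs pasted in the thread.
"""
from dataclasses import dataclass, field

STOCKHOLM = """\
name 192.168.227.0 Raadhuspladsen
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Raadhuspladsen 255.255.255.0
ip address outside 194.xxx.xxx.xxx 255.255.255.224
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 195.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
# the policy lrmoore suggests adding on the Stockholm side
STOCKHOLM_POLICY10 = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
COPENHAGEN = """\
name 192.168.1.0 Copenhagen
access-list outside_cryptomap_40 permit ip 192.168.227.0 255.255.255.0 Copenhagen 255.255.255.0
ip address outside 195.xxx.xxx.xxx 255.255.255.252
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address outside_cryptomap_40
crypto map mymap 40 set pfs group2
crypto map mymap 40 set peer 194.xxx.xxx.xxx
crypto map mymap 40 set transform-set myset
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
"""


@dataclass
class PixCrypto:
    names: dict = field(default_factory=dict)       # symbolic name -> address
    acls: dict = field(default_factory=dict)        # acl name -> [(src, smask, dst, dmask)]
    transforms: dict = field(default_factory=dict)  # transform-set name -> (esp cipher, esp auth)
    policies: dict = field(default_factory=dict)    # isakmp policy number -> {attribute: value}
    maps: dict = field(default_factory=dict)        # "map seq" -> {acl, peer, pfs, transform-set}
    outside_ip: str = ""


def parse_pix(text):
    """Pull the crypto-relevant statements out of a PIX 6.x running-config."""
    cfg = PixCrypto()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:
            cfg.names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # resolve 'name' aliases so both sides compare as plain addresses
            src, sm, dst, dm = (cfg.names.get(x, x) for x in t[4:8])
            cfg.acls.setdefault(t[1], []).append((src, sm, dst, dm))
        elif t[:3] == ["ip", "address", "outside"]:
            cfg.outside_ip = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transforms[t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry = cfg.maps.setdefault(f"{t[2]} {t[3]}", {})
            if t[4] == "match":
                entry["acl"] = t[6]
            elif t[4] == "set":   # 'set transform-set' may list several sets in order
                entry[t[5]] = t[6:] if t[5] == "transform-set" else t[6]
        elif t[:2] == ["isakmp", "policy"]:
            cfg.policies.setdefault(int(t[2]), {})[t[3]] = t[4]
    return cfg


def common_phase1(a, b):
    """IKE phase 1 proposals present on both peers (all four attributes equal)."""
    def sig(p):
        return tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))
    return sorted({sig(p) for p in a.policies.values()} & {sig(p) for p in b.policies.values()})


def static_entry_for(cfg, peer_ip):
    """The static crypto map entry on cfg whose peer is peer_ip, or None."""
    return next((e for e in cfg.maps.values() if e.get("peer") == peer_ip), None)


def site_to_site_report(a, b):
    """Consistency findings for the tunnel between configs a and b."""
    ea, eb = static_entry_for(a, b.outside_ip), static_entry_for(b, a.outside_ip)
    report = {"peers_point_at_each_other": ea is not None and eb is not None}
    if not report["peers_point_at_each_other"]:
        return report
    # phase 2: at least one transform set must be offered identically by both sides
    offered_a = {a.transforms[n] for n in ea["transform-set"]}
    offered_b = {b.transforms[n] for n in eb["transform-set"]}
    report["phase2_common"] = sorted(offered_a & offered_b)
    report["pfs_match"] = ea.get("pfs") == eb.get("pfs")
    # crypto ACLs must be mirror images: a's (src, dst) pairs are b's (dst, src) pairs
    mirror_of_b = {(d, dm, s, sm) for (s, sm, d, dm) in b.acls[eb["acl"]]}
    report["acl_mirror"] = set(a.acls[ea["acl"]]) == mirror_of_b
    report["phase1_common"] = common_phase1(a, b)
    return report


if __name__ == "__main__":
    for label, text in (("as posted", STOCKHOLM), ("with policy 10", STOCKHOLM + STOCKHOLM_POLICY10)):
        print(f"--- Stockholm {label}")
        for k, v in site_to_site_report(parse_pix(text), parse_pix(COPENHAGEN)).items():
            print(f"{k:26} {v}")
```

As posted, the two sides already share esp-des/esp-md5-hmac, PFS group2 and mirrored crypto ACLs, and Stockholm's policy 20 has an identical counterpart in Copenhagen's policy 50; appending the suggested policy 10 gives the peers a second common phase 1 proposal (des/md5/group 2). The same checker can be pointed at any two PIX 6.x configs whose peer addresses are left unmasked.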
dsl77 (Author) Commented:
Thanks! ;)

What about changing the MTU - is that still necessary?
lrmoore Commented:
If this change doesn't make any difference, and if you haven't tried it, I would still recommend it. There is a small utility called DrTCP that you can google for and download to run on the servers/workstations to adjust the MTU.

dsl77 (Author) Commented:
Thanks again ... ;)