don_bruess asked (topic: network):

I have 200 internal IP addresses for our workstations; these go to switches (unmanaged) that then connect to another switch that connects to the servers. The servers have external IP addresses. When a workstation makes a file request from the server it goes very, very slow. When I change the workstation to the same IP addresses as the server it runs very fast.
Example: if we open a large CAD drawing using the NATted addresses it may take 10 minutes to open. By switching the IP to the server's subnet it does the same load in 1 minute.
The network is gigabit.
ssc-insight:

Add a hosts file entry on one of the workstations for one of the servers you are trying to access and see if the response is faster for the test workstation reaching the server. If so, you've got a DNS issue. If the test does not make a difference please provide information about the device & corresponding config that is between your internal and external switches. You mentioned you are using NAT so that implies you have more than just switches.

don_bruess (asker):

Sorry, yes, we have a WatchGuard firewall.
Question: Why do you have your (what appears to be) servers have external IP addresses?
Question: What protocol(s) are you using for file transfer?
Question: How are your workstations calling your file servers? Is it via IP address or a DNS name or just a host name?
Question: What is the purpose of segregating your workstations from your servers?
Question: Is this a Windows network (eg: Domain or Workgroup) or something else (Linux, etc)?
Most of the servers have duties which require public IPs
Standard file transfer within Windows, cut and paste, or in some cases programs may use other methods; I am not sure about CAD, which is the one that I am working with.
The workstations address the server by DNS; CAD, I believe, uses what it refers to as XREFs.
Windows Domain
Typically we'd see servers on the same subnet as the internal / primary workstations and specific public duties allowed through the firewall on a case by case basis (e.g., e-mail, websites, etc.) as NAT or PAT translations and filter policies on your firewall config. Remote users expect performance to be slower, whereas you don't want internal traffic to be throttled at all by your firewall if you can avoid it.

It sounds like you are making your firewall handle much more traffic than is needed.
The firewall's primary duty is the external connection, but it does route the NAT addresses. Besides the normal web work, FTP, and such, the external servers serve as terminal servers for our remote sites and some are needed for RDP work by software vendors in support roles for their software. I have considered placing three or four of the file sharing servers on the same subnet and removing the outside duties to other servers. I assume by your comment that would make a difference or at least be easier to work with.
Yes. Certainly if you are working with CAD files (typically relatively large), these would be good candidates for bringing inside on the same subnet as primary users. If you are using gigabit switches for your workstations and for your servers, it is unlikely your firewall even handles gigabit speeds unless you have a high-end model.
Don't know what is considered high end; I think the WatchGuard firewall sells for about 2500.00 I
I tried the lmhosts file and found the results the same.
I'm leaning towards throughput issues based on what you've shared. Your firewall throughput will be throttled by the interface speed as well as the configuration work requirements (i.e., how much work you are asking it to do). For example, you may have a gigabit connection to the firewall and therefore the BEST possible throughput you'll get is the same as your gigabit switch. More likely though is the workload requirements will throttle that down far more...

At least if it were a DNS issue the fix might be less involved. Another way to isolate a DNS issue vs. a throughput issue is to test a very small vs. a very large file. If the delays are highly related to file size, I would suspect a throughput issue, whereas if the delays for very small files and large files are comparable, I'd take a closer look at DNS (and you need to edit the hosts file, not the lmhosts file).
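One way to run the small-vs-large comparison ssc-insight describes, as an added example that is not from this thread: it times a small and a large copy to the destination and fits time = fixed + bytes / rate through the two samples, so a constant per-request cost (name resolution, session setup) can be told from a size-dependent one (throughput). The destination path, the probe sizes and the sample timings in the comments are assumptions or constructed values, not measurements from Don's network.

```python
"""Tell a fixed per-request delay from a size-dependent (throughput) delay
by timing a small and a large file copy to the same destination."""
import os
import shutil
import socket
import tempfile
import time


def time_resolve(name):
    """Seconds the resolver needs to turn a server name into an address."""
    t0 = time.perf_counter()
    socket.gethostbyname(name)
    return time.perf_counter() - t0


def time_copy(src, dst):
    """Seconds to copy one file; in a real run dst sits on the server share."""
    t0 = time.perf_counter()
    shutil.copyfile(src, dst)
    return time.perf_counter() - t0


def classify(small_s, large_s, small_bytes, large_bytes, min_size_share=0.7):
    """Fit time = fixed + bytes / rate through the two samples. Returns
    (label, rate_bytes_per_s, fixed_s); label is 'throughput' when most of the
    large-file delay grows with size, else 'fixed-cost' (DNS/session setup).
    Constructed sample: 100 KB in 0.6 s and 100 MB in 600 s -> 'throughput';
    100 KB in 5.2 s and 100 MB in 6.0 s -> 'fixed-cost'."""
    if large_s <= small_s:
        # Far more bytes in no more time: the delay is not bandwidth.
        return "fixed-cost", float("inf"), small_s
    rate = (large_bytes - small_bytes) / (large_s - small_s)
    fixed = max(small_s - small_bytes / rate, 0.0)      # per-request overhead
    size_share = (large_bytes / rate) / large_s          # part of delay due to size
    label = "throughput" if size_share >= min_size_share else "fixed-cost"
    return label, rate, fixed


def probe(dest_dir, server_name=None, small_bytes=64 * 1024, large_bytes=8 * 1024 * 1024):
    """Write two constructed files, copy them into dest_dir (assumed to be the
    share under test, e.g. a mapped drive), remove the copies and classify.
    Returns (label, rate, fixed_s, resolve_s)."""
    resolve_s = time_resolve(server_name) if server_name else 0.0
    with tempfile.TemporaryDirectory() as work:
        paths = {}
        for tag, size in (("small", small_bytes), ("large", large_bytes)):
            paths[tag] = os.path.join(work, tag + ".bin")
            with open(paths[tag], "wb") as f:
                f.write(os.urandom(size))
        timings = {}
        for tag in ("small", "large"):
            dst = os.path.join(dest_dir, "probe_" + tag + ".bin")
            timings[tag] = time_copy(paths[tag], dst)
            os.remove(dst)
    label, rate, fixed = classify(timings["small"], timings["large"], small_bytes, large_bytes)
    return label, rate, fixed, resolve_s
```

Run `probe` twice, once with the workstation on its private address and once on the server's subnet, and compare the fixed term and the rate rather than the raw times.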


OK, I will edit the hosts file and test, and also test small vs. large file transfer time.
If it was throughput, would it not be the same problem with any IP used? In checking the network usage on both the machine and the firewall, the machine never exceeds 3-4% and the firewall stays around 12%.
I suspect that the biggest problem you are having is that SMB is just an extremely chatty protocol. It was never designed with traversing NAT/PAT in mind.

It sounds like you have NetBIOS enabled over TCP/IP. I would recommend against that (especially since you are traversing a firewall) and instead use direct hosting of SMB (http://support.microsoft.com/kb/204279), but only if you aren't using any software which requires NetBIOS.

Because of the rules that are in effect with NetBIOS when you have a domain model, you do need to take that into consideration as well. Here is a good primer to NetBIOS requirements: http://support.microsoft.com/kb/188001

In cases where we need to allow file transfers over a firewall, using another technology besides SMB is usually the best way to go, like FTP or HTTP/S... but I'm getting ahead of myself.

Don, I would seriously recommend that you consider reevaluating your fundamental network design. I think that the problem you are having now is just the tip of the iceberg.

You mention that you are running Active Directory. Are the servers on the other side of the firewall, domain members? If so, did you put a domain controller (or two) over there? And did you then poke ALL the holes that are required for DC communication or make the necessary registry fixes in order to fix your RPC port (http://technet.microsoft.com/en-us/library/bb727063.aspx) on all the servers over there?
Thanks for the input.
I believe TCP/IP NetBIOS is turned on but I will have to verify.
Both the private and public IP ranges are inside the firewall with holes punched for the needed port traffic on the public side. The ACAD work is done locally, not over the internet, so the remote sites do not have the issue; it is local only. I have reviewed the rules on the firewall for the internal traffic and cannot find anything which would cause the issue. But sometimes one cannot see the forest for the trees. I do have several DCs but since they are on the same side of the firewall it should not be an issue. Pulling out what is left of my hair, I am struggling here. The private IP being used, 192.168.0.84, takes 10 times longer than if I switch him to the public IP to load the drawing. The only common thing I can think of is the firewall, but as I said there are no rules showing restricting.
Thanks
Don
My thinking is that the firewall processes the packets differently (or perhaps not at all, i.e. pass through) if it sees the subnet is the same.

Regarding firewall throughput, unfortunately the network usage and firewall CPU utilization are not good indicators of total throttling effect. Efficiencies in the firewall algorithms and other factors impact how quickly the packets are processed. It's true that if the CPU was maxed it would likely be affecting throughput, but the opposite is not true.

Thanks, I will contact the firewall folks and get some input from them. With so few connections and on a few switches you would think this would be a no-brainer... Networks... a never ending story.
The network info you just provided is very helpful.

To isolate the issue further, have you done anything with static route commands to see if you can bypass the firewall function altogether for your inside nodes?

If the firewall defaults to (or otherwise uses) the outside interface for the internal public IP addresses, it is likely that it will be doing some processing, so adding the appropriate static routes may help you direct the traffic in such a way as to effectively bypass the firewall processing.
The firewall sets up using the outside IPs with an option to add secondary IPs. I added the secondary IPs and set it to NAT only if it was outside. You have a point; the people are trying to catch up on their work from my testing. I will try more testing tomorrow. If you think of anything else let me know.

Thanks,
Don
ASKER CERTIFIED SOLUTION by kdearing
Once I added a second NIC everything ran as it should. I have the firewall people also looking at the issue but they felt the switches were not doing what they should be doing. All is fine now. Thanks to everyone who took the time to think about the problem.