
Cisco Client 3.5, DMZ,Radius speed problem


Silene (MIS, GB)
Sep 6, 2001
We are using Cisco Secure Client ver 3.5 to come into our PIX Firewall (ver 6.1.2). There are two VPN groups set up, each one with its own address pool. Thus:
Secure 192.168.48.129-192.168.48.142
Nonsecure 192.168.49.1-192.168.49.31
The crypto map includes a client authentication statement that points to a Windows 2000 RADIUS server for further authentication. The Windows server is programmed to return an access-list name of remote. The access list is simply:
access-list remote permit ip 192.168.49.0 255.255.255.224 host 192.168.49.226
access-list remote permit ip 192.168.48.0 255.255.255.0 any
access-list remote deny ip any any
The main internal web servers are on Inside with 192.168.48.x numbers. The reduced-security one is on DMZ, where the IP address of the interface is 192.168.49.225 255.255.255.224 and the web server is 192.168.49.226.
It all works as designed, in that external users in the secure group can authenticate in and view all servers, and the nonsecure group can only get to the DMZ server.
However, the secure group can view all servers including the DMZ at full speed. The nonsecure group (even if you try it on the same PC) goes at a snail's pace. It can take up to 10 seconds to log in (presumably to the PIX) once authenticated, and then each web page can take 30 seconds to load.
Has anyone any idea what is happening to cause the delay? It's almost as if it is waiting for some kind of timeout before progressing to the next bit.
 
Hi.

Can you try to give the VPN client addresses from a totally different range, like 172.16.x.x for nonsecure and 172.20.x.x for secure?
It seems to me that you have some overlapping in IP addressing and access-list commands.

You should also check for name resolution issues like DNS configuration.

Bye
Yizhar Hurwitz
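To check the addressing/access-list question raised above, here is an added example (not from the thread, nor Cisco code) that parses the PIX access-list "remote" exactly as posted and evaluates it first-match for addresses from both pools. It assumes, as the original post states, that the RADIUS-returned list is applied to both groups, so it shows which destinations a nonsecure client can reach and which are silently dropped (for instance lookups toward an inside DNS server, which would then be left to time out). The inside host 192.168.48.10 is a constructed sample.

```python
import ipaddress
# Constructed from the thread: VPN pools, DMZ web server, and the RADIUS ACL.
POOLS = {
    "secure": ("192.168.48.129", "192.168.48.142"),
    "nonsecure": ("192.168.49.1", "192.168.49.31"),
}
ACL_REMOTE = """
access-list remote permit ip 192.168.49.0 255.255.255.224 host 192.168.49.226
access-list remote permit ip 192.168.48.0 255.255.255.0 any
access-list remote deny ip any any
"""

def parse_endpoint(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a real subnet mask, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()          # access-list NAME ACTION PROTO SRC DST
        src, rest = parse_endpoint(t[4:])
        dst, _ = parse_endpoint(rest)
        entries.append((t[2], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First match wins, as on the PIX; returns (action, line index) or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, snet, dnet) in enumerate(entries):
        if s in snet and d in dnet:
            return action, i
    return "deny", None

def pool_verdicts(entries, pool, dst):
    """Set of verdicts every address of a pool receives toward dst (should be one value)."""
    first, last = (int(ipaddress.ip_address(a)) for a in POOLS[pool])
    return {evaluate(entries, str(ipaddress.ip_address(a)), dst)[0]
            for a in range(first, last + 1)}

if __name__ == "__main__":
    acl = parse_acl(ACL_REMOTE)
    for pool in POOLS:
        for dst in ("192.168.48.10", "192.168.49.226"):
            print(pool, "->", dst, pool_verdicts(acl, pool, dst))
```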