Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Performance/Setup

Status
Not open for further replies.
technical1

technical1

Technical User
Sep 2, 2002
52
GB
Im running a Cisco PIX-515UR with 6 interfaces.
Im using NAT on my web servers they translate the public IP address to 172.17.1.x network.

My web servers deliver dynamic content to the internet they have two NIC's. One NIC is on the 172.x.x.x network and the other is 192.168.x.x network.

The 192.168.x.x network has my database servers.

Ive heard it is best practice to have your web servers behind a DMZ and your database servers behind a seperate interface.

If i were to place my database servers behind a seperate interface and allowed the DMZ web servers only tcp port 1434 access would this cause any performance issues as the web server is only using one NIC to serve internet requests and retrieve databse information.

Im serving dynamic content using cold fusion and running on a MS Win2K platform.
 
Sort by date Sort by votes
technical1 - have you monitored your existing NICS for workload? Are they saturating out or even close? A T1 line can pass 1214251 bits per second (factoring in TCP overhead etc.) A 10 base T (the NIC on the PIX is 10 BT I beleive) connection can handle the traffic of 6 or 7 T1 lines.

That in mind, it is highly doubtful that your 100BT (I assume your internal network is 100 Mbps) NIC will easily handle the traffic. The only limiting factor is the server itself and that workload will not changewhenther you pass it through one or two NICS.
 
Upvote 0 Downvote
Oh - and I failed to discuss the load on the PIX - this, I'll have to admit, I am not expert at. I think it'll have to be a trial and error and some close monitoring.

The PIX 515 specs out at a cleartext throughput of 188 Mbps. Translating that into real life is always tough. There will be overhead loss, it will depend heavily on how well you configure and monitor your ACLS etc - i.e getting the busiest ACL entries atthe top of the list, encryption, VPN traffic and such but I think you'll be okay unless you're running a big porn site with several million hits per hour. :>
 
Upvote 0 Downvote
If you are using a layer2 managable switch, you can have both nics go into the same switch, but have each nic on a separate vlan. This will bypass the pix since you are concerned about performance.

haknwak is right though.... If you only have about a T1 or so of Internet bandwidth, then your PIX should be able to handle the load no problem.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
201
hairlessupportmonkey
hairlessupportmonkey
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
110
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
153
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
224
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
94
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top