
VPN over ADSL


danr19

Technical User
Aug 30, 2003
Hi,

I have got a PIX 515e installed as main firewall and VPN access with a 2 Mbps Internet connection.

I am doing some tests with VPN Client and I have found the rate over ADSL (512 Kbps download/128 Kbps upload) is quite slow. The maximum rate is almost 8 Kbytes per second.

That rate does not improve if I change AES encryption to 3DES or DES.

With cable modem (128 Kbps) the rate reaches 22 Kbytes per second.

I am planning to install a PIX 506e as a VPN Easy Client over ADSL to serve about 10 or 15 PCs behind it, each one running a telnet application and some file downloading via VPN (web or FTP), and I am worried because if two or more users do a download simultaneously, the other users will see their remote applications slow down.

Does anybody know any tip or PIX feature to improve the performance over ADSL?

Thanks in advance,

Daniel


 
Hi.

Try using a lower MTU value at the workstation and/or server.
In some ADSL implementations it can solve performance problems.

You can test with:
PING -f -l ????

Test also what happens if you change MTU at the pix itself (outside interface).

Do these tests over different Internet connections.

You can also try to temporarily allow FTP or HTTP without VPN (using ACL), just to see if the performance degradation is caused by VPN or maybe something else.



Yizhar Hurwitz
 
Hi Yizhar,

Thanks for your advice. I have changed the MTU but I could not see any difference.
But I have just found the solution adding the following command: "isakmp nat-traversal".
The performance has improved a lot. Now I can get throughput closer to the bandwidth of ADSL.

Another question. How could I filter a specific port in a VPN tunnel?

E.g.: I want to limit the access for one host to only a few ports, like an AS400 (TCP ports 23, 449 and 8470 to 8476).
I have done it with a remote PIX as Easy-client with an access list; the hosts behind it can only access hosts and ports that I have allowed.
When I use VPN client, I cannot do it on the main PIX.

Thanks in advance,

Daniel
 
These commands would allow you to filter traffic with access lists on the central PIX device.

Supposing you want to disallow one of your VPN users HTTP access:
access-list myacl deny tcp <vpn-pool-ip> <mask> any eq 80
vpngroup VPN split-tunnel myacl


 
Hi Paul,

I've tried these commands but they don't work.
I want to block FTP traffic on an AS400, but I can't block it.
Here are the commands I've programmed:

access-list inside_outbound_nat0_acl permit ip host 192.168.100.3 192.168.202.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.202.0 255.255.255.0
access-list 150 deny tcp 192.168.100.3 255.255.255.255 any eq 20
access-list 150 deny tcp 192.168.100.3 255.255.255.255 any eq 21
access-list 150 permit ip host 192.168.100.3 any
ip local pool POOL_AS400 192.168.202.1-192.168.202.254
vpngroup AS400 address-pool POOL_AS400
vpngroup AS400 split-tunnel 150
vpngroup AS400 idle-time 1800
vpngroup AS400 password ********

What is wrong?

Thanks,

Daniel
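To see what access-list 150 as posted above actually matches, here is an added Python evaluator of PIX extended ACL entries with first-match semantics (not code from the thread or from Cisco). It handles the forms used in the posted lines (any, host A, A NETMASK, and a destination-port eq) and treats no match as the implicit deny; note that eq after the destination address compares the destination port of the flow in the direction the entry is written, so an entry with source 192.168.100.3 and any eq 21 matches the AS400 connecting out to port 21, not a client connecting in to the AS400's port 21.

```python
import ipaddress

# Constructed sample input: the three access-list 150 lines posted in the thread.
ACL_150 = """
access-list 150 deny tcp 192.168.100.3 255.255.255.255 any eq 20
access-list 150 deny tcp 192.168.100.3 255.255.255.255 any eq 21
access-list 150 permit ip host 192.168.100.3 any
"""


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A NETMASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists use a normal netmask (255.255.255.255 = single host), not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None  # only destination-port eq is modelled
        entries.append((name, action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """Return the action of the first matching entry; no match is the implicit deny at the end of a PIX ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, action, p, src, dst, dport in entries:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action
    return "deny (implicit)"


if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    for port in (21, 23, 40000):  # 192.168.202.10 is a constructed VPN pool address
        print(port, evaluate(acl, "tcp", "192.168.100.3", "192.168.202.10", port))
```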
 
Do vpngroup AS400 split-tunnel <access-list name>

Put in whatever access list you are using to deny/permit vpn users access to resources.
 