Network Speed Question

The PIX 506 and PIX 506E are identical in supported interface line rates. They both support 10 and 100, full and half duplex, and both support autonegotiation.

The documentation does indicate that autonegotation is only supported on units with the intel ethernet interface, but indicates that all units from november 1996 had that interface -- and the 506 was released after that.

The datasheets for the 506 are hard (or impossible) to find on cisco.com as it is End of Sale, but the Syngress "Managing Cisco Network Security" book does indicate "two Fast Ethernet 10/100 ports" for it (chapter 4, page 133, in the first edition).

There is the 6.3(1) release note that is not well explained, about the interface speeds for the 501 and 506E, and I do recall that before that point the 501 only supported 10 Mbs on its outside interface, with the 6.3(1) allowing it to go to 100 Mbps. I know this from practical experience; it is not documented anywhere I can find. The release note does not mention the 506, just the 506E, so there is a -possibility- of an undocumented restriction on the

506 that prevents it from using 100 Mbps on the outside interface even though the hardware supports it -- but there is also a possibility that 100 Mbps is unlocked by 6.3(1) on the 506 as well. Hard to say without access to the devices and releases.

But getting back to your question: the 8 Mbps ADSL limit is not necessarily the limiting factor. You need to look at the maximum aggregate cleartext throughput on the PIX 506, which happens to be

20 Mbps -- i.e., 10 Mbps in both directions. So that's okay. But if you want to start running a VPN then you need to look at the VPN speeds on the 506 and 506E. The 506 supports 20 Mbps DES, 10 Mbps 3DES -- so if you were trying to run a 3DES VPN at full speed at full duplex, the 506 would be the limiting factor, as it would only be doing 5 Mbps in that case. But there is an odd note in the PIX 506E/515E Q&Q, in the 6.1(2) timeframe, that indicates that the maximum VPN throughput for the 506 is 10 Mbps, which is kind of an odd thing to say about a device documented to be able to move 20 Mbps DES; there is no documentation indicating whether it was improved later (e.g., does AES give better throughput?) According to the same Q&A, the maximum VPN throughput for the 506E is 16 Mbps (again, odd on a device documented to move 20 Mbps DES, 17 Mbps 3DES, and 30 Mbps AES-128)

Insufficient information. If you aren't checking on a speed test from a local node of the same ISP, then the limit might be somewhere else in the network. Or the limit might be in your equipment. Also, check in case you have a unit mismatch: 8 megabits per second is 1 megabyte per second: perhaps the test is reporting in megabytes per second instead of megabits per second?

Yes. I suggest you look on dslreports.com for their TCP tweaking utility; you might be able to improve your transfer speeds noticably over the default configuration.

Thanks Walter.

The PIX 506 I have at home is running 6.3(4) but the message I receive when trying to change any of the interface speeds to 100 is:

pixfirewall(config)# interface ethernet1 100full ethernet1 can only be set to 10baseT, 10full or auto.

I changed the settings of both interfaces from autonegotiation to

10BaseT and the internet is now running at an average of 1 Mbs up from 200Kbs when I tested a few times using auto. I've used the same testing website throughout and the units have always been megabits per second.