File sharing across 2 PIX 501s with NAT

I have a LAN (10.10.50.0) behind a PIX 501 (PIX-01) with all internal machines NATted to the outside IP as a pooled address. Across the hall I have a server stack (192.168.200.0) behind another PIX 501 (PIX-02) with static NAT addresses to each server. The 2 PIX boxes are connected across a hub. The outside addresses of the 2 PIXes are public addresses on the same subnet.

I want the LAN machines to be able to access file shares on the servers in the stack. So I opened PIX-02 to all incoming traffic on all ports for packets originating from the PAT address of PIX-01. PIX-01 is completely closed to incoming traffic.

This worked OK, but the file sharing has intermittent problems. For example, in the middle of copying a bunch of files from LAN machine A to server B, the process dies with a message that the network destination is no longer available. Also, some file types (ArcView .mxd files) had frequent errors when opening (but still intermittent).

What am I missing? Please don't suggest a VPN (;->) as I already tried that and, while it solved the file sharing problems, it is abysmally slow.

Thanks for any help!

John H.

JohnH

Use VPN! (Really, it isn't slower.)

How many clients? You might run into a license issue with PIX 501s. Check your log for "license limit exceeded" entries.

Get a switch in between your PIX outsides, instead of the hub, as collisions might kill your packets as well. Putting in a switch will, no matter what, lift your overall performance, from half duplex to full duplex, and maybe to 100 mbit.

np Martin

Martin Bilgrav

Really, it is slower. Exact same setup but with firewalls closed and a p2p VPN between the PIXes using single DES, raw transfer speed goes from 300MB/sec to 60MB/sec. That's a lot slower.

Both are 50 user, I only have 20 or so devices in the LAN and 6 in the stack.

Without a switch, performance is fine across the firewalls; the problem is the intermittent dropping of the connection and other file-system errors.

- John H.

JohnH

Did you try reducing your MTU slightly, to prevent fragmentation? Or changing the TCP MSS option on the PIX?

You were asked before in another thread, but I do not recall seeing your answer there: is your MB megabytes or megabits?

The PIX 501 is rated at 60 megabits per second cleartext and 6 megabits per second DES, so if you are getting 60 megabits per second over a 3DES VPN with it, you are greatly exceeding its rated capacity. Perhaps your transform set did not include any encryption at all.

If you need 300 megabits per second of cleartext throughput through a PIX, then you need at least a PIX 525, and for 300 megabits per second of encrypted throughput you need at least a PIX 535 with VAC+ card. Some ASA models would probably handle loads in that range as well.

The PIX 501 is a SOHO firewall, never designed for 300 megabits per second. It would appear that you have badly mis-spec'd the device according to your needs.

Walter Roberson

No, but I will.

Actually, the speeds I listed are as reported by EMC Retrospect as the transfer rate on the remote backup across this link. They are megabytes per second, but I'm sure there is compression going on at the client end so they are not intended as raw benchmarks, but only as a comparison of the impact of the VPN encryption on the speed.

That's good info, thanks.

Yes, the 501 is not a good box for this purpose. I'm trying to eliminate the VPN altogether as I was getting adequate performance just opening the required ports on the firewall. What I'm hunting for with this post is info on any quirks related to Windows file sharing across NAT firewalls.

- John H.

JohnH
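Added illustration (not configuration posted by anyone in this thread) of the two PIX-02 settings the thread touches on: the "everything from the PAT address" rule described in the first post next to a rule set narrowed to the SMB/CIFS ports a Windows file share actually uses, and the TCP MSS clamp suggested in Walter's reply. PIX 6.x syntax is assumed; the public addresses and the server's private address are constructed placeholders.

```cisco
! Added example in PIX 6.x syntax. Constructed placeholder addresses:
!   203.0.113.1   PIX-01 outside interface (the PAT address of the LAN)
!   203.0.113.10  public static address for server B on PIX-02
!   192.168.200.10 server B's real address inside the stack

! --- As described in the thread: all ports, all protocols, from the PAT address ---
access-list outside_in permit ip host 203.0.113.1 any

! --- Narrowed form: static for server B, then only SMB (445) and NetBIOS
!     session (139) from the PAT address to that one server ---
static (inside,outside) 203.0.113.10 192.168.200.10 netmask 255.255.255.255
access-list outside_in permit tcp host 203.0.113.1 host 203.0.113.10 eq 445
access-list outside_in permit tcp host 203.0.113.1 host 203.0.113.10 eq 139
access-group outside_in in interface outside

! --- MSS clamp from the reply above. 1380 is the PIX default; if the path
!     between the two outside interfaces carries a smaller MTU than 1500,
!     lower this so large SMB segments are not fragmented in transit ---
sysopt connection tcpmss 1380
```

Unchanged lines on PIX-01 (the PAT side) stay as they are; only PIX-02's inbound policy and the MSS value are shown.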
