I've found that using FTP to a server behind a Cisco 837 gives poor performance. The server is published using static NAT:
ip nat inside source static 192.168.168.14 123.123.123.82
with an ACL that includes:
no access-list 111
access-list 111 remark Incoming access from the Internet
...
access-list 111 permit tcp any host 123.123.123.82 eq 21
...
access-list 111 deny ip any any log
I've attached the full config below.
Using the WinXP command line FTP client to connect to the external address, 123.123.123.82, I only get 16-18KB/sec transfers on both uploads and downloads. But if I go through the LAN to LAN VPN and connect to the LAN address, 192.168.168.14, I get 75KB download and about 250KB upload, which matches the ADSLMax line speed of 3Mbps/800Kbps.
My guess is that the VPN bypasses the firewall, and it's the firewall that is responsible for the poor performance. Is there a way round this? I know the 837 is entry level in Cisco standards, but even a Draytek 2800 at half the price can do FTP at full speed. Incidentally I've tested this at two of our remote offices and I get the slow FTP problem at both, so it's not just a duff router. Also HTTP downloads from the same server through the same 837 run at the expected 75KB/sec so the problem seems restricted to FTP, possibly because the FTP requires secondary connections so it's more work for the firewall?
Anyhow, thanks for any help.
John Rennie
----8
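
The secondary connections mentioned in the post, shown as an added example that is not part of the original post and not the router's own logic: in passive mode the server's 227 reply names the data-channel address and port, so a device applying the static NAT above has to parse each reply, rewrite 192.168.168.14 to 123.123.123.82, and accept a data connection on a port that the visible `eq 21` entry does not cover. The function names and the sample control-channel lines are constructed for illustration.

```python
import re

# Static NAT mapping taken from the post (inside address -> published address).
NAT = {"192.168.168.14": "123.123.123.82"}

# RFC 959 encodes an endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2.
ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed control-channel lines (not captured from the poster's network).
SAMPLE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,168,168,14,19,137)",
    "227 Entering Passive Mode (192,168,168,14,999,1)",  # malformed on purpose
]


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or 227 reply, else None."""
    verb = line.split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = ENDPOINT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed endpoint: open nothing for it
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def translate_reply(line, nat=NAT):
    """Rewrite the inside address in a server's 227 reply to the published one.

    Returns (rewritten_line, pinhole); pinhole is the (ip, port) on which a
    data connection must be accepted, or None if the line names no endpoint.
    """
    ep = parse_endpoint(line)
    if ep is None or not line.startswith("227"):
        return line, None
    ip, port = ep
    public = nat.get(ip, ip)
    m = ENDPOINT.search(line)
    new = "%s,%d,%d" % (public.replace(".", ","), port // 256, port % 256)
    return line[:m.start()] + new + line[m.end():], (public, port)


if __name__ == "__main__":
    for raw in SAMPLE:
        print(translate_reply(raw))
```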