File sharing across 2 PIX 501s with NAT

Discussion in 'Cisco' started by JohnH, Aug 15, 2006.

  1. JohnH

    I have a LAN ( behind a PIX 501 (PIX-01) with all internal
    machines NATTed to the outside IP as a Pooled address. Across the hall
    I have a server stack ( behind another PIX 501 (PIX-02)
    with static NAT addresses to each server. The 2 PIX boxes are
    connected across a hub. The outside addresses of the 2 PIXes are
    public addresses on the same subnet.

    I want the LAN machines to be able to access file shares on the servers
    in the stack. So I opened PIX-02 to all incoming traffic on all ports
    for packets originating from the PAT address of PIX-01. PIX-01 is
    completely closed to incoming traffic.

    This worked OK, but the file sharing has intermittent problems. For
    example, in the middle of copying a bunch of files from LAN machine A
    to server B, the process dies with a message that the network
    destination is no longer available. Also, some file types (ArcView
    .mxd files) had frequent errors when opening (but still intermittent).

    What am I missing? Please don't suggest a VPN (;->) as I already tried
    that and, while it solved the file sharing problems, it is abysmally

    Thanks for any help!

    John H.
    JohnH, Aug 15, 2006
  2. Use VPN! (really, it isn't slower)

    How many clients? You might run into a license issue with PIX 501s.
    Check your log for "license limit exceeded" entries.

    Get a switch in between your PIX outsides, instead of the hub, as collisions
    might kill your packets as well.
    Putting in a switch will, no matter what, lift your overall performance, from
    half duplex to full duplex, and maybe to 100 Mbit.
    Martin Bilgrav, Aug 15, 2006
  3. JohnH

    Really, it is slower. Exact same setup but with firewalls closed and a
    p2p VPN between the PIXes using single DES, raw transfer speed goes
    from 300MB/sec to 60MB/sec. That's a lot slower.
    Both are 50-user; I only have 20 or so devices in the LAN and 6 in the
    Without a switch, performance is fine across the firewalls; the problem
    is the intermittent dropping of the connection and other file-system

    - John H.
    JohnH, Aug 16, 2006
  4. Did you try reducing your MTU slightly, to prevent fragmentation?
    Or changing the TCP MSS option on the PIX?

    You were asked before in another thread, but I do not recall
    seeing your answer there: is your MB megabytes or megabits?

    The PIX 501 is rated at 60 megabits per second cleartext and 6
    megabits per second DES, so if you are getting 60 megabits per second
    over a 3DES VPN with it, you are greatly exceeding its rated capacity.
    Perhaps your transform set did not include any encryption at all.

    If you need 300 megabits per second of cleartext throughput through
    a PIX, then you need at least a PIX 525, and for 300 megabits
    per second of encrypted throughput you need at least a PIX 535 with
    VAC+ card. Some ASA models would probably handle loads in that range
    as well.

    The PIX 501 is a SOHO firewall, never designed for 300 megabits per
    second. It would appear that you have badly mis-spec'd the device
    according to your needs.
    Walter Roberson, Aug 18, 2006
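    The MTU/MSS suggestion above can be checked with a small calculation before touching the PIX. The following Python block is an added example written for this thread, not code from any poster or from Cisco. It assumes IPv4 (20-byte header) and TCP (20-byte header, optional options), and for the VPN case it assumes ESP tunnel mode with a CBC cipher such as DES/3DES (8-byte IV, 8-byte padding block, 2-byte trailer) and a 96-bit HMAC (12-byte ICV), with no NAT-T UDP encapsulation; the `sysopt connection tcpmss` command is the PIX 6.x knob for MSS clamping, and the 1380 default it ships with is Cisco's conservative figure for that same IPsec case.

```python
"""Work out the largest TCP MSS that avoids IP fragmentation through a PIX,
with and without ESP tunnel-mode encapsulation (added example, not from the thread)."""
from dataclasses import dataclass

IPV4_HEADER = 20   # bytes, no IP options
TCP_HEADER = 20    # bytes, before TCP options


@dataclass(frozen=True)
class EspOverhead:
    """Per-packet bytes added by ESP tunnel mode with a CBC cipher and HMAC.
    Assumed values for DES/3DES-CBC + HMAC-MD5/SHA-1 (96-bit ICV)."""
    outer_ip: int = 20     # new IPv4 header added in tunnel mode
    esp_header: int = 8    # SPI + sequence number
    iv: int = 8            # CBC initialisation vector (8-byte block cipher)
    block: int = 8         # payload + trailer is padded to this boundary
    trailer: int = 2       # pad-length + next-header bytes
    icv: int = 12          # truncated HMAC


def esp_packet_size(inner_len: int, o: EspOverhead = EspOverhead()) -> int:
    """Size on the wire of an inner IP packet of `inner_len` bytes after ESP
    tunnel-mode encapsulation, including CBC padding."""
    pad = (-(inner_len + o.trailer)) % o.block
    return o.outer_ip + o.esp_header + o.iv + inner_len + pad + o.trailer + o.icv


def would_fragment(mss: int, mtu: int, ipsec: bool = False, tcp_options: int = 0) -> bool:
    """True if a full-size segment carrying `mss` payload bytes would exceed
    `mtu` on the link (after ESP encapsulation when `ipsec` is set)."""
    inner = IPV4_HEADER + TCP_HEADER + tcp_options + mss
    outer = esp_packet_size(inner) if ipsec else inner
    return outer > mtu


def max_mss(mtu: int, ipsec: bool = False, tcp_options: int = 0) -> int:
    """Largest MSS whose full-size segments fit in `mtu` without fragmenting."""
    mss = mtu - IPV4_HEADER - TCP_HEADER - tcp_options
    # For the cleartext case the subtraction is exact; for ESP, step down
    # until the padded, encapsulated packet fits.
    while mss > 0 and would_fragment(mss, mtu, ipsec, tcp_options):
        mss -= 1
    return mss


def pix_tcpmss_line(mss: int) -> str:
    """PIX 6.x configuration line that clamps the MSS on connections it sees."""
    return f"sysopt connection tcpmss {mss}"


if __name__ == "__main__":
    for label, ipsec in (("cleartext", False), ("ESP tunnel (DES/3DES, HMAC)", True)):
        mss = max_mss(1500, ipsec=ipsec)
        print(f"{label}: max MSS {mss} -> {pix_tcpmss_line(mss)}")
    # A host that negotiates 1460 over the VPN will fragment every full segment:
    print("1460 over ESP fragments:", would_fragment(1460, 1500, ipsec=True))
```

    The clamp only helps if it is below what the hosts would otherwise negotiate; on a 1500-byte path the cleartext answer is 1460, which is what Windows already uses, so for the no-VPN setup in this thread the MSS is only worth lowering if there is extra overhead somewhere on the path (a PPPoE or VLAN hop, for example). For the DES/3DES tunnel the padded ESP arithmetic gives 1406, and the PIX default of 1380 stays safely under it.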
  5. JohnH

    No, but I will.
    Actually, the speeds I listed are as reported by EMC Retrospect as the
    transfer rate on the remote backup across this link. They are
    megabytes per second, but I'm sure there is compression going on at the
    client end so they are not intended as raw benchmarks, but only as a
    comparison of the impact of the VPN encryption on the speed.
    That's good info, thanks.
    Yes, the 501 is not a good box for this purpose. I'm trying to
    eliminate the VPN altogether as I was getting adequate performance just
    opening the required ports on the firewall. What I'm hunting for with
    this post is info on any quirks related to Windows file sharing across
    NAT firewalls.

    - John H.
    JohnH, Aug 18, 2006
