https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761173#M1008655 <P>On a pix 515e ver. 7.0, I've set security levels between the inside and the dmz to 100. Is there anything else I should consider to allow unrestricted access between these two interfaces, I'm experiencing traffic delays from inside to dmz but not from dmz to inside.</P> Mon, 11 Mar 2019 09:54:07 GMT boondocker 2019-03-11T09:54:07Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761173#M1008655 <P>On a pix 515e ver. 7.0, I've set security levels between the inside and the dmz to 100. Is there anything else I should consider to allow unrestricted access between these two interfaces, I'm experiencing traffic delays from inside to dmz but not from dmz to inside.</P> Mon, 11 Mar 2019 09:54:07 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761173#M1008655 boondocker 2019-03-11T09:54:07Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761174#M1008665 <HTML><HEAD></HEAD><BODY><P>Didn't you post the same question yesterday in the thread titled, "Slow traffic from inside to DMZ"?</P><P></P><P>After fixing your speed/duplex issues if the problem persists you need to use the capture feature on the PIX to capture the packets so we can see what is causing the slowdown.</P><P></P><P>Also, you don't need to set the interfaces to the same security level - unless you just want to). Since you most likely upgraded from 6.x to 7.x, if you are not using statics, or nat 0, then you need to disable nat-control by issuing the command "no nat-control".</P><P></P><P>David.</P></BODY></HTML> Fri, 30 Mar 2007 13:58:29 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761174#M1008665 David White 2007-03-30T13:58:29Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761175#M1008674 <HTML><HEAD></HEAD><BODY><P>David,</P><P>I did publish the packet capture but got no response (figured the results were a non-issue). I'm not using NAT between the inside and dmz although I am using NAT between the outside and the dmz.</P></BODY></HTML> Fri, 30 Mar 2007 14:08:56 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761175#M1008674 boondocker 2007-03-30T14:08:56Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761176#M1008679 <HTML><HEAD></HEAD><BODY><P>Hi Boondocker,</P><P></P><P>I just checked again on the other thread, and I don't see the captures. Can you attach them to this thread?</P><P></P><P>Note: I am assuming you know how to capture the packets on the PIX. Please make sure you create two seperate captures, one on the DMZ interface, and one on the Inside - using an ACL to limit the traffic to be captured to just the two IPs doing the transfer. Then do your test, then upload the two capture files in pcap format so we can have a look.</P><P></P><P>If you need help with capture, please let us know.</P><P></P><P>Thanks,</P><P></P><P>David.</P></BODY></HTML> Fri, 30 Mar 2007 14:42:46 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761176#M1008679 David White 2007-03-30T14:42:46Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761177#M1008686 <HTML><HEAD></HEAD><BODY><P>If you could help me out with the commands it would get me started. thx</P></BODY></HTML> Fri, 30 Mar 2007 15:20:20 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761177#M1008686 boondocker 2007-03-30T15:20:20Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761178#M1008691 <HTML><HEAD></HEAD><BODY><P>- Assuming interfaces named inside and dmz</P><P>- Assuming IP of host on DMZ is 10.1.1.2</P><P>- Assuming IP of host on inside is 192.1.1.2</P><P></P><P></P><P>Given the above, if you are not translating the inside host when it goes to the dmz, then you only need one ACL to match the traffic you want to capture:</P><P></P><P> access-list cap permit ip host 10.1.1.2 host 192.1.1.2</P><P> access-list cap permit ip host 192.1.1.2 host 10.1.1.2</P><P></P><P>It has two entries to capture both directions of traffic. Next, you create the captures - one on each interface:</P><P></P><P> capture dmz int dmz access-list cap packet-l 1500</P><P> capture in int inside access-list cap packet-l 1500</P><P></P><P>Once applied, initiate the transfer. The default buffer on the captures is 512 bytes (this can be changed using the 'buffer' option).</P><P></P><P>To pull the captures off the pix, you can use the copy command to do it via TFTP, or you can use HTTPS to pull them off.</P><P></P><P> copy /pcap capture:dmz t<A class="jive-link-custom" href="ftp://" target="_blank">ftp://</A><IP>/<FILENAME></FILENAME></IP></P><P></P><P>Then reapeat for the inside capture as well.</P><P></P><P>Or, you can use https to pull them off:</P><P></P><P> <A class="jive-link-custom" href="https://" target="_blank">https://</A><IP_OF_PIX>/capture/dmz/pcap</IP_OF_PIX></P><P> <A class="jive-link-custom" href="https://" target="_blank">https://</A><IP_OF_PIX>/capture/in/pcap</IP_OF_PIX></P><P></P><P>once pulled off, just upload - or you can look at them yourself in ethereal/wireshark.</P><P></P><P>David.</P></BODY></HTML> Fri, 30 Mar 2007 15:43:20 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761178#M1008691 David White 2007-03-30T15:43:20Z https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761179#M1008695 <HTML><HEAD></HEAD><BODY><P>Thanks for all the suggestions, I set my DMZ switch to a different VLAN then the inside and it fixed the problem.</P></BODY></HTML> Wed, 18 Apr 2007 13:42:38 GMT https://community.cisco.com/t5/network-security/security-levels-and-performance/m-p/761179#M1008695 boondocker 2007-04-18T13:42:38Z