
PIX 515e, 2 ISPs, max speed is slower ISP

eclipsefnd
Level 1

I have a PIX 515e connected to two ISPs via 2 interfaces.  ISP1 is a 3.5Mbps ADSL line, and ISP2 is a 30Mbps business cable.  I've confirmed the speeds by connecting the cables directly into a laptop and using wget to download very large files from known-fast sites.

For admin reasons, I need to access two specific subnets using the slower ISP1.  The rest of internet traffic should go to the much faster ISP2.

So I configure ISP2 as the default gateway, static routes for the two subnets to ISP1, set up NAT (PAT) and it all works like a charm.  I've confirmed that ISP1 is used for only the two subnets, and ISP2 for everything else.  CAPTUREs on the pix also confirm this.  So far, it all works great.

But for reasons I don't understand, my max. download speed is 3.5 Mbps (the slow DSL).  Using various speed tests and wget, I simply cannot get a download speed faster than my 3.5 Mbps DSL line.

Here is my config:

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 ISP1 security4

nameif ethernet1 inside security100

nameif ethernet2 outside security0   ; ISP2

ip address ISP1 206.X.X.X 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

ip address outside dhcp setroute

global (ISP1) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route ISP1 172.X.X.X 255.255.255.0 206.X.X.X 1

route ISP1 209.X.X.X 255.255.255.224 206.X.X.X 1

As I mentioned, the above works in that the right traffic is using the correct ISPs, but my download speed on the 30 Mbps ISP2 is limited to the speed of ISP1.

I've tried using policy-based natting, but I get the exact same result:

access-list ISP1 permit ip any 172.X.X.X 255.255.255.0

access-list ISP1 permit ip any 209.X.X.X 255.255.255.224

access-list ISP1 permit ip any 206.X.X.X  255.255.255.224

access-list ISP2 permit  ip any any

nat (inside) 1 access-list ISP1

global (ISP1) 1 interface

nat (inside) 2 access-list ISP2

global (outside) 2 interface

route ISP1 172.X.X.X 255.255.255.0 206.X.X.X 1

route ISP1 209.X.X.X 255.255.255.224 206.X.X.X 1

Again, the above works fantastic in sending the right traffic to the correct locations, but seems to limit my download speed to the slower of the 2 links.

Help?

1 Reply

eclipsefnd
Level 1

In case anyone cares, I got this working.  After some packet sniffing I saw duplicate acknowledgements, RSTs and other anomalies, so I decided to simply remove all the outside configs and routes and simply start over.  For some reason that worked, I'm getting full speed on both connections and everything is routing/PAT'ing properly.

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside2 security4

nameif ethernet1 inside security100

nameif ethernet2 outside security0

ip address outside2 206.X.X.X 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

ip address outside dhcp setroute

global (outside2) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside2 172.X.X.X 255.255.255.0 206.X.X.X 1

route outside2 209.X.X.X 255.255.255.224 206.X.X.X 1
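
An added example, not part of the original posts: a small offline check that models the dual-ISP setup above, so a config can be tested for which interface and PAT pool a destination will use before it is loaded. It assumes the egress interface is chosen by longest-prefix route match and that PAT needs a `global` on that interface sharing an id with a `nat` statement; the addresses are constructed stand-ins for the redacted 172.X.X.X, 209.X.X.X and 206.X.X.X values, and `parse` and `egress` are hypothetical helper names.

```python
import ipaddress

# Constructed stand-ins for the redacted 172.X.X.X / 209.X.X.X / 206.X.X.X values.
CONFIG = """\
ip address outside2 203.0.113.2 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address outside dhcp setroute
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside2 172.16.50.0 255.255.255.0 203.0.113.1 1
route outside2 209.165.200.224 255.255.255.224 203.0.113.1 1
"""

def parse(config):
    """Return (routes, pools_by_interface, nat_ids) from the config lines."""
    routes, pools, nat_ids = [], {}, set()
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "route":
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[1]))
        elif w[:2] == ["ip", "address"] and w[-2:] == ["dhcp", "setroute"]:
            # Assumption: setroute installs the DHCP-learned default route here.
            routes.append((ipaddress.ip_network("0.0.0.0/0"), w[2]))
        elif w[0] == "global":
            pools.setdefault(w[1].strip("()"), set()).add(w[2])
        elif w[0] == "nat":
            nat_ids.add(w[2])
    return routes, pools, nat_ids

def egress(config, dst):
    """Return (interface, has_pat) for a destination address.

    Longest-prefix match picks the interface; has_pat is True when a global
    on that interface shares an id with a nat statement.
    """
    routes, pools, nat_ids = parse(config)
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    if not matches:
        return None, False
    _, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return ifc, bool(pools.get(ifc, set()) & nat_ids)

if __name__ == "__main__":
    for dst in ("172.16.50.10", "209.165.200.230", "8.8.8.8"):
        print(dst, egress(CONFIG, dst))
```

A result of `(interface, False)` flags traffic that is routed to an interface with no matching PAT pool, which is worth catching before comparing against captures on the firewall.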
