04-20-2012 11:39 AM - edited 03-11-2019 03:56 PM
I have a PIX 515E connected to two ISPs via 2 interfaces. ISP1 is a 3.5Mbps aDSL line, and ISP2 is a 30Mbps business cable. I've confirmed the speeds by connecting the cables directly into a laptop and using wget to download very large files from known-fast sites.
For admin reasons, I need to access two specific subnets using the slower ISP1. The rest of internet traffic should go to the much faster ISP2.
So I configure ISP2 as the default gateway, static routes for the two subnets to ISP1, set up NAT (PAT) and it all works like a charm. I've confirmed that ISP1 is used for only the two subnets, and ISP2 for everything else. CAPTUREs on the pix also confirm this. So far, it all works great.
But for reasons I don't understand, my max. download speed is 3.5 Mbps (the slow DSL). Using various speed tests and wget, I simply cannot get a download speed faster than my 3.5 Mbps DSL line.
Here is my config:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 ISP1 security4
nameif ethernet1 inside security100
nameif ethernet2 outside security0 ; ISP2
ip address ISP1 206.X.X.X 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address outside dhcp setroute
global (ISP1) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route ISP1 172.X.X.X 255.255.255.0 206.X.X.X 1
route ISP1 209.X.X.X 255.255.255.224 206.X.X.X 1
As I mentioned, the above works in that the right traffic is using the correct ISPs, but my download speed on the 30 Mbps ISP2 is limited to the speed of ISP1.
I've tried using policy-based natting, but I get the exact same result:
access-list ISP1 permit ip any 172.X.X.X 255.255.255.0
access-list ISP1 permit ip any 209.X.X.X 255.255.255.224
access-list ISP1 permit ip any 206.X.X.X 255.255.255.224
access-list ISP2 permit ip any any
nat (inside) 1 access-list ISP1
global (ISP1) 1 interface
nat (inside) 2 access-list ISP2
global (outside) 2 interface
route ISP1 172.X.X.X 255.255.255.0 206.X.X.X 1
route ISP1 209.X.X.X 255.255.255.224 206.X.X.X 1
Again, the above works fantastic in sending the right traffic to the correct locations, but seems to limit my download speed to the slower of the 2 links.
Help?
04-24-2012 06:26 AM
In case anyone cares, I got this working. After some packet sniffing I saw duplicate acknowledgements, RSTs and other anomalies, so I decided to simply remove all the outside configs and routes and simply start over. For some reason that worked, I'm getting full speed on both connections and everything is routing/PAT'ing properly.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside2 security4
nameif ethernet1 inside security100
nameif ethernet2 outside security0
ip address outside2 206.X.X.X 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address outside dhcp setroute
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside2 172.X.X.X 255.255.255.0 206.X.X.X 1
route outside2 209.X.X.X 255.255.255.224 206.X.X.X 1
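An added example, not part of the original posts: a small Python check that reads a config in the syntax shown above, picks the egress interface for a destination by longest-prefix match, and confirms a PAT `global` exists on that interface. The addresses are constructed from documentation ranges in place of the masked X.X.X values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the thread's PIX syntax; the masked X.X.X addresses are
# replaced with RFC 5737 documentation ranges (assumption, not the poster's values).
SAMPLE_CONFIG = """\
nameif ethernet0 outside2 security4
nameif ethernet1 inside security100
nameif ethernet2 outside security0
ip address outside2 192.0.2.2 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address outside dhcp setroute
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside2 198.51.100.0 255.255.255.0 192.0.2.1 1
route outside2 203.0.113.0 255.255.255.224 192.0.2.1 1
"""

def parse(config):
    """Collect static routes, PAT globals and nat ids from PIX-style lines."""
    routes, globals_, nat_ids = [], set(), set()
    for line in config.splitlines():
        tok = line.split(";")[0].split()   # drop trailing "; comment" annotations
        if not tok:
            continue
        if tok[0] == "route" and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((net, tok[1]))
        elif tok[:2] == ["ip", "address"] and tok[-2:] == ["dhcp", "setroute"]:
            # setroute installs a default route via the DHCP-supplied gateway
            routes.append((ipaddress.ip_network("0.0.0.0/0"), tok[2]))
        elif tok[0] == "global" and len(tok) >= 3:
            globals_.add((tok[1].strip("()"), tok[2]))
        elif tok[0] == "nat" and len(tok) >= 3:
            nat_ids.add(tok[2])
    return routes, globals_, nat_ids

def egress(config, dest):
    """Return (interface, pat_ok) for dest using longest-prefix match."""
    routes, globals_, nat_ids = parse(config)
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, ifc) for net, ifc in routes if addr in net]
    if not matches:
        return None, False
    ifc = max(matches)[1]
    # PAT works only if some nat id has a matching global on the egress interface
    return ifc, any((ifc, nid) in globals_ for nid in nat_ids)
```

Calling `egress(SAMPLE_CONFIG, "198.51.100.25")` returns the slower link's interface, while any address outside the two static routes falls through to the DHCP-learned default on `outside`.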