You've asked several questions here and I will give you my take on them.

I have found that the PPTP client is slower than the Cisco Secure client,
but you don't have any real choice for the moment.  It is also possible that
you've overloaded the PIX with concurrent VPN users.  The encryption
process, which VPN is based on, can easily overwhelm a processor if it is
not sized correctly, especially if you are using 3DES (you don't say one way
or the other).  One way around this is to purchase a separate encryption
processor card, which offloads the encryption processing from the main PIX
processor.  You didn't mention how many concurrent VPN users you have at
times of "slowness", but it's worth looking into.  You also didn't mention
how much bandwidth is on the outside of the PIX.  Of course, you may just
have to bite the bullet and increase your hardware.  Encryption definitely
takes a toll on the processor.

As for the clear xlate issue, try lowering the translation timeout.  This
will time out and remove the translations much more quickly than the default.
Try 5 minutes, 3 minutes, or whatever you feel like.

As for the security issue, I have a hunch since you mention Windows 2000,
that the users are still logging in as if they are in the office (which
Win2K supports really well compared to other MS OSes) and so their office
credentials (domain) are cached and in effect when they connect to the
physical network.  This is typically a good thing, as a VPN is supposed to
be a relatively seamless connection into the network from remote locations.
If you don't want the users to do this, limit it via the Microsoft network
perspective and not the Cisco perspective.

Hope this helps!

Rik


"Kevin O'Gilvie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I have a pix 515 R, and I have noticed that I have to clear xlate at least
> once a day in order to keep it from slowing down internet access, also I
> have users complaining on how slow the vpn is, I am using ms pptp, due to
> the fact that the windows 2000 client has not come out yet. How can I get
> this pix to maximize performance without upgrading to the UR, which is what
> cisco recommends which is a 6k investment. Is anyone else running into these
> issues? Also I have noticed since I am using local authentication, there is
> no security on my domain, once in all users can map drives, delete and so
> on. I have about 60 users.
>
> Keep in mind that I have global users that use 56k dial up and then pptp to
> the fw.
>
> TIA
> -Kevin
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
