1. Check the firewall configuration. No special configuration is found, except that NAT is enabled on the interface connecting the firewall to the router.
interface Vlanif1 ///Intranet interface
alias Inside VLAN
ip address 10.1.1.2 255.255.255.0
interface Vlanif15 ///Extranet interface
alias Outside VLAN
ip address 192.168.15.2 255.255.255.0
2. Connect a PC to the router on the Internet and ping a public address from the PC. No packets are discarded. However, many packets are discarded during a ping from the firewall to a public address, while no packets are discarded during a ping in the reverse direction. The router is therefore suspected of rate limiting packets received from the firewall interface IP address.
3. Because NAT is enabled on the firewall interface, the source addresses in the packets sent by intranet users to access the Internet are translated into the interface IP address. The router may rate-limit packets received from the firewall interface.
4. Disable NAT on the interface and configure a NAT address pool. Configure 255 addresses for the NAT address pool and ensure that the addresses in the NAT address pool are on the same network segment as the firewall interface IP address.
nat address-group 0 192.168.15.1 192.168.15.254
When intranet users access the Internet, the access speed is greatly increased.
The upstream router of the firewall rate-limits each source IP address. Because interface NAT makes all intranet users access the Internet through the same IP address, they all share a single rate limit. As a result, the Internet access speed is low.
Disable NAT on the interface and increase the number of addresses in the address pool.
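The root cause above can be reproduced with a small model. This is an added example, not part of the original case: the round-robin client-to-address mapping, the fixed per-second limit and the load figures (50 clients, 20 pps each, 100 pps per source IP) are assumptions, since the case does not state the router's actual limiting algorithm or thresholds.

```python
import ipaddress
from collections import Counter

def pool(first, last):
    """Expand an address-group range (first..last) into a list of addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]

def drop_ratio(nat_addrs, clients, pps_per_client, limit_pps):
    """Fraction of packets the upstream router drops in one second.

    Assumed model: each intranet client is pinned to one post-NAT address
    (round-robin), and the router forwards at most limit_pps packets per
    second from each source IP, dropping the excess.
    """
    per_ip = Counter()
    for c in range(clients):
        per_ip[nat_addrs[c % len(nat_addrs)]] += pps_per_client
    sent = sum(per_ip.values())
    dropped = sum(max(0, n - limit_pps) for n in per_ip.values())
    return dropped / sent

def min_pool_size(clients, pps_per_client, limit_pps):
    """Smallest pool for which no source IP exceeds the limit in this model."""
    clients_per_ip = limit_pps // pps_per_client
    if clients_per_ip == 0:
        raise ValueError("a single client already exceeds the per-IP limit")
    return -(-clients // clients_per_ip)  # ceiling division

if __name__ == "__main__":
    # Constructed load, not measured values from the case.
    load = dict(clients=50, pps_per_client=20, limit_pps=100)
    interface_nat = [ipaddress.IPv4Address("192.168.15.2")]  # Vlanif15 address
    address_group = pool("192.168.15.1", "192.168.15.254")   # nat address-group 0
    print("interface NAT drop ratio:", drop_ratio(interface_nat, **load))
    print("address pool drop ratio :", drop_ratio(address_group, **load))
    print("minimum pool size       :", min_pool_size(**load))
```

In this model a pool only helps once it is large enough that the clients sharing each address stay under the per-IP limit, which is why the solution calls for increasing the number of addresses rather than just enabling a pool.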