Solved

Slow network connection with Cisco 871

Posted on 2008-10-20
1,846 Views
Last Modified: 2012-05-05
Hello - I recently configured a Cisco 871 for a home network, and it seems that the connection speed to the internet has been drastically slowed down.  I am very new to Cisco routing, and configured it in (what I consider to be) a secure manner.  However, the connection speed to the internet has been drastically slowed down.

When using the testing at speakeasy.net (or speedtest.net or dslreports.com) the DL speeds went from (pre-Cisco) 22,000-27,000 kbits/sec to about 5,000-7,000 kbits/sec.  If I put a machine directly on the Cable modem, I get the 22000-27000 speeds again.  I am convinced it is something I put into the Cisco config that is causing the slowdown.  

If anyone has any ideas, please see the attached config code (sans private info) and let me know what you think!

Thanks!
Building configuration...

Current configuration : 13818 bytes
!
! Last configuration change at 21:30:26 NewYork Mon Oct 20 2008 by sysadmin
! NVRAM config last updated at 21:25:17 NewYork Mon Oct 20 2008 by sysadmin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
ip dhcp excluded-address 172.20.21.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name <removed>
ip name-server 172.20.21.10
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method sdm_ddns1
 HTTP
  add http://<removed>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://<removed>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
!
crypto pki trustpoint TP-self-signed-1198486151
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1198486151
 revocation-check none
 rsakeypair TP-self-signed-1198486151
!
!
crypto pki certificate chain TP-self-signed-1198486151
 certificate self-signed 01
<removed>
  quit
username sysadmin privilege 15 secret 5 <removed>
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 112
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 101
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-6
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <removed> address <removed>
crypto isakmp key <removed> address <removed>
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description SA1
 set peer <removed>
 set transform-set ESP-3DES-SHA
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description SA2
 set peer <removed>
 set transform-set ESP-3DES-MD5
 match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description SA3
 set peer <removed>
 set transform-set ESP-3DES-SHA
 match address 110
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update hostname <removed>
 ip ddns update sdm_ddns1
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 172.20.21.1 255.255.255.0
 ip access-group 113 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 172.25.69.0 0.0.0.255
access-list 1 permit 172.20.21.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.20.21.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.20.21.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.20.21.0 0.0.0.255 172.25.69.0 0.0.0.63
access-list 100 permit ip 172.20.21.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.25.69.0 0.0.0.255 any
access-list 102 permit ip 172.20.21.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.20.21.0 0.0.0.255 172.25.69.0 0.0.0.63
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host <removed> any
access-list 104 permit ip host <removed> any
access-list 104 permit ip host <removed> any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.20.21.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 172.20.21.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.8.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.8.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit udp host 172.20.21.10 eq domain any
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq 22
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq 22
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq 443
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq 443
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq cmd
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq cmd
access-list 113 deny   tcp any host 172.20.21.1 eq telnet
access-list 113 deny   tcp any host 172.20.21.1 eq 22
access-list 113 deny   tcp any host 172.20.21.1 eq www
access-list 113 deny   tcp any host 172.20.21.1 eq 443
access-list 113 deny   tcp any host 172.20.21.1 eq cmd
access-list 113 deny   udp any host 172.20.21.1 eq snmp
access-list 113 permit ip any any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
This is a private system.
-----------------------------------------------------------------------
^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175044
ntp server 129.6.15.29 source FastEthernet4
ntp server 129.6.15.28 source FastEthernet4
end

Question by: zagman76

6 Comments

Accepted Solution

by: kyleb84 (earned 150 total points)
ID: 22764211
You've got some pretty serious class-based firewall rules in there, not to mention the VPNs.

The Cisco 871 is not a packet routing monster; its performance will degrade if you load it up with SPI, VPN and other features.

If you like the added security, leave it in and put up with the speed; else remove it all and just use NAT's natural ability to act as a pseudo-firewall.

Assisted Solution

by: SteveJ (earned 150 total points)
ID: 22770489
I think you are just overworking your router . . . I also think you could possibly trim down your ACLs and make them more efficient . . . why are you adjusting your mss size? Isn't that usually for transient traffic? And . . . IPSec with 3des is a CPU burner . . .

Good luck,
SteveJ

Author Comment

by:zagman76
ID: 22770613
I am open to suggestions on how to make them more efficient.  I am not familiar enough with Cisco to do that on my own.  Most of what you see was generated by the SDM (the same for the mss size adjustment).

As far as the IPSec w/3DES - I am restricted to using that, as that is what is required by the System Admins on both of my remote endpoints.

Author Comment

by:zagman76
ID: 22771869
Would I be better off doing an "ip inspect" rule, rather than the class-maps & policy maps?

Expert Comment

by:kyleb84
ID: 22782952
Like I said before, only use the Stateful Packet Inspection functions if you really want to be tight on security.

NAT provides a sufficient "firewall" for most SOHO users, which you're already using.

ip inspect / policy class inspect do the same thing: SPI.
The former, with a broader, less specific class-matching config, may improve the performance.
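
As an added example that is not part of this thread (my own code, not the poster's config and not a Cisco tool), here is a small Python audit that parses an IOS running-config in the shape posted in the question and reports what drives the slowdown on a box this size: inspect class-maps that end in `match protocol tcp` / `match protocol udp` (which make the `sdm-inspect` policy track every session, not just the named applications above them), the number of classes carrying an `inspect` action, and the per-packet interface features (`crypto map`, `ip virtual-reassembly`, `ip tcp adjust-mss`). It also reads the CBAC `ip inspect name` form asked about in the follow-up and reports it under the same finding code, since both styles are stateful inspection. Alongside the performance items it flags what a security reviewer would want fixed regardless of throughput: 3DES, MD5 and DH group 2 in the ISAKMP policies and transform sets, the cleartext `ip http server`, and `telnet` in `transport input` on the vty lines. `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config, and the finding codes are names I chose for this script.

```python
"""Audit a Cisco IOS config for stateful-inspection scope and weak/exposed
settings.  Added example, not from the original thread: SAMPLE_CONFIG is a
constructed excerpt modelled on the posted 871 config plus a CBAC 'ip inspect
name' rule; the finding codes are this script's own names, not IOS terms."""

SAMPLE_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  pass
ip inspect name CBAC_FW tcp
ip inspect name CBAC_FW udp
crypto isakmp policy 2
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
interface FastEthernet4
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 crypto map SDM_CMAP_1
interface Vlan1
 ip tcp adjust-mss 1452
ip http server
line vty 0 4
 transport input telnet ssh
"""

# 'match protocol tcp/udp' (ZBF) or 'ip inspect name X tcp/udp' (CBAC) make the
# firewall track every session, not only the named application protocols.
GENERIC = {"tcp", "udp"}
WEAK_IKE = {"encr 3des", "hash md5", "group 2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Interface features that add per-packet CPU work on a small router.
PER_PACKET = ("crypto map", "ip virtual-reassembly", "ip tcp adjust-mss")


def parse_blocks(config):
    """Return [(top-level line, [indented child lines])], whitespace stripped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit(config):
    """Return (code, detail) findings in config order."""
    findings = []

    def note(code, detail):
        findings.append((code, detail))

    for head, body in parse_blocks(config):
        w = head.split()
        if head.startswith("class-map type inspect"):
            hit = [m.split()[-1] for m in body
                   if m.startswith("match protocol") and m.split()[-1] in GENERIC]
            if hit:
                note("generic-inspect", f"class-map {w[-1]} matches {'/'.join(hit)}")
        elif head.startswith("ip inspect name") and w[-1] in GENERIC:
            note("generic-inspect", f"ip inspect {w[3]} inspects all {w[-1]}")
        elif head.startswith("policy-map type inspect"):
            n = body.count("inspect")
            if n:
                note("inspect-action", f"policy-map {w[-1]}: {n} class(es) inspected")
        elif head.startswith("interface"):
            for feat in PER_PACKET:
                if any(line.startswith(feat) for line in body):
                    note("per-packet", f"{w[1]}: {feat}")
        elif head.startswith("crypto isakmp policy"):
            weak = sorted(WEAK_IKE & set(body))
            if weak:
                note("weak-ike", f"isakmp policy {w[-1]}: {', '.join(weak)}")
        elif head.startswith("crypto ipsec transform-set"):
            if WEAK_ESP & set(w[4:]):
                note("weak-transform", w[3])
        elif head == "ip http server":
            note("http-mgmt", "cleartext HTTP management enabled")
        elif head.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    note("telnet-vty", f"{head}: {line}")
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:16} {detail}")
```

Save it as, say, `ios_audit.py` and run `python3 ios_audit.py` to print the findings for the sample, or pass a full `show running-config` capture to `audit()`. Whatever you decide about the inspect policy, two of the flagged items cost nothing in throughput to fix: `no ip http server` (leaving `ip http secure-server` in place) and `transport input ssh` under `line vty 0 4`.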

Author Comment

by:zagman76
ID: 22876408
I am splitting the points, as both answers led me to an acceptable solution. I removed the IPS settings, and I immediately gained a 15-17 Mbit/s boost in throughput.