Solved

Slow network connection with Cisco 871

Posted on 2008-10-20
6
1,853 Views
Last Modified: 2012-05-05
Hello - I recently configured a Cisco 871 for a home network, and it seems that the connection speed to the internet has been drastically slowed down.  I am very new to Cisco routing, and configured it in (what I consider to be) a secure manner.  However, the connection speed to the internet has been drastically slowed down.

When using the testing at speakeasy.net (or speedtest.net or dslreports.com) the DL speeds went from (pre-Cisco) 22,000-27,000 kbits/sec to about 5,000-7,000 kbits/sec.  If I put a machine directly on the Cable modem, I get the 22000-27000 speeds again.  I am convinced it is something I put into the Cisco config that is causing the slowdown.  

If anyone has any ideas, please see the attached config code (sans private info) and let me know what you think!

Thanks!
Building configuration...
 
Current configuration : 13818 bytes
!
! Last configuration change at 21:30:26 NewYork Mon Oct 20 2008 by sysadmin
! NVRAM config last updated at 21:25:17 NewYork Mon Oct 20 2008 by sysadmin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
ip dhcp excluded-address 172.20.21.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name <removed>
ip name-server 172.20.21.10
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method sdm_ddns1
 HTTP
  add http://<removed>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://<removed>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
!
crypto pki trustpoint TP-self-signed-1198486151
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1198486151
 revocation-check none
 rsakeypair TP-self-signed-1198486151
!
!
crypto pki certificate chain TP-self-signed-1198486151
 certificate self-signed 01
<removed>
  quit
username sysadmin privilege 15 secret 5 <removed>
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 112
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 101
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-6
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <removed> address <removed>
crypto isakmp key <removed> address <removed>
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description SA1
 set peer <removed>
 set transform-set ESP-3DES-SHA 
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description SA2
 set peer <removed>
 set transform-set ESP-3DES-MD5 
 match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp 
 description SA3
 set peer <removed>
 set transform-set ESP-3DES-SHA 
 match address 110
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update hostname <removed>
 ip ddns update sdm_ddns1
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 172.20.21.1 255.255.255.0
 ip access-group 113 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 172.25.69.0 0.0.0.255
access-list 1 permit 172.20.21.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.20.21.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.20.21.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.20.21.0 0.0.0.255 172.25.69.0 0.0.0.63
access-list 100 permit ip 172.20.21.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.25.69.0 0.0.0.255 any
access-list 102 permit ip 172.20.21.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.20.21.0 0.0.0.255 172.25.69.0 0.0.0.63
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host <removed> any
access-list 104 permit ip host <removed> any
access-list 104 permit ip host <removed> any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.20.21.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 172.20.21.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.8.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.8.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit udp host 172.20.21.10 eq domain any
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq 22
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq 22
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq 443
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq 443
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq cmd
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq cmd
access-list 113 deny   tcp any host 172.20.21.1 eq telnet
access-list 113 deny   tcp any host 172.20.21.1 eq 22
access-list 113 deny   tcp any host 172.20.21.1 eq www
access-list 113 deny   tcp any host 172.20.21.1 eq 443
access-list 113 deny   tcp any host 172.20.21.1 eq cmd
access-list 113 deny   udp any host 172.20.21.1 eq snmp
access-list 113 permit ip any any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
This is a private system.
-----------------------------------------------------------------------
^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175044
ntp server 129.6.15.29 source FastEthernet4
ntp server 129.6.15.28 source FastEthernet4
end

Open in new window

0
Comment
Question by:zagman76
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 10

Accepted Solution

by:
kyleb84 earned 150 total points
ID: 22764211
You've got some pretty serious class based firewall rules in there, not to mention the VPNs.

The Cisco 871 is not a packet routing monster, it's performance will degrade if you load it up with SPI, VPN and other features.

If you like the added security leave it in and put up with the speed, else remove it all and just use NAT's natural ability of pseudo-firewall.
0
 
LVL 16

Assisted Solution

by:SteveJ
SteveJ earned 150 total points
ID: 22770489
I think you are just overworking your router . . . I also think you could possibly trim down your ACLs and make them more efficient . . . why are you adjusting your mss size? Isn't that usually for transient traffic? And . . . IPSec with 3des is a CPU burner . . .

Good luck,
SteveJ
0
 

Author Comment

by:zagman76
ID: 22770613
I am open to suggestions on how to make them more efficient.  I am not familiar enough with Cisco to do that on my own.  Most of what you see was generated by the SDM (the same for the mss size adjustment).

As far as the IPSec w/3DES - I am restricted to using that, as that is what is required by the System Admins on both of my remote endpoints.
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 

Author Comment

by:zagman76
ID: 22771869
Would I be better off doing an  "ip inspect" rule, rather than the class-maps & policy maps?
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22782952
Like I said before, only use the Stateful Packet Inspection functions if you really want to be tight in security.

NAT provides a sufficient "firewall" for most SOHO users, which your already using.

ip inspect / policy class inspect do the same thing; SPI.
The former one, with a broader, more non-specific class matching config may improve the performance.
0
 

Author Comment

by:zagman76
ID: 22876408
I am splitting the points, as both answers led me to an acceptable solution.  I removed the IPS settings, and I immediately gained a 15-17MBit/s boost in throughput.  
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question