zagman76
asked on
Slow network connection with Cisco 871
Hello - I recently configured a Cisco 871 for a home network, and it seems that the connection speed to the internet has been drastically slowed down. I am very new to Cisco routing, and configured it in (what I consider to be) a secure manner. However, the connection speed to the internet has been drastically slowed down.
When using the testing at speakeasy.net (or speedtest.net or dslreports.com) the DL speeds went from (pre-Cisco) 22,000-27,000 kbits/sec to about 5,000-7,000 kbits/sec. If I put a machine directly on the Cable modem, I get the 22000-27000 speeds again. I am convinced it is something I put into the Cisco config that is causing the slowdown.
If anyone has any ideas, please see the attached config code (sans private info) and let me know what you think!
Thanks!
Building configuration...
Current configuration : 13818 bytes
!
! Last configuration change at 21:30:26 NewYork Mon Oct 20 2008 by sysadmin
! NVRAM config last updated at 21:25:17 NewYork Mon Oct 20 2008 by sysadmin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
ip dhcp excluded-address 172.20.21.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name <removed>
ip name-server 172.20.21.10
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method sdm_ddns1
HTTP
add http://<removed>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://<removed>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
!
crypto pki trustpoint TP-self-signed-1198486151
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1198486151
revocation-check none
rsakeypair TP-self-signed-1198486151
!
!
crypto pki certificate chain TP-self-signed-1198486151
certificate self-signed 01
<removed>
quit
username sysadmin privilege 15 secret 5 <removed>
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 112
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
pass
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect sdm-cls-VPNOutsideToInside-4
pass
class type inspect sdm-cls-VPNOutsideToInside-5
inspect
class type inspect sdm-cls-VPNOutsideToInside-6
pass
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <removed> address <removed>
crypto isakmp key <removed> address <removed>
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description SA1
set peer <removed>
set transform-set ESP-3DES-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description SA2
set peer <removed>
set transform-set ESP-3DES-MD5
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description SA3
set peer <removed>
set transform-set ESP-3DES-SHA
match address 110
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip dhcp client update dns server none
ip ddns update hostname <removed>
ip ddns update sdm_ddns1
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 172.20.21.1 255.255.255.0
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 172.25.69.0 0.0.0.255
access-list 1 permit 172.20.21.0 0.0.0.255
access-list 1 deny any
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 172.20.21.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 deny ip 172.20.21.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 100 remark IPSec Rule
access-list 100 deny ip 172.20.21.0 0.0.0.255 172.25.69.0 0.0.0.63
access-list 100 permit ip 172.20.21.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.25.69.0 0.0.0.255 any
access-list 102 permit ip 172.20.21.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.20.21.0 0.0.0.255 172.25.69.0 0.0.0.63
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host <removed> any
access-list 104 permit ip host <removed> any
access-list 104 permit ip host <removed> any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.20.21.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 172.20.21.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.8.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.8.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.22.0.0 0.0.255.255 172.20.21.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 172.25.69.0 0.0.0.63 172.20.21.0 0.0.0.255
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit udp host 172.20.21.10 eq domain any
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq 22
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq 22
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq 443
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq 443
access-list 113 permit tcp 172.20.21.0 0.0.0.255 host 172.20.21.1 eq cmd
access-list 113 permit tcp 172.25.69.0 0.0.0.255 host 172.20.21.1 eq cmd
access-list 113 deny tcp any host 172.20.21.1 eq telnet
access-list 113 deny tcp any host 172.20.21.1 eq 22
access-list 113 deny tcp any host 172.20.21.1 eq www
access-list 113 deny tcp any host 172.20.21.1 eq 443
access-list 113 deny tcp any host 172.20.21.1 eq cmd
access-list 113 deny udp any host 172.20.21.1 eq snmp
access-list 113 permit ip any any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
This is a private system.
-----------------------------------------------------------------------
^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175044
ntp server 129.6.15.29 source FastEthernet4
ntp server 129.6.15.28 source FastEthernet4
end
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Would I be better off doing an "ip inspect" rule, rather than the class-maps & policy maps?
Like I said before, only use the Stateful Packet Inspection functions if you really want to be tight in security.
NAT provides a sufficient "firewall" for most SOHO users, which you're already using.
ip inspect / policy class inspect do the same thing: SPI.
The former one, with a broader, more non-specific class matching config may improve the performance.
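The following is an added example and is not code from this thread, from Cisco, or from the poster. It is a small Python audit script that parses a config shaped like the one posted above and flags the points this thread turns on: an inspect class-map that matches bare tcp/udp (the broad, every-flow inspection the answer above contrasts with a narrower class match), MD5/3DES IKE phase-1 parameters, Telnet permitted on the VTY lines, plain HTTP management left on beside HTTPS, and debug-level syslog traps. The sample config, the parser and the check ids are assumptions; the sample is re-indented the way IOS prints sub-commands, since the pasted copy lost its leading spaces.

```python
"""Audit an IOS running-config for inspection breadth and weak management settings.

Added example for this thread; not Cisco tooling and not the poster's own script.
The parser and the check ids are assumptions covering only the config shapes
seen on the page (class-map/policy-map inspect, isakmp policy, line vty, ip http).
"""

# Constructed excerpt in the shape of the config posted above, re-indented the way
# IOS prints sub-commands (the pasted copy lost its leading spaces).
SAMPLE_CONFIG = """\
hostname gw1
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol http
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
!
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  pass
!
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
ip http server
ip http secure-server
logging trap debugging
!
line vty 0 4
 access-class 102 in
 transport input telnet ssh
"""


def parse_blocks(text):
    """Group an IOS config into (header, [sub-commands]) blocks by indentation.

    Top-level one-liners become blocks with an empty sub-command list;
    comment lines ('!') and blank lines are skipped.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of (check_id, message) findings for the given config text."""
    findings = []
    blocks = parse_blocks(text)
    headers = {h for h, _ in blocks}

    for header, body in blocks:
        # Inspection breadth: a class-map matching bare tcp/udp makes the
        # stateful engine track every flow, not only the listed applications.
        if header.startswith("class-map type inspect"):
            generic = [m for m in body if m in ("match protocol tcp", "match protocol udp")]
            if generic:
                name = header.split()[-1]
                protos = ", ".join(g.split()[-1] for g in generic)
                findings.append(("inspect-all-flows",
                                 f"class-map {name} matches {protos}: "
                                 "every TCP/UDP flow is stateful-inspected"))
        # Weak IKE phase-1 parameters. 3DES may be a peer-imposed constraint
        # (as in this thread), so it is reported rather than silently changed.
        if header.startswith("crypto isakmp policy"):
            weak = [m for m in body if m in ("hash md5", "encr 3des", "encr des")]
            if weak:
                findings.append(("weak-ike", f"{header}: {', '.join(weak)}"))
        # Cleartext management: telnet accepted on the VTY lines.
        if header.startswith("line vty"):
            for m in body:
                if m.startswith("transport input") and "telnet" in m.split():
                    findings.append(("vty-telnet", f"{header}: {m}"))

    if "ip http server" in headers:
        findings.append(("http-plain",
                         "ip http server is enabled alongside ip http secure-server"))
    if "logging trap debugging" in headers:
        findings.append(("trap-debug", "syslog trap level is debugging"))
    return findings


def finding_ids(text):
    """The set of check ids that fired for the given config text."""
    return {cid for cid, _ in audit(text)}


if __name__ == "__main__":
    for cid, msg in audit(SAMPLE_CONFIG):
        print(f"[{cid}] {msg}")
```

Run it against a saved `show running-config` to see which checks fire; on the constructed sample all five do. The inspect-all-flows check is the one relevant to the throughput question: a class-map that matches only the application protocols you actually need gives the inspect engine less to track than a catch-all tcp/udp match.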
ASKER
I am splitting the points, as both answers led me to an acceptable solution. I removed the IPS settings, and I immediately gained a 15-17MBit/s boost in throughput.
ASKER
As far as the IPSec w/3DES - I am restricted to using that, as that is what is required by the System Admins on both of my remote endpoints.