Solved

Cisco 3725 not performing well with Comcast

Posted on 2008-10-27
821 Views
Last Modified: 2013-12-14
I recently moved to an area with faster internet access than I
previously had. I am able to connect directly to the cable modem
(Comcast) and download starting at 2.0mb/s, and it trickles down to
about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
router in the mix, the performance is very poor. It may burst
for a second or two but downloads at about 100kb/s, and I've repeated
these results on a Vista box and an Apple notebook. Here's my config
from my router.

Any tips on why I'm having such poor performance with my router would
be greatly appreciated. I have tried disabling the built-in IDS, but that
didn't seem to make a difference.

Internet -> F0/0 router F1/1.2 -> host 172.16.2.X
!
! Last configuration change at 00:20:30 EST Mon Oct 27 2008 by rsreese
! NVRAM config last updated at 00:22:28 EST Mon Oct 27 2008 by rsreese
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot system flash:/c3725-adventerprisek9-mz.124-21.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console informational
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate slot 1
network-clock-participate slot 2
no ip source-route
!
ip traffic-export profile IDS-SNORT
  interface FastEthernet0/0
  bidirectional
  mac-address 000c.2989.f93a
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
!
ip dhcp pool VLAN2clients
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   option 66 ip 172.16.2.10
   option 150 ip 172.16.2.10
   dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip dhcp pool VLAN3clients
   network 172.16.3.0 255.255.255.0
   default-router 172.16.3.1
   dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-995375956
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-995375956
 revocation-check none
 rsakeypair TP-self-signed-995375956
!
!
crypto pki certificate chain TP-self-signed-995375956
 certificate self-signed 01
 
  quit
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
  quit
username rsreese privilege 15 secret 5
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key address 10.0.0.2 no-xauth
crypto isakmp key address 74.245.61.45 no-xauth
!
crypto isakmp client configuration group VPN-Users
 key
 dns 68.87.74.162 68.87.68.162
 domain neocipher.net
 pool VPN_POOL
 acl 115
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
 set peer 10.0.0.2
 set peer 74.245.61.45
 set transform-set ESP-3DES-SHA
 match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 ip virtual-reassembly
!
interface Tunnel0
 description HE.net
 no ip address
 ipv6 address 2001:470:1F06:3B6::2/64
 ipv6 enable
 tunnel source 68.156.61.58
 tunnel destination 209.51.161.14
 tunnel mode ipv6ip
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip access-group 104 in
 no ip unreachables
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map CLIENTMAP
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 10.0.0.1 255.255.240.0
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip unreachables
 ip inspect SDM_LOW out
 ip virtual-reassembly
 clock rate 2000000
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 no ip address
 no ip unreachables
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:1F07:3B6::/64 eui-64
 ipv6 enable
 crypto map CLIENTMAP
!
interface FastEthernet0/1.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip access-group 102 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
 no ip address
 no ip unreachables
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Loopback0
 ip access-group 103 in
 no ip unreachables
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   tcp any any range 1 chargen log
access-list 101 deny   tcp any any eq whois log
access-list 101 deny   tcp any any eq 93 log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any range exec 518 log
access-list 101 deny   tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny   ip host 255.255.255.255 any log
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 172.16.2.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.0.15.255 any
access-list 103 deny   ip 172.16.3.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   icmp any any echo log
access-list 104 deny   icmp any any mask-request log
access-list 104 deny   icmp any any redirect log
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny   ip host 255.255.255.255 any log
access-list 104 deny   tcp any any range 6000 6063 log
access-list 104 deny   tcp any any eq 6667 log
access-list 104 deny   tcp any any range 12345 12346 log
access-list 104 deny   tcp any any eq 31337 log
access-list 104 deny   udp any any eq 2049 log
access-list 104 deny   udp any any eq 31337 log
access-list 104 deny   udp any any range 33400 34400 log
access-list 104 deny   ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny   ip 172.16.2.0 0.0.0.255 any
access-list 105 deny   ip 192.168.0.0 0.0.0.255 any
access-list 105 deny   ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7
 transport input ssh
line vty 5 903
 transport input ssh
!
ntp clock-period 17180660
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end

Question by:adamshields
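An added example, not part of the thread or of Cisco tooling: a small Python helper that parses an IOS-style config excerpt like the one posted, lists which forwarding-path features (ACL, CBAC inspect, IPS, NAT, crypto map) sit on each interface, counts how many ACEs per ACL end in `log`, and flags the management-plane lines worth hardening. The excerpt is a constructed, trimmed subset of the posted config, and the parsing rules are assumptions about IOS output formatting.

```python
import re
# Constructed excerpt of the posted 3725 running-config (IOS syntax, trimmed).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 crypto map CLIENTMAP
!
interface FastEthernet0/1.2
 ip access-group 101 in
!
access-list 101 permit ip any any
access-list 104 permit icmp any any echo-reply
access-list 104 deny   icmp any any echo log
access-list 104 deny   ip any any log
snmp-server community public RO
ip http server
"""
FEATURE_RE = re.compile(r"^(ip access-group \S+ (in|out)|ip inspect \S+ (in|out)|"  # forwarding-path hooks
                        r"ip ips \S+ (in|out)|ip nat (inside|outside)|crypto map \S+)$")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; '!' or a global command ends a block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def packet_path_features(config):
    """Per interface: the ACL, CBAC inspect, IPS, NAT and crypto-map hooks traffic passes."""
    return {n: [c for c in cmds if FEATURE_RE.match(c)]
            for n, cmds in parse_interfaces(config).items()}

def acl_stats(config):
    """Per numbered ACL: ACE count and how many end in 'log' (each hit is a syslog event)."""
    stats = {}
    for line in config.splitlines():
        if m := re.match(r"access-list (\d+) (?:permit|deny)\s+(.*)$", line):
            s = stats.setdefault(m.group(1), {"aces": 0, "logged": 0})
            s["aces"] += 1
            s["logged"] += m.group(2).split()[-1] == "log"
    return stats

def weak_settings(config):
    """Management-plane lines worth hardening: default SNMP community, cleartext HTTP."""
    return [l for l in config.splitlines()
            if re.match(r"snmp-server community (public|private)\b", l) or l == "ip http server"]
```

Run over the full posted config, it shows F0/0 carrying ACL 104, CBAC inspection and the IPS rule together, which is the set of features the thread goes on to disable one at a time.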
8 Comments
 
Assisted Solution

by:harbor235
harbor235 earned 500 total points
ID: 22812891


You have CBAC running, that's a good thing, but how are you checking your performance? Does it check out
with your implemented security policy?

Disable CBAC and see if it makes a difference

harbor235 ;}
Author Comment

by:adamshields
ID: 22813657
I tried just disabling the CBAC on the interface and then globally, but internet access doesn't work after it's disabled. Is CBAC dependent upon some of the ACLs?

I'm testing the performance by having clients download a file from a dedicated server that does not receive any traffic since it's not in production.
Assisted Solution

by:harbor235
harbor235 earned 500 total points
ID: 22813707

CBAC is an IOS firewall: all traffic is denied unless explicitly allowed by the ACLs. What protocol are you using to download files? FTP, HTTP?

harbor235 ;}
Author Comment

by:adamshields
ID: 22813919
Okay, I see that. HTTP and SCP, and I tried another server in a geographically different area, which confirms my original results.

I was able to remove ip access-group 104 in and no ip inspect SDM_LOW out, and the results are still the same. Any other ideas or tests?
Assisted Solution

by:harbor235
harbor235 earned 500 total points
ID: 22814390


So now the question is, are you sure it worked at all? Where is the server that you are testing located:
inside or outside? If inside, VLAN 2 or VLAN 3? You have several ACLs to deal with.

harbor235 ;}
Author Comment

by:adamshields
ID: 22814743
The clients I test are on vlan2 and vlan3, 2.0 and 3.0 respectively. The servers that I'm testing from are on very fast backbones outside the network.
Accepted Solution

by:harbor235
harbor235 earned 500 total points
ID: 22815252


ok, but my question remains: are you sure it worked at all? I say that because, with the complex setup you have with multiple ACLs, CBAC and IDS/IDP, the traffic could be blocked.

Let's start with case 1:

what is the protocol used to test?
what is the source network?
what is the destination network? (if you need to keep this private, that's ok)

However, we need whatever pertinent information we can gather to troubleshoot.

harbor235 ;}
Author Comment

by:adamshields
ID: 22819001
I was going to wait before I posted this to confirm the new findings, but the bandwidth has improved significantly. Thank you for your time in helping to resolve this issue! I am still rewarding points due to the effort put forth...