Solved

Cisco 3725 not performing well with Comcast

Posted on 2008-10-27
Last Modified: 2013-12-14
I recently moved to an area with faster internet access than I
previously had. I am able to connect directly to the cable modem
(Comcast) and download starting at 2.0mb/s, trickling down to
about 1.4mb/s from my dedicated host. When I put my Cisco 3725
router in the mix, the performance is very poor. It may burst
for a second or two but downloads at about 100kb/s, and I've repeated
these results on a Vista box and an Apple notebook. Here's my config
from my router.

Any tips on why I'm having such poor performance with my router would
be greatly appreciated. I have tried disabling the built-in IDS but that
didn't seem to make a difference.

Internet -> F0/0 router F1/1.2 -> host 172.16.2.X
!
! Last configuration change at 00:20:30 EST Mon Oct 27 2008 by rsreese
! NVRAM config last updated at 00:22:28 EST Mon Oct 27 2008 by rsreese
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot system flash:/c3725-adventerprisek9-mz.124-21.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console informational
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate slot 1
network-clock-participate slot 2
no ip source-route
!
ip traffic-export profile IDS-SNORT
  interface FastEthernet0/0
  bidirectional
  mac-address 000c.2989.f93a
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
!
ip dhcp pool VLAN2clients
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   option 66 ip 172.16.2.10
   option 150 ip 172.16.2.10
   dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip dhcp pool VLAN3clients
   network 172.16.3.0 255.255.255.0
   default-router 172.16.3.1
   dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-995375956
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-995375956
 revocation-check none
 rsakeypair TP-self-signed-995375956
!
!
crypto pki certificate chain TP-self-signed-995375956
 certificate self-signed 01
  quit
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
  quit
username rsreese privilege 15 secret 5
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key address 10.0.0.2 no-xauth
crypto isakmp key address 74.245.61.45 no-xauth
!
crypto isakmp client configuration group VPN-Users
 key
 dns 68.87.74.162 68.87.68.162
 domain neocipher.net
 pool VPN_POOL
 acl 115
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
 set peer 10.0.0.2
 set peer 74.245.61.45
 set transform-set ESP-3DES-SHA
 match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 ip virtual-reassembly
!
interface Tunnel0
 description HE.net
 no ip address
 ipv6 address 2001:470:1F06:3B6::2/64
 ipv6 enable
 tunnel source 68.156.61.58
 tunnel destination 209.51.161.14
 tunnel mode ipv6ip
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip access-group 104 in
 no ip unreachables
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map CLIENTMAP
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 10.0.0.1 255.255.240.0
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip unreachables
 ip inspect SDM_LOW out
 ip virtual-reassembly
 clock rate 2000000
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 no ip address
 no ip unreachables
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:1F07:3B6::/64 eui-64
 ipv6 enable
 crypto map CLIENTMAP
!
interface FastEthernet0/1.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip access-group 102 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
 no ip address
 no ip unreachables
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Loopback0
 ip access-group 103 in
 no ip unreachables
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   tcp any any range 1 chargen log
access-list 101 deny   tcp any any eq whois log
access-list 101 deny   tcp any any eq 93 log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any range exec 518 log
access-list 101 deny   tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny   ip host 255.255.255.255 any log
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 172.16.2.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.0.15.255 any
access-list 103 deny   ip 172.16.3.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   icmp any any echo log
access-list 104 deny   icmp any any mask-request log
access-list 104 deny   icmp any any redirect log
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny   ip host 255.255.255.255 any log
access-list 104 deny   tcp any any range 6000 6063 log
access-list 104 deny   tcp any any eq 6667 log
access-list 104 deny   tcp any any range 12345 12346 log
access-list 104 deny   tcp any any eq 31337 log
access-list 104 deny   udp any any eq 2049 log
access-list 104 deny   udp any any eq 31337 log
access-list 104 deny   udp any any range 33400 34400 log
access-list 104 deny   ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny   ip 172.16.2.0 0.0.0.255 any
access-list 105 deny   ip 192.168.0.0 0.0.0.255 any
access-list 105 deny   ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7
 transport input ssh
line vty 5 903
 transport input ssh
!
ntp clock-period 17180660
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end

Question by:adamshields
8 Comments

Assisted Solution by: harbor235 (earned 500 total points)
ID: 22812891

You have CBAC running, that's a good thing, but how are you checking your performance? Does it check out
with your implemented security policy?

Disable CBAC and see if it makes a difference.

harbor235 ;}

Author Comment by: adamshields
ID: 22813657
I tried just disabling the CBAC on the interface and then globally, but internet access doesn't work after it's disabled. Is CBAC dependent upon some of the ACLs?

I'm testing the performance by having clients download a file from a dedicated server that does not receive any traffic since it's not in production.

Assisted Solution by: harbor235 (earned 500 total points)
ID: 22813707

CBAC is an IOS firewall, all traffic is denied unless explicitly allowed by the ACLs. What protocol are you using to download files?  FTP, HTTP?

harbor235 ;}

Author Comment by: adamshields
ID: 22813919
Okay, I see that. HTTP and SCP, and I tried another server in a geographically different area, which confirms my original results.

I was able to remove ip access-group 104 in and no ip inspect SDM_LOW out and the results are still the same. Any other ideas or tests?

Assisted Solution by: harbor235 (earned 500 total points)
ID: 22814390

So now the question is, are you sure it worked at all? Where is the server that you are testing located:
inside or outside? If inside, vlan 2 or vlan 3? You have several ACLs to deal with.

harbor235 ;}

Author Comment by: adamshields
ID: 22814743
The clients I test are on vlan2 and vlan3 2.0 and 3.0 accordingly. The servers that I'm testing from are on very fast backbones outside the network.

Accepted Solution by: harbor235 (earned 500 total points)
ID: 22815252

OK, but my question remains: are you sure it worked at all? I say that because of the complex setup you have with multiple ACLs and CBAC and IDS/IDP, the traffic could be blocked.

Let's start with case 1:

what is the protocol used to test?
what is the source network?
what is the destination network? (if you need to keep this private that's OK)

However, we need whatever pertinent information we can gather to troubleshoot.

harbor235 ;}

Author Comment by: adamshields
ID: 22819001
I was going to wait before I posted this to confirm the new findings, but the bandwidth has improved significantly. Thank you for your time in helping to resolve this issue! I am still rewarding points due to the effort put forth...