Hello,
I have a bit of an annoying problem with a Cisco 877 that I cannot seem to get to the bottom of. Last week I changed the config of the ACL on my Cisco 877 to try and improve security, as the previouse ACL on there, that someone else created, was very lax. The next day however, a new problem started to occure. After a few hours, web browsing slows down to the point where most pages stop loading. Other services, such as smtp still seem to work ok though over the same link. If I then do a reload on the router, everything works perfectly again for a few hours, and then the problem returns. My ISP is Demon Internet, the line is ADSL, and I have posted the 2 ACLS below. The first one is the config that was running, and the second is the one that is running now. ACL 100 is applied on Interface Dialer0 IN.
Old ACL
access-list 100 permit tcp any any eq 443
access-list 100 permit ip any host xxx.xxx.xxx.xxx (public IP removed)
access-list 100 permit icmp any any administratively-prohibite
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit udp any eq bootps any eq bootps
access-list 100 permit udp any eq domain any
access-list 100 permit esp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 139
access-list 100 permit udp any any eq netbios-ns
access-list 100 permit udp any any eq netbios-dgm
access-list 100 permit gre any any
access-list 100 deny ip any any
New ACL
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any eq domain any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 deny ip any any
Can anyone tell me if they think this problem is related to this ACL config, is a router fault or an ISP issue.
Any help much appreciated.
Robert
I have a bit of an annoying problem with a Cisco 877 that I cannot seem to get to the bottom of. Last week I changed the config of the ACL on my Cisco 877 to try and improve security, as the previouse ACL on there, that someone else created, was very lax. The next day however, a new problem started to occure. After a few hours, web browsing slows down to the point where most pages stop loading. Other services, such as smtp still seem to work ok though over the same link. If I then do a reload on the router, everything works perfectly again for a few hours, and then the problem returns. My ISP is Demon Internet, the line is ADSL, and I have posted the 2 ACLS below. The first one is the config that was running, and the second is the one that is running now. ACL 100 is applied on Interface Dialer0 IN.
Old ACL
access-list 100 permit tcp any any eq 443
access-list 100 permit ip any host xxx.xxx.xxx.xxx (public IP removed)
access-list 100 permit icmp any any administratively-prohibite
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit udp any eq bootps any eq bootps
access-list 100 permit udp any eq domain any
access-list 100 permit esp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 139
access-list 100 permit udp any any eq netbios-ns
access-list 100 permit udp any any eq netbios-dgm
access-list 100 permit gre any any
access-list 100 deny ip any any
New ACL
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any eq domain any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 deny ip any any
Can anyone tell me if they think this problem is related to this ACL config, is a router fault or an ISP issue.
Any help much appreciated.
Robert
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.