Velocity Reviews

Cisco forum thread: Poor FTP performance with 837 (http://www.velocityreviews.com/forums/t373982-poor-ftp-performance-with-837-a.html)

John Rennie 10-01-2006 07:01 AM

Poor FTP performance with 837
 
I've found that using FTP to a server behind a Cisco 837 gives poor
performance. The server is published using static NAT:

ip nat inside source static 192.168.168.14 123.123.123.82

with an ACL that includes:

no access-list 111
access-list 111 remark Incoming access from the Internet
...
access-list 111 permit tcp any host 123.123.123.82 eq 21
...
access-list 111 deny ip any any log

I've attached the full config below.

Using the WinXP command line FTP client to connect to the external address,
123.123.123.82, I only get 16-18KB/sec transfers on both uploads and
downloads. But if I go through the LAN to LAN VPN and connect to the LAN
address, 192.168.168.14, I get 75KB download and about 250KB upload, which
matches the ADSLMax line speed of 3Mbps/800Kbps.

My guess is that the VPN bypasses the firewall, and it's the firewall that is
responsible for the poor performance. Is there a way round this? I know the
837 is entry level in Cisco standards, but even a Draytek 2800 at half the
price can do FTP at full speed. Incidentally I've tested this at two of our
remote offices and I get the slow FTP problem at both, so it's not just a duff
router. Also HTTP downloads from the same server through the same 837 run at
the expected 75KB/sec so the problem seems restricted to FTP, possibly because
the FTP requires secondary connections so it's more work for the firewall?

Anyhow, thanks for any help.

John Rennie

----8<----

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096
enable secret <password>
!
username admin secret 5 <password>
no aaa new-model
ip subnet-zero
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
! PPTP dialins
! ============
!
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
exit
exit
!
interface Virtual-Template1
ip unnumbered Ethernet0
peer default ip address pool default
ppp encrypt mppe auto
ppp authentication ms-chap chap pap
!
ip local pool default 192.168.168.224 192.168.168.239
!
! VPNs
! ====
!
crypto isakmp policy 1
encryption des
hash sha
authentication pre-share
group 1
lifetime 28800
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
! JR
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 111.111.111.214
set transform-set tr-des-sha
match address 120
crypto isakmp key <sharedsecret> address 111.111.111.214
!
no access-list 120
access-list 120 remark Site to Site VPN to John
access-list 120 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 120 deny ip 192.168.168.0 0.0.0.255 any
!
! Matt
crypto map cm-cryptomap 2 ipsec-isakmp
set peer 111.111.112.53
set transform-set tr-des-sha
match address 121
crypto isakmp key <sharedsecret> address 111.111.112.53
!
no access-list 121
access-list 121 remark Site to Site VPN to Matt
access-list 121 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 121 deny ip 192.168.168.0 0.0.0.255 any
!
! Paul
! Use the transform tr-des-md5 because the bloody Vigors won't do SHA1
crypto map cm-cryptomap 3 ipsec-isakmp
set peer 111.111.113.157
set transform-set tr-des-md5
match address 122
crypto isakmp key <sharedsecret> address 111.111.113.157
!
no access-list 122
access-list 122 remark Site to Site VPN to Paul
access-list 122 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 122 deny ip 192.168.255.0 0.0.0.255 any
!
! Use a policy map to prevent NAT through the VPN by routing the VPN
! traffic through the loopback adapter
!
route-map nonat permit 10
match ip address 129
set ip next-hop 1.1.1.2
!
no access-list 129
access-list 129 remark Route VPN traffic through the loopback adapter
access-list 129 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 129 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 129 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
!
! Interfaces
! ==========
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 192.168.168.254 255.255.255.0
ip nat inside
ip route-cache policy
ip policy route-map nonat
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <username>
ppp chap password <password>
ppp pap sent-username <username> password <password>
crypto map cm-cryptomap
no ip route-cache
no ip mroute-cache
hold-queue 224 in
!
! NAT
! ===
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static 192.168.168.14 123.123.123.82
ip nat inside source static 192.168.168.2 123.123.123.83
ip nat inside source static 192.168.168.4 123.123.123.84
!
no access-list 102
access-list 102 remark Addresses to NAT behind router
access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 102 permit ip 192.168.168.0 0.0.0.255 any
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.255.0 255.255.255.0 192.168.168.15
ip http server
no ip http secure-server
!
! Access lists
! ============
!
no access-list 23
access-list 23 remark Allowed to manage the router
access-list 23 permit 192.168.168.0 0.0.0.127
!
no access-list 111
access-list 111 remark Incoming access from the Internet
! ping
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
! VPN
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
! Allow VPN traffic
access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 111 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
! Hawthorn through ISA
access-list 111 permit tcp any host 123.123.123.82 eq 21
access-list 111 permit tcp any host 123.123.123.82 eq 25
access-list 111 permit tcp any host 123.123.123.82 eq 80
access-list 111 permit tcp any host 123.123.123.82 eq 443
access-list 111 permit tcp any host 123.123.123.82 eq 53
access-list 111 permit udp any host 123.123.123.82 eq 53
access-list 111 permit tcp any host 123.123.123.82 eq 6666
! Redwood through ISA
access-list 111 permit tcp any host 123.123.123.83 eq 80
access-list 111 permit tcp any host 123.123.123.83 eq 110
access-list 111 permit tcp any host 123.123.123.83 eq 143
access-list 111 permit tcp any host 123.123.123.83 eq 443
! Conker direct
access-list 111 permit tcp any host 123.123.123.84 eq 69
access-list 111 permit udp any host 123.123.123.84 eq 69
! Allow incoming DNS
access-list 111 permit udp any any eq 53
! Allow incoming NTP
access-list 111 permit udp any any eq 123
! Deny the rest
access-list 111 deny ip any any log
!
dialer-list 1 protocol ip permit
!
! SNMP
! ====
snmp-server community public ro
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
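The post's ACL 111 admits tcp/21 to the published server but nothing else on that address beyond the listed ports, and an FTP data connection uses a port that is only known once the control session negotiates it. The following is an added example, not code from the post or from Cisco IOS: a small first-match evaluator for the extended access-list syntax used in the config (the `any`, `host A` and `A WILDCARD` address forms plus an optional `eq <port>` and `log`), run against an excerpt of the posted ACL 111 and constructed sample packets. Function and class names (`parse_acl`, `evaluate`, `Ace`) and the sample addresses from the documentation ranges are my own.

```python
"""First-match evaluator for the Cisco extended access-list syntax used above.

Added example; it is not code from the post or from Cisco IOS. It handles the
subset `access-list <n> {permit|deny} <proto> <src> <dst> [eq <port>] [log]`
with `any`, `host A` and `A WILDCARD` address forms, which is enough to show
which packets the static ACL 111 on Dialer1 admits on its own and which ones
(such as an FTP data connection to a port chosen at run time) only a dynamic
opening from `ip inspect` could admit.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Excerpt of access-list 111 from the original post (ICMP lines and remarks
# left out because the evaluator only understands ip/tcp/udp/esp/gre).
ACL_111 = """
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 111 permit tcp any host 123.123.123.82 eq 21
access-list 111 permit tcp any host 123.123.123.82 eq 25
access-list 111 permit tcp any host 123.123.123.82 eq 80
access-list 111 permit udp any host 123.123.123.82 eq 53
access-list 111 permit udp any any eq 53
access-list 111 permit udp any any eq 123
access-list 111 deny ip any any log
"""

NAMED_PORTS = {"isakmp": 500, "ftp": 21, "ftp-data": 20, "domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)   # (network, wildcard): every bit is "don't care"


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # ip, tcp, udp, esp, gre, ...
    src: tuple             # (network as int, wildcard mask as int)
    dst: tuple
    dport: Optional[int]   # None when the entry has no "eq" clause
    log: bool


def _addr(tokens):
    """Consume one address specification and return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text, number):
    """Parse the entries of one numbered ACL, in configuration order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        rest = tok[4:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            name = rest[1]
            dport = NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
        aces.append(Ace(tok[2], tok[3], src, dst, dport, "log" in rest))
    return aces


def _match(addr, spec):
    """Cisco wildcard semantics: a set bit in the mask means 'ignore this bit'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def evaluate(aces, proto, src, dst, dport=None):
    """Return the first matching entry; an implicit deny if none matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match(s, ace.src) and _match(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return Ace("deny", "ip", ANY, ANY, None, False)


ACES = parse_acl(ACL_111, 111)

if __name__ == "__main__":
    # Constructed sample packets arriving inbound on Dialer1.
    for pkt in [("tcp", "203.0.113.5", "123.123.123.82", 21),     # FTP control
                ("tcp", "203.0.113.5", "123.123.123.82", 50000),  # passive FTP data
                ("udp", "198.51.100.7", "123.123.123.83", 53)]:
        ace = evaluate(ACES, *pkt)
        print(pkt, "->", ace.action, "(logged)" if ace.log else "")
```

The second sample packet lands on the final `deny ip any any log`, which is exactly what the `ip inspect name myfw ftp` entry exists to avoid: the inspection engine has to add a temporary opening for the negotiated data port, because no static entry can name it in advance. The third sample shows that `permit udp any any eq 53` admits DNS to every published address, not only to 123.123.123.82, which is worth keeping in mind when reading the hits logged by the final deny.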


Dev 10-02-2006 08:00 AM

Re: Poor FTP performance with 837
 
Put one more line in your access-list

access-list 111 permit tcp any host 123.123.123.82 eq 20


It might help you.

~/Dev






John Rennie 10-02-2006 04:54 PM

Re: Poor FTP performance with 837
 
Thanks Dev.

Some minor and apparently unrelated changes and one reload later and the
problem seems to have disappeared. I now wait and see if it recurs I suppose!

JR


On 2 Oct 2006 01:00:49 -0700, "Dev" <ovimani@hotmail.com> wrote:

>Put one more line in your access-list
>
>access-list 111 permit tcp any host 123.123.123.82 eq 20
>
>
>It might help you.
>
>~/Dev


Bod43@hotmail.co.uk 10-02-2006 05:39 PM

Re: Poor FTP performance with 837
 


> >Put one more line in your access-list
> >
> >access-list 111 permit tcp any host 123.123.123.82 eq 20

This is not necessary with
> >> ip inspect name myfw ftp timeout 3600


As the inspect system notices the port that ftp
requests for its data transfer.

Or at least it should.

You can check what inspect thinks is happening with
sh ip ins sess

You should see the ftp control and data sessions there.

I have seen a problem with 837 not handling more than
1 packet as the first data transfer of a new TCP session.
This prevented for example successful use of Hotmail. When
you logged in to hotmail a new session got opened and say
2k of data was sent. The second packet was dropped, I guess since the
inspect system was still getting going.

Turning off fast switching or upgrading the software fixed it.

I would also make sure that I was not getting buffer failures.

sh buff
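The point above, that the inspect engine "notices the port that ftp requests for its data transfer", is what distinguishes FTP from HTTP for a stateful firewall. The following is an added example, not code from the thread or from Cisco IOS: it parses the two ways FTP negotiates a data connection (the client's `PORT` command and the server's `227 Entering Passive Mode` reply) and turns each into the temporary entry an inspector would create for the transfer, together with the sanity checks any inspector should apply before opening a hole. The `nat` argument is a simplified stand-in for the application-layer gateway that rewrites the payload address of a statically NATed server; the names (`data_channel`, `DataChannel`, `InspectError`) and the sample control session are my own.

```python
"""Derive the FTP data channel that a stateful inspector has to open.

Added example, not code from the thread or from Cisco IOS: it parses the two
ways FTP negotiates a data connection (the client's PORT command and the
server's "227 Entering Passive Mode" reply) and turns each into the temporary
(proto, src, dst, dport) entry a firewall such as CBAC would create for the
transfer. The sanity checks are the ones any inspector should apply before
punching a hole: the advertised address must belong to the control-connection
peer and the port must not be privileged. The `nat` argument is a simplified
stand-in for the FTP ALG that rewrites the payload address of a statically
NATed server.
"""
import re
from dataclasses import dataclass
from typing import Optional

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class InspectError(ValueError):
    """Raised when a negotiation must not result in a firewall opening."""


@dataclass(frozen=True)
class DataChannel:
    proto: str            # always "tcp" for FTP
    src: str              # endpoint that will initiate the data connection
    sport: Optional[int]  # 20 in active mode; unknown (ephemeral) in passive mode
    dst: str
    dport: int


def _decode(groups):
    """Turn the h1,h2,h3,h4,p1,p2 tuple into ("h1.h2.h3.h4", p1*256+p2)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise InspectError("octet out of range in PORT/PASV")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel(ctrl_client, ctrl_server, line, nat=None):
    """Return the DataChannel implied by one control-channel line, or None.

    ctrl_client / ctrl_server are the addresses of the control connection
    as the firewall sees them; nat maps inside addresses to their static
    outside address (constructed stand-in for the NAT ALG).
    """
    nat = nat or {}
    m = PORT_RE.match(line)
    if m:
        addr, port = _decode(m.groups())
        addr = nat.get(addr, addr)
        # Active mode: the server will connect from tcp/20 to the client's
        # advertised socket. Refuse a third-party address or a privileged port.
        if addr != ctrl_client:
            raise InspectError("PORT address is not the control-connection client")
        if port < 1024:
            raise InspectError("PORT to a privileged port refused")
        return DataChannel("tcp", ctrl_server, 20, addr, port)
    m = PASV_RE.match(line)
    if m:
        addr, port = _decode(m.groups())
        addr = nat.get(addr, addr)
        # Passive mode: the client will connect to the server's advertised socket.
        if addr != ctrl_server:
            raise InspectError("PASV address is not the control-connection server")
        if port < 1024:
            raise InspectError("PASV to a privileged port refused")
        return DataChannel("tcp", ctrl_client, None, addr, port)
    return None  # any other command or reply opens nothing


if __name__ == "__main__":
    # Constructed control session: Internet client 203.0.113.5 talking to the
    # thread's published server 123.123.123.82 (inside address 192.168.168.14).
    NAT = {"192.168.168.14": "123.123.123.82"}
    for text in ["PORT 203,0,113,5,4,1",
                 "227 Entering Passive Mode (192,168,168,14,195,80)",
                 "RETR file.bin"]:
        print(text, "->", data_channel("203.0.113.5", "123.123.123.82", text, NAT))
```

The passive-mode sample shows why NAT and inspection have to cooperate: the server behind the static NAT advertises 192.168.168.14 in its 227 reply, and unless that payload is translated the advertised address does not match the control-connection peer and the entry is refused rather than opened. Which control sessions the inspector sees at all depends on where it is applied; `ip inspect myfw out` on Dialer1 examines sessions leaving that interface and opens the return path for them. The `sh ip ins sess` output mentioned above is the place to confirm that both the control session and the derived data session actually appear.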


