Velocity Reviews - Computer Hardware Reviews

Cisco 3725 not performing well with Comcast?

 
 
Stephen Reese
      10-27-2008
I recently moved to an area with faster internet access than I
previously had. I am able to connect directly to the cable modem
(Comcast) and download starting at 2.0mb/s and it trickles down to
about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
router in the mix the performance is very poor. It may burst
for a second or two but downloads about 100kb/s and I've repeated
these results on a Vista box and an Apple notebook. Here's my Config
from my router.

Any tips on why I'm having such poor performance with my router would
be greatly appreciated. I have tried disabling the built-in IDS but that
didn't seem to make a difference.

Internet -> F0/0 router F1/1.2 -> host 172.16.2.X


!
! Last configuration change at 00:20:30 EST Mon Oct 27 2008 by rsreese
! NVRAM config last updated at 00:22:28 EST Mon Oct 27 2008 by rsreese
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot system flash:/c3725-adventerprisek9-mz.124-21.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console informational
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate slot 1
network-clock-participate slot 2
no ip source-route
!
ip traffic-export profile IDS-SNORT
interface FastEthernet0/0
bidirectional
mac-address 000c.2989.f93a
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
!
ip dhcp pool VLAN2clients
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
option 66 ip 172.16.2.10
option 150 ip 172.16.2.10
dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip dhcp pool VLAN3clients
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-995375956
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-995375956
revocation-check none
rsakeypair TP-self-signed-995375956
!
!
crypto pki certificate chain TP-self-signed-995375956
certificate self-signed 01

quit
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
quit
username rsreese privilege 15 secret 5
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key address 10.0.0.2 no-xauth
crypto isakmp key address 74.245.61.45 no-xauth
!
crypto isakmp client configuration group VPN-Users
key
dns 68.87.74.162 68.87.68.162
domain neocipher.net
pool VPN_POOL
acl 115
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
match identity group VPN-Users
client authentication list default
isakmp authorization list default
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
set peer 10.0.0.2
set peer 74.245.61.45
set transform-set ESP-3DES-SHA
match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
no ip unreachables
ip virtual-reassembly
!
interface Tunnel0
description HE.net
no ip address
ipv6 address 2001:470:1F06:3B6::2/64
ipv6 enable
tunnel source 68.156.61.58
tunnel destination 209.51.161.14
tunnel mode ipv6ip
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/0 hostname 3725router
ip access-group 104 in
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
speed 100
full-duplex
crypto map CLIENTMAP
!
interface Serial0/0
description $FW_OUTSIDE$
ip address 10.0.0.1 255.255.240.0
ip access-group 105 in
ip verify unicast reverse-path
no ip unreachables
ip inspect SDM_LOW out
ip virtual-reassembly
clock rate 2000000
crypto map CLIENTMAP
!
interface FastEthernet0/1
no ip address
no ip unreachables
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F07:3B6::/64 eui-64
ipv6 enable
crypto map CLIENTMAP
!
interface FastEthernet0/1.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 172.16.3.1 255.255.255.0
ip access-group 102 in
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
no ip address
no ip unreachables
shutdown
clock rate 2000000
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered Loopback0
ip access-group 103 in
no ip unreachables
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny icmp any any echo log
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7
transport input ssh
line vty 5 903
transport input ssh
!
ntp clock-period 17180660
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end
 
Doug McIntyre
      10-27-2008
Stephen Reese <(E-Mail Removed)> writes:
>I recently moved to an area with faster internet access than I
>previously had. I am able to connect directly to the cable modem
>(Comcast) and download starting at 2.0mb/s and it trickles down to
>about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
>router in the mix the performance is very poor. It may burst
>for a second or two but downloads about 100kb/s and I've repeated
>these results on a Vista box and an Apple notebook. Here's my Config
>from my router.

>Any tips on why I'm having such poor performance with my router would
>be greatly appreciated. I have tried disabling the built-in IDS but that
>didn't seem to make a difference.


I wouldn't expect the IDS/FW/NAT on this box to slow down things that
much, this router can route a few times faster than what Comcast can
deliver.

I don't expect any specific config items to be an issue, but more
physical layer things.

Check your interface for duplex (i.e. show int faste ...). Is it
consistent with what you think? Are any errors showing up in the
collisions or late collisions fields?

I suspect you have a duplex mismatch with your cable box and the
router, and these sorts of things show up in that sort of error detection.

 
Scooby
      10-27-2008
"Stephen Reese" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I recently moved to an area with faster internet access than I
> previously had. I am able to connect directly to the cable modem
> (Comcast) and download starting at 2.0mb/s and it trickles down to
> about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
> router in the mix the performance is very poor. It may burst
> for a second or two but downloads about 100kb/s and I've repeated
> these results on a Vista box and an Apple notebook. Here's my Config
> from my router.
>
> Any tips on why I'm having such poor performance with my router would
> be greatly appreciated. I have tried disabling the built-in IDS but that
> didn't seem to make a difference.
>
> Internet -> F0/0 router F1/1.2 -> host 172.16.2.X
>
>



Hmmmm, running vpn, firewall, ids, nat, serial interface, access lists,
ipv6, dot1q subinterface routing....

I would suspect a cpu issue here. Try checking memory and cpu when you are
experiencing the slowdown. Also, check your log for any anomalies that
might be happening. My guess is that the vpn is probably taking up a good
part of it, depending on the amount of traffic coming through. Might want
to try turning that off for a test. vpn would be better in a box that was
made for it (encryption done in hardware).

In short, you have a lot happening for this device. You should break off
certain functions into other devices (vpn, serial interface, intervlan
routing) which could help relieve some of the cpu. Or perhaps upgrade. I
would still offload the vpn even if you do upgrade.

Also, I really have an aversion to having a main routing device on my
network be the same router that is connected to the internet.

Just some food for thought.

Jim


 
Thrill5
      10-27-2008
Simple.... Your FastEthernet interface is configured for full-duplex, and
your cable modem is definitely set for auto/auto. This causes a duplex
mismatch because auto-detection only works when both sides are set to auto.
If you set duplex on one side, you must set duplex on the other. When one
side is set to auto, and the other side is set to full-duplex (as is your
case here), the full-duplex side (your router) sets its interface to
full-duplex and turns off auto-detection. The auto side (your cable modem)
is still set to auto-detection, and when the link comes up the full-duplex
side (your router) does not reply to the auto-detection phase. The auto
side (your cable modem) then assumes that the other side does not support
auto-detection and falls back to half-duplex.

Remove the "full-duplex" command from the interface and all will be good.




"Stephen Reese" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I recently moved to an area with faster internet access than I
> previously had. I am able to connect directly to the cable modem
> (Comcast) and download starting at 2.0mb/s and it trickles down to
> about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
> router in the mix the performance is very poor. It may burst
> for a second or two but downloads about 100kb/s and I've repeated
> these results on a Vista box and an Apple notebook. Here's my Config
> from my router.
>
> Any tips on why I'm having such poor performance with my router would
> be greatly appreciated. I have tried disabling the built-in IDS but that
> didn't seem to make a difference.
>
> Internet -> F0/0 router F1/1.2 -> host 172.16.2.X
>
>
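The duplex fallback described in the last reply, together with the interface check suggested in the first one, as an added example (not code from any poster in the thread). The sample config and `show interfaces` text are constructed excerpts, the function names are hypothetical, and the model assumes a port without a duplex command negotiates and that two negotiating ports settle on full duplex.

```python
import re

# Constructed excerpt of the two physical Ethernet ports in the posted config.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
!
"""

# Constructed `show interfaces` excerpt; the counter values are made up.
SAMPLE_SHOW = """\
FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     1843 input errors, 1790 CRC, 53 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

IFACE_RE = re.compile(r"^interface\s+(\S*Ethernet[\d/]+)$")
# Both spellings occur in IOS configs: `duplex full` and the older `full-duplex`.
DUPLEX_RE = re.compile(r"^(?:duplex\s+(auto|full|half)|(full|half)-duplex)$")
COUNTERS = ("input errors", "CRC", "collisions", "late collision")


def parse_duplex(config):
    """Return {physical Ethernet interface: configured duplex}.

    Subinterfaces are skipped (duplex belongs to the physical port); a port
    with no duplex command is reported as 'auto' (assumption).
    """
    settings, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            m = IFACE_RE.match(line)
            current = m.group(1) if m else None
            if current:
                settings[current] = "auto"
            continue
        d = DUPLEX_RE.match(line)
        if current and d:
            settings[current] = d.group(1) or d.group(2)
    return settings


def negotiated(local, peer):
    """Operational duplex of (local, peer) under the fallback described above.

    A forced side keeps its setting and does not answer negotiation; an auto
    side that gets no answer falls back to half duplex.
    """
    if local == "auto" and peer == "auto":
        return "full", "full"
    return (local if local != "auto" else "half",
            peer if peer != "auto" else "half")


def audit(config, peer="auto"):
    """List (interface, local duplex, peer duplex) for links that end up mismatched."""
    findings = []
    for ifname, duplex in sorted(parse_duplex(config).items()):
        local_op, peer_op = negotiated(duplex, peer)
        if local_op != peer_op:
            findings.append((ifname, local_op, peer_op))
    return findings


def error_counters(show_output):
    """Extract the counters worth reading when a duplex mismatch is suspected."""
    found = {}
    for name in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", show_output)
        found[name] = int(m.group(1)) if m else 0
    return found


def rising_counters(show_output):
    """Names of non-zero counters. The full-duplex side of a mismatch usually
    shows CRC/input errors; the half-duplex side shows (late) collisions."""
    return [n for n, v in error_counters(show_output).items() if v > 0]


if __name__ == "__main__":
    for ifname, local_op, peer_op in audit(SAMPLE_CONFIG):
        print(f"{ifname}: local {local_op}, auto peer falls back to {peer_op}")
    print("non-zero counters:", rising_counters(SAMPLE_SHOW))
```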
 
 
 