Cisco 3725 not performing well with Comcast?

Discussion in 'Cisco' started by Stephen Reese, Oct 27, 2008.

  1. I recently moved to an area with faster internet access than I
    previously had. I am able to connect directly to the cable modem
    (comcast) and download starting at 2.0mb/s and it trickles down to
    about 1.4mb/s from my dedicated host. When I put my Cisco 3725
    router in the mix, the performance is very poor. It may burst
    for a second or two but then downloads at about 100kb/s, and I've repeated
    these results on a Vista box and an Apple notebook. Here's the config
    from my router.

    Any tips on why I'm having such poor performance with my router would
    be greatly appreciated. I have tried disabling the built-in IDS but that
    didn't seem to make a difference.

    Internet -> F0/0 router F1/1.2 -> host 172.16.2.X


    !
    ! Last configuration change at 00:20:30 EST Mon Oct 27 2008 by rsreese
    ! NVRAM config last updated at 00:22:28 EST Mon Oct 27 2008 by rsreese
    !
    ! Lines beginning "! NOTE(review)" are reviewer annotations; the other "!"
    ! lines are IOS separators as posted. The poster redacted all secrets
    ! (lines ending in "secret 5", "password 7", "key", "key-string" and the
    ! two "crypto isakmp key address" lines).
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime
    ! NOTE(review): type-7 "encryption" is reversible obfuscation, not a hash;
    ! it only protects the vty "password 7" line near the end against casual
    ! reading of the config.
    service password-encryption
    !
    hostname 3725router
    !
    boot-start-marker
    boot system flash:/c3725-adventerprisek9-mz.124-21.bin
    boot-end-marker
    !
    ! Local log buffer at debug level; console limited to informational.
    logging buffered 8192 debugging
    logging console informational
    ! Type-5 (salted MD5) enable secret; value redacted by the poster.
    enable secret 5
    !
    ! AAA: login, PPP, exec and network authorization all use the local user
    ! database, so the vty "password 7" line is not what gates remote access.
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    aaa session-id common
    clock timezone EST -5
    ! NOTE(review): this looks like a one-off DST rule pinned to 2003 dates.
    ! The header timestamps for 27 Oct 2008 are shown as EST, i.e. no DST was
    ! applied, which matters when correlating this box's logs with others.
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    network-clock-participate slot 1
    network-clock-participate slot 2
    ! Drops packets carrying IP source-route options (anti-spoof hygiene).
    no ip source-route
    !
    ! NOTE(review): the traffic-export profile names FastEthernet0/0 -- the
    ! WAN interface -- as its export interface, so copies of exported packets
    ! would leave towards the cable segment addressed to the MAC below. No
    ! "ip traffic-export apply IDS-SNORT" appears on any interface in this
    ! listing, so the profile appears defined but inactive.
    ip traffic-export profile IDS-SNORT
    interface FastEthernet0/0
    bidirectional
    mac-address 000c.2989.f93a
    ip cef
    !
    !
    ! DHCP pools for the two inside VLANs. Options 66/150 point VLAN2 clients
    ! at a TFTP/boot server at 172.16.2.10 (ACL 105 also admits TFTP to that
    ! host from 10.0.0.2). Resolvers are the Comcast servers 68.87.x.x.
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.2.1
    ip dhcp excluded-address 172.16.3.1
    !
    ip dhcp pool VLAN2clients
    network 172.16.2.0 255.255.255.0
    default-router 172.16.2.1
    option 66 ip 172.16.2.10
    option 150 ip 172.16.2.10
    dns-server 68.87.74.162 68.87.68.162 68.87.73.242
    !
    ip dhcp pool VLAN3clients
    network 172.16.3.0 255.255.255.0
    default-router 172.16.3.1
    dns-server 68.87.74.162 68.87.68.162 68.87.73.242
    !
    !
    ip domain name neocipher.net
    ip name-server 68.87.74.162
    ip name-server 68.87.68.162
    ! CBAC stateful inspection list (SDM-generated). It is applied "out" on the
    ! WAN and serial interfaces so that return traffic for these protocols is
    ! admitted through the inbound ACLs 104/105.
    ip inspect udp idle-time 900
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW esmtp
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ! IOS IPS using the 256MB signature file on flash, applied inbound on
    ! FastEthernet0/0. The poster reports disabling it made no difference.
    ip ips sdf location flash://256MB.sdf
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    ! vpdn is enabled but no vpdn-group appears in this listing.
    vpdn enable
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! Self-signed trustpoint, presumably auto-generated for the HTTPS (SDM)
    ! server; the certificate body was stripped from the post.
    crypto pki trustpoint TP-self-signed-995375956
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-995375956
    revocation-check none
    rsakeypair TP-self-signed-995375956
    !
    !
    crypto pki certificate chain TP-self-signed-995375956
    certificate self-signed 01

    quit
    !
    ! Cisco's public key (realm-cisco.pub), presumably used to verify signed
    ! IPS signature files; key-string redacted.
    crypto key pubkey-chain rsa
    named-key realm-cisco.pub signature
    key-string
    quit
    ! Single privilege-15 local account (type-5 hash redacted).
    username rsreese privilege 15 secret 5
    !
    !
    ! NOTE(review): no "ip ssh version 2" is shown; with IOS 12.4 defaults the
    ! SSH server runs in 1.99 compatibility mode and also accepts SSHv1.
    ip ssh authentication-retries 2
    !
    !
    ! IKE policy 3: 3DES, pre-shared keys, DH group 2; no hash given, so the
    ! IOS default (SHA-1) applies.
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    ! NOTE(review): policy 10 sets only MD5 and pre-share; encryption and DH
    ! group fall back to the IOS defaults (DES, group 1). It is the weaker of
    ! the two proposals and is accepted whenever a peer offers it.
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    ! Pre-shared keys for the two static site-to-site peers (keys redacted);
    ! no-xauth so these peers are not prompted for user credentials.
    crypto isakmp key address 10.0.0.2 no-xauth
    crypto isakmp key address 74.245.61.45 no-xauth
    !
    ! Remote-access group: addresses from VPN_POOL, split tunnel per ACL 115,
    ! local-LAN access allowed to clients; group key redacted.
    crypto isakmp client configuration group VPN-Users
    key
    dns 68.87.74.162 68.87.68.162
    domain neocipher.net
    pool VPN_POOL
    acl 115
    include-local-lan
    netmask 255.255.255.0
    ! IKE profile binding the VPN-Users group to Virtual-Template1; user
    ! authentication/authorization via the default (local) AAA lists.
    crypto isakmp profile IKE-PROFILE
    match identity group VPN-Users
    client authentication list default
    isakmp authorization list default
    client configuration address initiate
    client configuration address respond
    virtual-template 1
    !
    !
    ! ESP-3DES-SHA in transport mode; used by the crypto map, the dynamic map
    ! and the tunnel-protection profile below.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode transport
    !
    crypto ipsec profile IPSEC_PROFILE1
    set transform-set ESP-3DES-SHA
    set isakmp-profile IKE-PROFILE
    !
    !
    crypto dynamic-map DYNMAP 10
    set transform-set ESP-3DES-SHA
    !
    !
    ! Crypto map: static entry 1 for the two site-to-site peers (interesting
    ! traffic per ACL 100) plus dynamic entry 10 for remote-access clients.
    ! Applied on FastEthernet0/0, Serial0/0 and -- unusually -- the inside
    ! subinterface FastEthernet0/1.2.
    crypto map CLIENTMAP client authentication list default
    crypto map CLIENTMAP isakmp authorization list default
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 1 ipsec-isakmp
    set peer 10.0.0.2
    set peer 74.245.61.45
    set transform-set ESP-3DES-SHA
    match address 100
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    !
    !
    !
    !
    ! Loopback0 supplies the address for the VPN virtual-template; VPN_POOL is
    ! carved from the same 192.168.0.0/24.
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    no ip unreachables
    ip virtual-reassembly
    !
    ! IPv6-in-IPv4 tunnel to HE.net. The tunnel source is a hard-coded public
    ! address while FastEthernet0/0 is addressed by DHCP; it would need updating
    ! if the lease changes.
    interface Tunnel0
    description HE.net
    no ip address
    ipv6 address 2001:470:1F06:3B6::2/64
    ipv6 enable
    tunnel source 68.156.61.58
    tunnel destination 209.51.161.14
    tunnel mode ipv6ip
    !
    interface Null0
    no ip unreachables
    !
    ! WAN interface: DHCP address, ACL 104 inbound, NAT outside, CBAC outbound,
    ! IPS inbound, crypto map.
    interface FastEthernet0/0
    description $ETH-WAN$$FW_OUTSIDE$
    ip address dhcp client-id FastEthernet0/0 hostname 3725router
    ip access-group 104 in
    no ip unreachables
    ip nat outside
    ip inspect SDM_LOW out
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    ! NOTE(review): speed and duplex are hard-coded here (the inside
    ! FastEthernet0/1 uses auto/auto). If the cable modem autonegotiates it will
    ! fall back to half-duplex, giving the duplex mismatch suggested in this
    ! thread; check "show interfaces FastEthernet0/0" for late collisions and
    ! input errors before attributing the slowdown to the security features.
    speed 100
    full-duplex
    crypto map CLIENTMAP
    !
    ! Serial link to 10.0.0.2 (the 172.16.10.0/24 site per the static route);
    ! ACL 105 inbound and strict uRPF -- uRPF is enabled on this interface only.
    interface Serial0/0
    description $FW_OUTSIDE$
    ip address 10.0.0.1 255.255.240.0
    ip access-group 105 in
    ip verify unicast reverse-path
    no ip unreachables
    ip inspect SDM_LOW out
    ip virtual-reassembly
    clock rate 2000000
    crypto map CLIENTMAP
    !
    ! Trunk parent for the inside VLANs; auto speed/duplex here.
    interface FastEthernet0/1
    no ip address
    no ip unreachables
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    ! Inside VLAN 2: ACL 101 inbound, NAT inside, native IPv6 prefix. The
    ! crypto map on this inside subinterface is why ACL 101 carries IKE/ESP
    ! permits to 172.16.2.1.
    interface FastEthernet0/1.2
    description $FW_INSIDE$
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip access-group 101 in
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ipv6 address 2001:470:1F07:3B6::/64 eui-64
    ipv6 enable
    crypto map CLIENTMAP
    !
    ! Inside VLAN 3: ACL 102 inbound, NAT inside, IPv4 only.
    interface FastEthernet0/1.3
    description $FW_INSIDE$
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip access-group 102 in
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    !
    ! Subinterface .10 is defined but has no configuration in this listing.
    interface FastEthernet0/1.10
    !
    interface Serial0/1
    no ip address
    no ip unreachables
    shutdown
    clock rate 2000000
    !
    ! Per-client IPsec virtual-access interfaces for the VPN-Users group;
    ! ACL 103 inbound (anti-spoof denies only, then permit any).
    interface Virtual-Template1 type tunnel
    description $FW_INSIDE$
    ip unnumbered Loopback0
    ip access-group 103 in
    no ip unreachables
    ip virtual-reassembly
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile IPSEC_PROFILE1
    !
    ! Six-address pool for remote-access clients; static route to the remote
    ! 172.16.10.0/24 over the serial link.
    ip local pool VPN_POOL 192.168.0.100 192.168.0.105
    ip forward-protocol nd
    ip route 172.16.10.0 255.255.255.0 10.0.0.2
    !
    !
    ! NOTE(review): plaintext "ip http server" is enabled alongside the HTTPS
    ! server, and no "ip http access-class" restricts either. Any inside or VPN
    ! host can reach the HTTP management interface (ACLs 101/102/103 end in
    ! permit ip any any); ACL 104 blocks it from the WAN. Consider
    ! "no ip http server" and an access-class on the secure server.
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ! PAT of both inside VLANs (ACL 1) behind the FastEthernet0/0 DHCP address.
    ip nat translation udp-timeout 900
    ip nat inside source list 1 interface FastEthernet0/0 overload
    !
    ! Remote syslog at debug level to 172.16.2.5 (ACL 105 also admits syslog to
    ! that host from 10.0.0.2).
    logging trap debugging
    logging origin-id hostname
    logging 172.16.2.5
    ! ACL 1: NAT source list.
    access-list 1 permit 172.16.2.0 0.0.0.255
    access-list 1 permit 172.16.3.0 0.0.0.255
    ! ACL 100: interesting traffic for crypto map entry 1. No route for
    ! 172.31.12.0/24 appears in this listing.
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    ! ACL 101 (VLAN 2 ingress): IKE/ESP to the gateway, the remote site,
    ! anti-spoof denies, a short list of legacy/Windows ports blocked outbound
    ! with logging, then permit any.
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ahp any host 172.16.2.1
    access-list 101 permit esp any host 172.16.2.1
    access-list 101 permit udp any host 172.16.2.1 eq isakmp
    access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
    access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny tcp any any range 1 chargen log
    access-list 101 deny tcp any any eq whois log
    access-list 101 deny tcp any any eq 93 log
    access-list 101 deny tcp any any range 135 139 log
    access-list 101 deny tcp any any eq 445 log
    access-list 101 deny tcp any any range exec 518 log
    access-list 101 deny tcp any any eq uucp log
    access-list 101 permit ip any any
    ! ACL 102 (VLAN 3 ingress): anti-spoof denies, then permit any.
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 102 deny ip host 255.255.255.255 any log
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 102 permit ip any any
    ! ACL 103 (VPN client ingress): anti-spoof denies without logging, then
    ! permit any.
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 deny ip 172.16.2.0 0.0.0.255 any
    access-list 103 deny ip 10.0.0.0 0.0.15.255 any
    access-list 103 deny ip 172.16.3.0 0.0.0.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 permit ip any any
    ! ACL 104 (WAN ingress): NTP from the configured server, IPsec control and
    ! data from anywhere (needed for roaming VPN clients), the remote site,
    ! DHCP replies, selected ICMP, RFC1918/loopback/multicast anti-spoof, a few
    ! well-known backdoor/X11/IRC/NFS ports, then deny all with logging.
    ! NOTE(review): the two DNS permits name 205.152.x.x servers, which are not
    ! the configured name-servers (68.87.x.x); replies from the real resolvers
    ! are admitted only through CBAC "dns" inspection.
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit udp host 205.152.132.23 eq domain any
    access-list 104 permit udp host 205.152.144.23 eq domain any
    access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
    access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
    access-list 104 permit ahp any any
    access-list 104 permit esp any any
    access-list 104 permit udp any any eq isakmp
    access-list 104 permit udp any any eq non500-isakmp
    access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
    access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
    access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
    access-list 104 permit udp any eq bootps any eq bootpc
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any unreachable
    access-list 104 deny icmp any any echo log
    access-list 104 deny icmp any any mask-request log
    access-list 104 deny icmp any any redirect log
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
    access-list 104 deny ip host 255.255.255.255 any log
    access-list 104 deny tcp any any range 6000 6063 log
    access-list 104 deny tcp any any eq 6667 log
    access-list 104 deny tcp any any range 12345 12346 log
    access-list 104 deny tcp any any eq 31337 log
    access-list 104 deny udp any any eq 2049 log
    access-list 104 deny udp any any eq 31337 log
    access-list 104 deny udp any any range 33400 34400 log
    access-list 104 deny ip any any log
    ! ACL 105 (Serial0/0 ingress): NTP, IPsec from the single peer 10.0.0.2,
    ! the remote site, TFTP and syslog from the peer to inside hosts, selected
    ! ICMP to the interface address, anti-spoof, then deny all with logging.
    ! (The two wrapped entries are line-wrapping from the post, not config.)
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
    access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq
    ntp
    access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
    access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
    access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
    access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-
    isakmp
    access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
    access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
    access-list 105 deny ip 172.16.2.0 0.0.0.255 any
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    access-list 105 deny ip 172.16.3.0 0.0.0.255 any
    access-list 105 permit icmp any host 10.0.0.1 echo-reply
    access-list 105 permit icmp any host 10.0.0.1 time-exceeded
    access-list 105 permit icmp any host 10.0.0.1 unreachable
    access-list 105 deny ip 10.0.0.0 0.255.255.255 any
    access-list 105 deny ip 172.16.0.0 0.15.255.255 any
    access-list 105 deny ip 192.168.0.0 0.0.255.255 any
    access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    access-list 105 deny ip host 255.255.255.255 any
    access-list 105 deny ip host 0.0.0.0 any
    access-list 105 deny ip any any log
    ! ACL 115: split-tunnel list pushed to VPN-Users (all of 172.16.0.0/16).
    access-list 115 permit ip 172.16.0.0 0.0.255.255 any
    ! ACL 120 is not referenced anywhere in this listing.
    access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    ! NOTE(review): the well-known default community string, read-only, with
    ! no access-list. Every inside VLAN host and every VPN client can poll the
    ! router's full configuration state with it (ACLs 101/102/103 end in
    ! permit ip any any); ACL 104's final deny blocks it from the WAN. Change
    ! the string and restrict it with an ACL, or remove SNMP if unused.
    snmp-server community public RO
    ! IPv6: VLAN 2 prefix via its subinterface, default route over the HE.net
    ! tunnel. No IPv6 access lists appear in this listing.
    ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
    ipv6 route ::/0 Tunnel0
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! Console and AUX rely on the aaa default (local) login.
    ! NOTE(review): "line aux 0" has neither "no exec" nor
    ! "transport input none"; consider disabling exec on it if unused.
    line con 0
    line aux 0
    ! vty access is SSH-only. The type-7 line password (redacted) is not used
    ! for authentication while aaa new-model is in effect.
    line vty 0 4
    password 7
    transport input ssh
    line vty 5 903
    transport input ssh
    !
    ! NTP from NIST (129.6.15.29) sourced from the WAN interface; ACL 104
    ! admits replies from that server only.
    ntp clock-period 17180660
    ntp server 129.6.15.29 source FastEthernet0/0 prefer
    !
    end
    Stephen Reese, Oct 27, 2008

  2. Stephen Reese <> writes:
    >I recently moved to a area with faster internet access then I
    >previously had. I am able to connect directly to the cable modem
    >(comcast) and download starting at 2.0mb/s and it trickles down to
    >about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
    >router in the mix router the performance is very poor. It may burst
    >for a second or two but downloads about 100kb/s and I've repeated
    >these results on a Vista box and a Apple notebook. Here's my Config
    >from my router.


    >Any tips on why I'm having such poor performance with my router would
    >be greatly appreciated. I have tried disabling the built IDS but that
    >didn't seem to make a difference.


    I wouldn't expect the IDS/FW/NAT on this box to slow down things that
    much, this router can route a few times faster than what Comcast can
    deliver.

    I don't expect any specific config items to be an issue, but more
    physical layer things.

    Check your interface for duplex (i.e. show int faste ...). Is it
    consistent with what you think? Are any errors showing up in the
    collisions or late collisions fields?

    I suspect you have a duplex mismatch with your cable box and the
    router, and these sort of things show up in that sort of error detection.
    Doug McIntyre, Oct 27, 2008

  3. Stephen Reese

    Scooby Guest

    "Stephen Reese" <> wrote in message
    news:...
    >I recently moved to a area with faster internet access then I
    > previously had. I am able to connect directly to the cable modem
    > (comcast) and download starting at 2.0mb/s and it trickles down to
    > about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
    > router in the mix router the performance is very poor. It may burst
    > for a second or two but downloads about 100kb/s and I've repeated
    > these results on a Vista box and a Apple notebook. Here's my Config
    > from my router.
    >
    > Any tips on why I'm having such poor performance with my router would
    > be greatly appreciated. I have tried disabling the built IDS but that
    > didn't seem to make a difference.
    >
    > Internet -> F0/0 router F1/1.2 -> host 172.16.2.X
    >
    >



    Hmmmm, running vpn, firewall, ids, nat, serial interface, access lists,
    ipv6, dot1q subinterface routing....

    I would suspect a cpu issue here. Try checking memory and cpu when you are
    experiencing the slowdown. Also, check your log for any anomalies that
    might be happening. My guess is that the vpn is probably taking up a good
    part of it, depending on the amount of traffic coming through. Might want
    to try turning that off for a test. vpn would be better in a box that was
    made for it (encryption done in hardware).

    In short, you have a lot happening for this device. You should break off
    certain functions into other devices (vpn, serial interface, intervlan
    routing) which could help relieve some of the cpu. Or perhaps upgrade. I
    would still offload the vpn even if you do upgrade.

    Also, I really have an aversion to having a main routing device on my
    network be the same router that is connected to the internet.

    Just some food for thought.

    Jim
    Scooby, Oct 27, 2008
  4. Stephen Reese

    Thrill5 Guest

    Simple.... Your FastEthernet interface is configured for full-duplex, and
    your cable modem is definitely set for auto/auto. This causes a duplex
    mismatch because auto-detection only works when both sides are set to auto.
    If you set duplex on one side, you must set duplex on the other. When one
    side is set to auto and the other side is set to full-duplex (as is your
    case here), the full-duplex side (your router) sets its interface to
    full-duplex and turns off auto-detection. The auto side (your cable modem)
    is still set to auto-detection, and when the link comes up the full-duplex
    side (your router) does not reply to the auto-detection phase. The auto
    side (your cable modem) then assumes that the other side does not support
    auto-detection and falls back to half-duplex.

    Remove the "full-duplex" command from the interface and all will be good.




    "Stephen Reese" <> wrote in message
    news:...
    >I recently moved to a area with faster internet access then I
    > previously had. I am able to connect directly to the cable modem
    > (comcast) and download starting at 2.0mb/s and it trickles down to
    > about 1.4mb/s from my dedicated host. When I utilize my Cisco 3725
    > router in the mix router the performance is very poor. It may burst
    > for a second or two but downloads about 100kb/s and I've repeated
    > these results on a Vista box and a Apple notebook. Here's my Config
    > from my router.
    >
    > Any tips on why I'm having such poor performance with my router would
    > be greatly appreciated. I have tried disabling the built IDS but that
    > didn't seem to make a difference.
    >
    > Internet -> F0/0 router F1/1.2 -> host 172.16.2.X
    >
    >
    > !
    > ! Last configuration change at 00:20:30 EST Mon Oct 27 2008 by rsreese
    > ! NVRAM config last updated at 00:22:28 EST Mon Oct 27 2008 by rsreese
    > !
    > version 12.4
    > service timestamps debug datetime msec
    > service timestamps log datetime
    > service password-encryption
    > !
    > hostname 3725router
    > !
    > boot-start-marker
    > boot system flash:/c3725-adventerprisek9-mz.124-21.bin
    > boot-end-marker
    > !
    > logging buffered 8192 debugging
    > logging console informational
    > enable secret 5
    > !
    > aaa new-model
    > !
    > !
    > aaa authentication login default local
    > aaa authentication ppp default local
    > aaa authorization exec default local
    > aaa authorization network default local
    > !
    > aaa session-id common
    > clock timezone EST -5
    > clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    > network-clock-participate slot 1
    > network-clock-participate slot 2
    > no ip source-route
    > !
    > ip traffic-export profile IDS-SNORT
    > interface FastEthernet0/0
    > bidirectional
    > mac-address 000c.2989.f93a
    > ip cef
    > !
    > !
    > no ip dhcp use vrf connected
    > ip dhcp excluded-address 172.16.2.1
    > ip dhcp excluded-address 172.16.3.1
    > !
    > ip dhcp pool VLAN2clients
    > network 172.16.2.0 255.255.255.0
    > default-router 172.16.2.1
    > option 66 ip 172.16.2.10
    > option 150 ip 172.16.2.10
    > dns-server 68.87.74.162 68.87.68.162 68.87.73.242
    > !
    > ip dhcp pool VLAN3clients
    > network 172.16.3.0 255.255.255.0
    > default-router 172.16.3.1
    > dns-server 68.87.74.162 68.87.68.162 68.87.73.242
    > !
    > !
    > ip domain name neocipher.net
    > ip name-server 68.87.74.162
    > ip name-server 68.87.68.162
    > ip inspect udp idle-time 900
    > ip inspect name SDM_LOW cuseeme
    > ip inspect name SDM_LOW dns
    > ip inspect name SDM_LOW ftp
    > ip inspect name SDM_LOW h323
    > ip inspect name SDM_LOW https
    > ip inspect name SDM_LOW icmp
    > ip inspect name SDM_LOW netshow
    > ip inspect name SDM_LOW rcmd
    > ip inspect name SDM_LOW realaudio
    > ip inspect name SDM_LOW rtsp
    > ip inspect name SDM_LOW sqlnet
    > ip inspect name SDM_LOW streamworks
    > ip inspect name SDM_LOW tftp
    > ip inspect name SDM_LOW tcp
    > ip inspect name SDM_LOW udp
    > ip inspect name SDM_LOW vdolive
    > ip inspect name SDM_LOW imap
    > ip inspect name SDM_LOW pop3
    > ip inspect name SDM_LOW esmtp
    > ip auth-proxy max-nodata-conns 3
    > ip admission max-nodata-conns 3
    > ip ips sdf location flash://256MB.sdf
    > ip ips notify SDEE
    > ip ips name sdm_ips_rule
    > vpdn enable
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > crypto pki trustpoint TP-self-signed-995375956
    > enrollment selfsigned
    > subject-name cn=IOS-Self-Signed-Certificate-995375956
    > revocation-check none
    > rsakeypair TP-self-signed-995375956
    > !
    > !
    > crypto pki certificate chain TP-self-signed-995375956
    > certificate self-signed 01
    >
    > quit
    > !
    > crypto key pubkey-chain rsa
    > named-key realm-cisco.pub signature
    > key-string
    > quit
    > username rsreese privilege 15 secret 5
    > !
    > !
    > ip ssh authentication-retries 2
    > !
    > !
    > crypto isakmp policy 3
    > encr 3des
    > authentication pre-share
    > group 2
    > !
    > crypto isakmp policy 10
    > hash md5
    > authentication pre-share
    > crypto isakmp key address 10.0.0.2 no-xauth
    > crypto isakmp key address 74.245.61.45 no-xauth
    > !
    > crypto isakmp client configuration group VPN-Users
    > key
    > dns 68.87.74.162 68.87.68.162
    > domain neocipher.net
    > pool VPN_POOL
    > acl 115
    > include-local-lan
    > netmask 255.255.255.0
    > crypto isakmp profile IKE-PROFILE
    > match identity group VPN-Users
    > client authentication list default
    > isakmp authorization list default
    > client configuration address initiate
    > client configuration address respond
    > virtual-template 1
    > !
    > !
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > mode transport
    > !
    > crypto ipsec profile IPSEC_PROFILE1
    > set transform-set ESP-3DES-SHA
    > set isakmp-profile IKE-PROFILE
    > !
    > !
    > crypto dynamic-map DYNMAP 10
    > set transform-set ESP-3DES-SHA
    > !
    > !
    > crypto map CLIENTMAP client authentication list default
    > crypto map CLIENTMAP isakmp authorization list default
    > crypto map CLIENTMAP client configuration address respond
    > crypto map CLIENTMAP 1 ipsec-isakmp
    > set peer 10.0.0.2
    > set peer 74.245.61.45
    > set transform-set ESP-3DES-SHA
    > match address 100
    > crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    > !
    > !
    > !
    > !
    > interface Loopback0
    > ip address 192.168.0.1 255.255.255.0
    > no ip unreachables
    > ip virtual-reassembly
    > !
    > interface Tunnel0
    > description HE.net
    > no ip address
    > ipv6 address 2001:470:1F06:3B6::2/64
    > ipv6 enable
    > tunnel source 68.156.61.58
    > tunnel destination 209.51.161.14
    > tunnel mode ipv6ip
    > !
    > interface Null0
    > no ip unreachables
    > !
    > interface FastEthernet0/0
    > description $ETH-WAN$$FW_OUTSIDE$
    > ip address dhcp client-id FastEthernet0/0 hostname 3725router
    > ip access-group 104 in
    > no ip unreachables
    > ip nat outside
    > ip inspect SDM_LOW out
    > ip ips sdm_ips_rule in
    > ip virtual-reassembly
    > speed 100
    > full-duplex
    > crypto map CLIENTMAP
    > !
    > interface Serial0/0
    > description $FW_OUTSIDE$
    > ip address 10.0.0.1 255.255.240.0
    > ip access-group 105 in
    > ip verify unicast reverse-path
    > no ip unreachables
    > ip inspect SDM_LOW out
    > ip virtual-reassembly
    > clock rate 2000000
    > crypto map CLIENTMAP
    > !
    > interface FastEthernet0/1
    > no ip address
    > no ip unreachables
    > ip virtual-reassembly
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet0/1.2
    > description $FW_INSIDE$
    > encapsulation dot1Q 2
    > ip address 172.16.2.1 255.255.255.0
    > ip access-group 101 in
    > no ip unreachables
    > ip nat inside
    > ip virtual-reassembly
    > ipv6 address 2001:470:1F07:3B6::/64 eui-64
    > ipv6 enable
    > crypto map CLIENTMAP
    > !
    > interface FastEthernet0/1.3
    > description $FW_INSIDE$
    > encapsulation dot1Q 3
    > ip address 172.16.3.1 255.255.255.0
    > ip access-group 102 in
    > no ip unreachables
    > ip nat inside
    > ip virtual-reassembly
    > !
    > interface FastEthernet0/1.10
    > !
    > interface Serial0/1
    > no ip address
    > no ip unreachables
    > shutdown
    > clock rate 2000000
    > !
    > interface Virtual-Template1 type tunnel
    > description $FW_INSIDE$
    > ip unnumbered Loopback0
    > ip access-group 103 in
    > no ip unreachables
    > ip virtual-reassembly
    > tunnel mode ipsec ipv4
    > tunnel protection ipsec profile IPSEC_PROFILE1
    > !
    > ip local pool VPN_POOL 192.168.0.100 192.168.0.105
    > ip forward-protocol nd
    > ip route 172.16.10.0 255.255.255.0 10.0.0.2
    > !
    > !
    > ip http server
    > ip http authentication local
    > ip http secure-server
    > ip http timeout-policy idle 600 life 86400 requests 10000
    > ip nat translation udp-timeout 900
    > ip nat inside source list 1 interface FastEthernet0/0 overload
    > !
    > logging trap debugging
    > logging origin-id hostname
    > logging 172.16.2.5
    > access-list 1 permit 172.16.2.0 0.0.0.255
    > access-list 1 permit 172.16.3.0 0.0.0.255
    > access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    > access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
    > access-list 101 remark auto generated by SDM firewall configuration
    > access-list 101 remark SDM_ACL Category=1
    > access-list 101 permit ahp any host 172.16.2.1
    > access-list 101 permit esp any host 172.16.2.1
    > access-list 101 permit udp any host 172.16.2.1 eq isakmp
    > access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
    > access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    > access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
    > access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    > access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
    > access-list 101 deny ip host 255.255.255.255 any log
    > access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    > access-list 101 deny tcp any any range 1 chargen log
    > access-list 101 deny tcp any any eq whois log
    > access-list 101 deny tcp any any eq 93 log
    > access-list 101 deny tcp any any range 135 139 log
    > access-list 101 deny tcp any any eq 445 log
    > access-list 101 deny tcp any any range exec 518 log
    > access-list 101 deny tcp any any eq uucp log
    > access-list 101 permit ip any any
    > access-list 102 remark auto generated by SDM firewall configuration
    > access-list 102 remark SDM_ACL Category=1
    > access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
    > access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
    > access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
    > access-list 102 deny ip host 255.255.255.255 any log
    > access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    > access-list 102 permit ip any any
    > access-list 103 remark auto generated by SDM firewall configuration
    > access-list 103 remark SDM_ACL Category=1
    > access-list 103 deny ip 172.16.2.0 0.0.0.255 any
    > access-list 103 deny ip 10.0.0.0 0.0.15.255 any
    > access-list 103 deny ip 172.16.3.0 0.0.0.255 any
    > access-list 103 deny ip host 255.255.255.255 any
    > access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    > access-list 103 permit ip any any
    > access-list 104 remark auto generated by SDM firewall configuration
    > access-list 104 remark SDM_ACL Category=1
    > access-list 104 permit udp host 205.152.132.23 eq domain any
    > access-list 104 permit udp host 205.152.144.23 eq domain any
    > access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
    > access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
    > access-list 104 permit ahp any any
    > access-list 104 permit esp any any
    > access-list 104 permit udp any any eq isakmp
    > access-list 104 permit udp any any eq non500-isakmp
    > access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
    > access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    > access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
    > access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
    > access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
    > access-list 104 permit udp any eq bootps any eq bootpc
    > access-list 104 permit icmp any any echo-reply
    > access-list 104 permit icmp any any time-exceeded
    > access-list 104 permit icmp any any unreachable
    > access-list 104 deny icmp any any echo log
    > access-list 104 deny icmp any any mask-request log
    > access-list 104 deny icmp any any redirect log
    > access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
    > access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
    > access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
    > access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
    > access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
    > access-list 104 deny ip host 255.255.255.255 any log
    > access-list 104 deny tcp any any range 6000 6063 log
    > access-list 104 deny tcp any any eq 6667 log
    > access-list 104 deny tcp any any range 12345 12346 log
    > access-list 104 deny tcp any any eq 31337 log
    > access-list 104 deny udp any any eq 2049 log
    > access-list 104 deny udp any any eq 31337 log
    > access-list 104 deny udp any any range 33400 34400 log
    > access-list 104 deny ip any any log
    > access-list 105 remark auto generated by SDM firewall configuration
    > access-list 105 remark SDM_ACL Category=1
    > access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
    > access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq
    > ntp
    > access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
    > access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
    > access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
    > access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-
    > isakmp
    > access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
    > access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
    > access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
    > access-list 105 deny ip 172.16.2.0 0.0.0.255 any
    > access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    > access-list 105 deny ip 172.16.3.0 0.0.0.255 any
    > access-list 105 permit icmp any host 10.0.0.1 echo-reply
    > access-list 105 permit icmp any host 10.0.0.1 time-exceeded
    > access-list 105 permit icmp any host 10.0.0.1 unreachable
    > access-list 105 deny ip 10.0.0.0 0.255.255.255 any
    > access-list 105 deny ip 172.16.0.0 0.15.255.255 any
    > access-list 105 deny ip 192.168.0.0 0.0.255.255 any
    > access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    > access-list 105 deny ip host 255.255.255.255 any
    > access-list 105 deny ip host 0.0.0.0 any
    > access-list 105 deny ip any any log
    > access-list 115 permit ip 172.16.0.0 0.0.255.255 any
    > access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    > access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    > snmp-server community public RO
    > ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
    > ipv6 route ::/0 Tunnel0
    > !
    > !
    > !
    > !
    > control-plane
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > line con 0
    > line aux 0
    > line vty 0 4
    > password 7
    > transport input ssh
    > line vty 5 903
    > transport input ssh
    > !
    > ntp clock-period 17180660
    > ntp server 129.6.15.29 source FastEthernet0/0 prefer
    > !
    > end
    Thrill5, Oct 27, 2008
