Poor FTP performance with 837

Discussion in 'Cisco' started by John Rennie, Oct 1, 2006.

  1. John Rennie

    John Rennie Guest

    I've found that using FTP to a server behind a Cisco 837 gives poor
    performance. The server is published using static NAT:

    ip nat inside source static 192.168.168.14 123.123.123.82

    with an ACL that includes:

    no access-list 111
    access-list 111 remark Incoming access from the Internet
    ...
    access-list 111 permit tcp any host 123.123.123.82 eq 21
    ...
    access-list 111 deny ip any any log

    I've attached the full config below.

    Using the WinXP command line FTP client to connect to the external address,
    123.123.123.82, I only get 16-18KB/sec transfers on both uploads and
    downloads. But if I go through the LAN to LAN VPN and connect to the LAN
    address, 192.168.168.14, I get 75KB download and about 250KB upload, which
    matches the ADSLMax line speed of 3Mbps/800Kbps.

    My guess is that the VPN bypasses the firewall, and it's the firewall that is
    responsible for the poor performance. Is there a way round this? I know the
    837 is entry level in Cisco standards, but even a Draytek 2800 at half the
    price can do FTP at full speed. Incidentally I've tested this at two of our
    remote offices and I get the slow FTP problem at both, so it's not just a duff
    router. Also HTTP downloads from the same server through the same 837 run at
    the expected 75KB/sec so the problem seems restricted to FTP, possibly because
    the FTP requires secondary connections so it's more work for the firewall?

    Anyhow, thanks for any help.

    John Rennie

    ----8<----

    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    logging buffered 4096
    enable secret <password>
    !
    username admin secret 5 <password>
    no aaa new-model
    ip subnet-zero
    !
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    !
    ! PPTP dialins
    ! ============
    !
    vpdn enable
    !
    vpdn-group pptp
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    exit
    exit
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    peer default ip address pool default
    ppp encrypt mppe auto
    ppp authentication ms-chap chap pap
    !
    ip local pool default 192.168.168.224 192.168.168.239
    !
    ! VPNs
    ! ====
    !
    crypto isakmp policy 1
    encryption des
    hash sha
    authentication pre-share
    group 1
    lifetime 28800
    !
    crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
    crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
    crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
    !
    ! JR
    crypto map cm-cryptomap 1 ipsec-isakmp
    set peer 111.111.111.214
    set transform-set tr-des-sha
    match address 120
    crypto isakmp key <sharedsecret> address 111.111.111.214
    !
    no access-list 120
    access-list 120 remark Site to Site VPN to John
    access-list 120 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 120 deny ip 192.168.168.0 0.0.0.255 any
    !
    ! Matt
    crypto map cm-cryptomap 2 ipsec-isakmp
    set peer 111.111.112.53
    set transform-set tr-des-sha
    match address 121
    crypto isakmp key <sharedsecret> address 111.111.112.53
    !
    no access-list 121
    access-list 121 remark Site to Site VPN to Matt
    access-list 121 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 121 deny ip 192.168.168.0 0.0.0.255 any
    !
    ! Paul
    ! Use the transform tr-des-md5 because the bloody Vigors won't do SHA1
    crypto map cm-cryptomap 3 ipsec-isakmp
    set peer 111.111.113.157
    set transform-set tr-des-md5
    match address 122
    crypto isakmp key <sharedsecret> address 111.111.113.157
    !
    no access-list 122
    access-list 122 remark Site to Site VPN to Paul
    access-list 122 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
    access-list 122 deny ip 192.168.255.0 0.0.0.255 any
    !
    ! Use a policy map to prevent NAT through the VPN by routing the VPN
    ! traffic through the loopback adapter
    !
    route-map nonat permit 10
    match ip address 129
    set ip next-hop 1.1.1.2
    !
    no access-list 129
    access-list 129 remark Route VPN traffic through the loopback adapter
    access-list 129 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 129 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 129 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
    !
    ! Interfaces
    ! ==========
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface Ethernet0
    ip address 192.168.168.254 255.255.255.0
    ip nat inside
    ip route-cache policy
    ip policy route-map nonat
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname <username>
    ppp chap password <password>
    ppp pap sent-username <username> password <password>
    crypto map cm-cryptomap
    no ip route-cache
    no ip mroute-cache
    hold-queue 224 in
    !
    ! NAT
    ! ===
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static 192.168.168.14 123.123.123.82
    ip nat inside source static 192.168.168.2 123.123.123.83
    ip nat inside source static 192.168.168.4 123.123.123.84
    !
    no access-list 102
    access-list 102 remark Addresses to NAT behind router
    access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.130.0 0.0.0.255
    access-list 102 permit ip 192.168.168.0 0.0.0.255 any
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.255.0 255.255.255.0 192.168.168.15
    ip http server
    no ip http secure-server
    !
    ! Access lists
    ! ============
    !
    no access-list 23
    access-list 23 remark Allowed to manage the router
    access-list 23 permit 192.168.168.0 0.0.0.127
    !
    no access-list 111
    access-list 111 remark Incoming access from the Internet
    ! ping
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    ! VPN
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit gre any any
    ! Allow VPN traffic
    access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 111 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
    ! Hawthorn through ISA
    access-list 111 permit tcp any host 123.123.123.82 eq 21
    access-list 111 permit tcp any host 123.123.123.82 eq 25
    access-list 111 permit tcp any host 123.123.123.82 eq 80
    access-list 111 permit tcp any host 123.123.123.82 eq 443
    access-list 111 permit tcp any host 123.123.123.82 eq 53
    access-list 111 permit udp any host 123.123.123.82 eq 53
    access-list 111 permit tcp any host 123.123.123.82 eq 6666
    ! Redwood through ISA
    access-list 111 permit tcp any host 123.123.123.83 eq 80
    access-list 111 permit tcp any host 123.123.123.83 eq 110
    access-list 111 permit tcp any host 123.123.123.83 eq 143
    access-list 111 permit tcp any host 123.123.123.83 eq 443
    ! Conker direct
    access-list 111 permit tcp any host 123.123.123.84 eq 69
    access-list 111 permit udp any host 123.123.123.84 eq 69
    ! Allow incoming DNS
    access-list 111 permit udp any any eq 53
    ! Allow incoming NTP
    access-list 111 permit udp any any eq 123
    ! Deny the rest
    access-list 111 deny ip any any log
    !
    dialer-list 1 protocol ip permit
    !
    ! SNMP
    ! ====
    snmp-server community public ro
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end
    John Rennie, Oct 1, 2006
    #1

  2. John Rennie

    Dev Guest

    Put one more line in your access-list

    access-list 111 permit tcp any host 123.123.123.82 eq 20


    It might help you.

    ~/Dev



    John Rennie wrote:
    > I've found that using FTP to a server behind a Cisco 837 gives poor
    > performance. The server is published using static NAT:
    >
    > ip nat inside source static 192.168.168.14 123.123.123.82
    >
    > with an ACL that includes:
    >
    > no access-list 111
    > access-list 111 remark Incoming access from the Internet
    > ...
    > access-list 111 permit tcp any host 123.123.123.82 eq 21
    > ...
    > access-list 111 deny ip any any log
    >
    > I've attached the full config below.
    >
    > Using the WinXP command line FTP client to connect to the external address,
    > 123.123.123.82, I only get 16-18KB/sec transfers on both uploads and
    > downloads. But if I go through the LAN to LAN VPN and connect to the LAN
    > address, 192.168.168.14, I get 75KB download and about 250KB upload, which
    > matches the ADSLMax line speed of 3Mbps/800Kbps.
    >
    > My guess is that the VPN bypasses the firewall, and it's the firewall that is
    > responsible for the poor performance. Is there a way round this? I know the
    > 837 is entry level in Cisco standards, but even a Draytek 2800 at half the
    > price can do FTP at full speed. Incidentally I've tested this at two of our
    > remote offices and I get the slow FTP problem at both, so it's not just a duff
    > router. Also HTTP downloads from the same server through the same 837 runs at
    > the expected 75KB/sec so the problem seems restricted to FTP, possibly because
    > the FTP requires secondary connections so it's more work for the firewall?
    >
    > Anyhow, thanks for any help.
    >
    > John Rennie
    Dev, Oct 2, 2006
    #2

  3. John Rennie

    John Rennie Guest

    Thanks Dev.

    Some minor and apparently unrelated changes and one reload later and the
    problem seems to have disappeared. I now wait and see if it recurs I suppose!

    JR


    On 2 Oct 2006 01:00:49 -0700, "Dev" <> wrote:

    >Put one more line in your access-list
    >
    >access-list 111 permit tcp any host 123.123.123.82 eq 20
    >
    >
    >It might help you.
    >
    >~/Dev
    John Rennie, Oct 2, 2006
    #3
  4. John Rennie

    Guest

    John Rennie wrote:
    > Thanks Dev.
    >
    > Some minor and apparently unrelated changes and one reload later and the
    > problem seems to have disappeared. I now wait and see if it recurs I suppose!
    >
    > JR
    >
    >
    > On 2 Oct 2006 01:00:49 -0700, "Dev" <> wrote:
    >
    > >Put one more line in your access-list
    > >
    > >access-list 111 permit tcp any host 123.123.123.82 eq 20

    this is not necessary with
    > >> ip inspect name myfw ftp timeout 3600


    As the inspect system notices the port that ftp
    requests for its data transfer.

    Or at least it should.

    You can check what inspect thinks is happening with
    sh ip ins sess

    you should see the ftp control and data sessions there.

    I have seen a problem with 837 not handling more than
    1 packet as the first data transfer of a new TCP session.
    This prevented for example successful use of Hotmail. When
    you logged in to Hotmail a new session got opened and say
    2k of data was sent. The second packet was dropped, I guess since the
    inspect system was still getting going.

    Turning off fast switching or upgrading the software fixed it.

    I would also make sure that I was not getting buffer failures.

    sh buff
    , Oct 2, 2006
    #4
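The "secondary connections" John mentions in #1 and the inspect behaviour described in #4 are the same mechanism seen from two sides. The toy model below, added here and not code from the thread or from Cisco IOS, walks a constructed FTP control-channel transcript the way an FTP-aware inspection engine has to: it spots PORT and 227 (PASV) exchanges, rewrites the inside address in the server's 227 reply to the static NAT address (the NAT ALG's job; without it a passive-mode client is told to connect to 192.168.168.14), and opens a per-client pinhole for each data connection. The server addresses are the ones in the thread; the client address 198.51.100.7, the port numbers and the transcript are constructed.

```python
"""
Toy model of FTP-aware stateful inspection, i.e. the job `ip inspect name myfw ftp`
does on the 837: watch the TCP/21 control channel for PORT / PASV exchanges, derive
the data connection each implies, and open a temporary pinhole for it even though
the static ACL 111 only permits port 21.  Added example for this thread, not code
from the thread or from Cisco.  Server addresses come from the thread's NAT line;
the client address and the control-channel transcript are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

SERVER_INSIDE = "192.168.168.14"   # inside address from the thread's static NAT line
SERVER_PUBLIC = "123.123.123.82"   # its public (static NAT) address
CLIENT = "198.51.100.7"            # constructed Internet-side FTP client

# The static ACL 111 entries that touch this FTP server: port 21 only.
STATIC_PERMITS = {(SERVER_PUBLIC, 21)}


@dataclass(frozen=True)
class Pinhole:
    """A temporary permit the inspection engine opens for one data channel."""
    src: str        # host allowed to initiate the data connection
    dst: str
    dport: int
    direction: str  # "in" = Internet -> server, "out" = server -> Internet


HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$")     # client command, active mode
PASV_RE = re.compile(r"^227 .*?\(" + HOSTPORT + r"\)")   # server reply, passive mode


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 (RFC 959)."""
    a, b, c, d, hi, lo = map(int, groups)
    return f"{a}.{b}.{c}.{d}", (hi << 8) | lo


def nat_fixup_227(reply: str) -> str:
    """NAT ALG step: a 227 reply from the inside server announces its inside
    address, useless to an Internet client.  Rewrite it to the static NAT
    address; the port stays as-is because static NAT is 1:1."""
    m = PASV_RE.match(reply)
    if m and _hostport(m.groups())[0] == SERVER_INSIDE:
        inside = SERVER_INSIDE.replace(".", ",")
        public = SERVER_PUBLIC.replace(".", ",")
        return reply.replace(inside, public, 1)
    return reply


def pinhole_for(sender: str, line: str, client: str) -> Optional[Pinhole]:
    """Derive the data-channel pinhole implied by one control-channel line.
    sender is "C" (client command) or "S" (server reply, after NAT fixup)."""
    if sender == "C":
        m = PORT_RE.match(line)
        if m:  # active mode: the server dials out from port 20 to the client
            host, port = _hostport(m.groups())
            return Pinhole(SERVER_PUBLIC, host, port, "out")
    elif sender == "S":
        m = PASV_RE.match(line)
        if m:  # passive mode: only this client may dial in to the announced port
            host, port = _hostport(m.groups())
            return Pinhole(client, host, port, "in")
    return None


def inspect_control_channel(transcript, client: str):
    """Walk the transcript as the router would; return the (possibly rewritten)
    lines the client actually sees and the pinholes opened along the way."""
    seen, pinholes = [], []
    for sender, line in transcript:
        if sender == "S":
            line = nat_fixup_227(line)
        seen.append((sender, line))
        p = pinhole_for(sender, line, client)
        if p:
            pinholes.append(p)
    return seen, pinholes


def verdict(src: str, dst: str, dport: int, direction: str, pinholes) -> str:
    """How a new SYN fares: the static ACL 111, an inspect pinhole, or a drop."""
    if direction == "in" and (dst, dport) in STATIC_PERMITS:
        return "static ACL"
    for p in pinholes:
        if (p.direction, p.dst, p.dport) == (direction, dst, dport) and p.src == src:
            return "inspect pinhole"
    return "dropped"


# Constructed control-channel transcript: one passive download, one active upload.
TRANSCRIPT = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,168,14,195,80)"),  # port 195*256+80 = 50000
    ("C", "RETR report.pdf"),
    ("C", "PORT 198,51,100,7,4,1"),                               # port 4*256+1 = 1025
    ("S", "200 PORT command successful."),
    ("C", "STOR upload.bin"),
]

if __name__ == "__main__":
    seen, pinholes = inspect_control_channel(TRANSCRIPT, CLIENT)
    print("client sees:", seen[5][1])
    for p in pinholes:
        print("pinhole:", p)
    print("SYN to :50000 with inspection ->", verdict(CLIENT, SERVER_PUBLIC, 50000, "in", pinholes))
    print("SYN to :50000 from a stranger ->", verdict("203.0.113.9", SERVER_PUBLIC, 50000, "in", pinholes))
    print("SYN to :50000, no inspection  ->", verdict(CLIENT, SERVER_PUBLIC, 50000, "in", []))
```

The verdict() checks show what separates the dynamic pinhole from a permanent `permit tcp any host ... eq 20` line: the pinhole is opened only for the client that negotiated it, only for the port announced on the control channel, and only for the life of that transfer. A static ACL entry cannot express that for passive mode at all, because the port is chosen per transfer. On the real router, `sh ip ins sess` (as #4 says) is where you confirm that the control session and its data session were both picked up.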
