ASK THE EXPERT- TROUBLESHOOTING CISCO IDS/IPS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn with Cisco expert Nadeem Khawaja about troubleshooting Cisco Intrusion Detection Systems and Intrusion Prevention Systems. Nadeem supports security related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Systems at the Technical Assistance Center (TAC). He is a double CCIE (# 9069) in Routing & Switching and in Security.

Remember to use the rating system to let Nadeem know if you have received an adequate response.

Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 17. Visit this forum often to view responses to your questions and the questions of other community members.


ph0enix
Level 1

Hi, I'm looking to configure my 2651xm as a stateful inspection firewall, VPN3000 server and IDS system. I realize that it may be too much to ask from one little router - therefore I'd like your input on this. Attached is my current config. I'm getting slow performance out of the router and I don't know why. I'm having trouble getting port-forwarding to work as well. Perhaps you can help me figure it out.

Also, is the IOS firewall a separate product from the downloadable IOS images? ...I've seen some places on the web selling it as a software bundle and I'm wondering what's really in it.

Thanks in advance.

Hi,

If you configure IDS/VPN/FW on the router at the same time, you are definitely increasing the workload, so slow performance is expected. Now the question is how much slower? What is the CPU load now? Where exactly do you feel the slowness? Please brief on what the issue is that you have with port forwarding.

IOS FW is not a separate product, but a special IOS image with FW features set.

Thanks

Nadeem

Nadeem,

The current load averages are all under 5%. I have been using an old PII machine running Windows 2000 and Microsoft ISA Server 2004 as a firewall until this point. Now this router fell into my lap and I was hoping to make a more robust and secure firewall of it. I'm not too hung up on the ICS idea but I would like a stateful inspection FW and VPN. The VPN will be rarely used so I'm not too worried about the workload.

Now the performance issues: When I unplug the ISA machine and plug the router in (using the same cables), then try to ping external websites from client machines, about 1/3 of the pings time out. When I download files from my own website through the router, it takes twice as long as it does when downloading via the ISA box. I've tried all possible port speed and duplex settings - it didn't make any difference. Everything gets back to normal once I unplug the router and plug the ISA system back in. Perhaps my configuration is screwy (did you get a chance to review the attachment?) or the router could be defective[?]

Your config seems fine, but you can try these suggestions; if it doesn't work, open up a case with TAC for detailed analysis.

You can try to disable the ip inspect statements and use only these:

ip inspect tcp

ip inspect udp

ip inspect ftp

You can look into interface errors by typing "show interface".

You have two default gateways in your config, why?

You have set the logging trap level to "debug", this will generate too many log messages. You can try to lower the trap level, say for example to "error"; the command will be "logging trap error"

or you can disable the logging for testing purposes.

thanks

Nadeem
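The three checks Nadeem lists (a second default route, ip inspect rules beyond the tcp/udp/ftp baseline, and a chatty logging trap level) are easy to miss in a long running-config. Below is an added example, not code from the thread or from Cisco, that scans a configuration text for exactly those three items. The config fragment inside it is constructed for illustration (the poster's attachment is not reproduced on the page); the hostname, inspect rule name "FW", and the 203.0.113.x next hops are placeholders.

```python
import re

# Constructed sample running-config fragment (placeholder values, not the
# poster's attachment).  It deliberately contains the three things the
# answer above points at: inspect rules beyond tcp/udp/ftp, two default
# routes, and logging trap at debugging level.
SAMPLE_CONFIG = """\
version 12.3
hostname r2651
!
logging buffered 16384
logging trap debugging
logging 192.168.199.10
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW smtp
ip inspect name FW realaudio
!
interface FastEthernet0/0
 ip address 192.168.199.1 255.255.255.0
 ip inspect FW in
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.254
"""

# IOS syslog severities in numeric order (0..7); informational and
# debugging produce the message volume the answer warns about.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
CHATTY_FROM = SEVERITIES.index("informational")

# Protocols the answer suggests keeping while testing performance.
BASELINE_INSPECT = {"tcp", "udp", "ftp"}


def severity_index(keyword):
    """Map an IOS trap keyword (full, abbreviated, or numeric) to 0..7."""
    if keyword.isdigit():
        n = int(keyword)
        return n if 0 <= n <= 7 else None
    for i, name in enumerate(SEVERITIES):
        if name.startswith(keyword):
            return i
    return None


def audit_config(text):
    """Return a list of (check, detail) findings for the three checks."""
    findings = []
    default_routes = []
    inspect_rules = {}        # rule name -> set of inspected protocols
    trap_level = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            default_routes.append(m.group(1))
            continue
        m = re.match(r"ip inspect name (\S+) (\S+)", line)
        if m:
            inspect_rules.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"logging trap (\S+)", line)
        if m:
            trap_level = m.group(1)
    if len(default_routes) > 1:
        findings.append(("multiple-default-routes", sorted(default_routes)))
    for name, protos in inspect_rules.items():
        extra = sorted(protos - BASELINE_INSPECT)
        if extra:
            findings.append(("inspect-beyond-baseline", (name, extra)))
    if trap_level is not None:
        level = severity_index(trap_level)
        if level is not None and level >= CHATTY_FROM:
            findings.append(("verbose-logging-trap", SEVERITIES[level]))
    return findings


if __name__ == "__main__":
    for check, detail in audit_config(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```

Run it against the output of "show running-config" saved to a file to get the same three findings for a real box; the inspect check only lists what is outside the baseline, so a config that already uses only tcp/udp/ftp reports nothing for it.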

Thanks again, Nadeem.

I've tried it with and without logging. There was no difference in performance. I even ran a line speed test at http://nyc.speakeasy.net. With ISA, my line speed was around 768kbps down/640kbps up. When I tested with the cisco, it was 400kbps down and 640kbps up - really strange since the upload rate was the same in both cases and only the download was affected. I must have put the second default route in by accident - I'll remove it and give it a shot though it probably won't make a difference. I'll try the "ip inspect" suggestions.

The last thing that I need your help with is configuring the VPN. I want to be able to use the Cisco VPN client to access the 192.168.199.0/24 network from the Internet.

Thank you!

Hi,

My apology, but this session is for IDS/IPS, not for VPN configuration. You can post the VPN question on the VPN forum.

thanks

Nadeem

I did post a question but I'm not getting any replies. Is there a better way?

You will get a reply; I have seen in this forum that most (almost all) questions get replied to. If you would like to expedite the issue, you could open up a TAC case.

BTW, what is the issue? Just post it here as well; maybe I am able to answer if time permits.

thanks

Nadeem

I would like to configure it so the 192.168.199/24 network can be accessed remotely using Cisco VPN client - basically make it a VPN server.

Thanks!

I have an IDS 4235 that runs CIDS 3.0(5). I do not have the password to the IDS and the IDS is presently not connected to the network.

I'm trying to reimage the IDS appliance with the original recovery CD; everything works fine in the reimaging process but I get stuck here:

SunOS Secondary Boot Version 3.0

Booting Cisco Intrusion Detection System...

At this point it stays here and cannot continue.

I need any help I can. I have tried using a windows box to complete the process, also a Linux box with no success.

What do you mean by using a windows box to complete the process?

How are you accessing the 4235?

Have you tried to use a keyboard/monitor directly on the 4235?

This could be that you are not seeing the screen output.

thanks

Nadeem

Hi Nadeem:

By 'using a windows box' I mean that I try to boot the IDS by inserting the upgrade/recovery CD in a machine running windows and initiating the reimaging process by booting the windows machine running the IDS recovery CD.

I access the 4235 by attaching a monitor and keyboard directly to the IDS.

Thank you.

When you start installation, press "k", see if it starts sending output to the monitor directly connected.

So you are trying to install IDS 3.x?

You can try to connect a console to the IDS 4235, then start installation.

lenny.lim
Level 1

Greetings Nadeem,

Really appreciate yourself taking this time and effort to answer all of our questions. Below are a few of my questions:

1) Cisco IPS is somewhat new and has evolved from its cousin the IDS. IPS is not something of a new product but rather has been around for a while. I would say Cisco are a bit slow in this area and are also not that strong in the market (my apologies). Basically what I would like to know is what are the key advantages that Cisco IPS has, compared to the other products?

2) Out there people have been creating their own Cisco IDS which they call "Franken IDS". These are created using a PC loaded with Linux and configured to run Cisco IDS software. What is Cisco doing in terms of protecting against such a thing?

I'm sorry if my questions are a bit off and general, but the main reason is I would like to know how much Cisco is putting into this IPS market.

Thanks... in advance.
