09-01-2011 02:58 AM - edited 03-04-2019 01:28 PM
Hi all,
I have just got a cisco 1720 router and set it up for my internet connection.
I have a cable modem and when running on any previous cheap firewall I could pull about 15 meg download.
Now I can only pull about 9.3 meg download.
But saying that does not really explain it well as there is a serious lag when I go to a page even like google.
Something else that may help: when I go to my android phone and download updates, it downloads them one at a time - before putting in this router the updates would come in all at once - not one at a time.
The cisco has an addin 4 port switch which connects to my network.
I am connecting the cable modem to the built in fastethernet 0 interface.
I am not that good with Cisco so I may be doing something completely wrong but don't know where to look.
Here are the interface commands I have used on the external FastEthernet0 interface.
If anyone can provide any insight as to why it is slow, your help would be appreciated.
interface FastEthernet0
ip address x.x.x.x x.x.x.x
ip access-group INTERNET-IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
Oh by the way I have set the duplex and speed settings to auto but seems to make no difference.
09-01-2011 03:26 AM
Hi there,
how much is MTU and tcp-mss?
Which one is the interface facing the Internet? You have an ip access-group INTERNET-IN in on FastEthernet0 and then a firewall IP Inspect FIREWALL out on the same interface; it seems not correct.
Remove IPS/IDS config and give it a try.
Cheers
Fabio
09-01-2011 05:31 AM
Hi fabios,
I am not sure what the mtu and tcp-mss are - they will probably be default - I will try to find out.
The interface that is facing the internet is the fastethernet0
So should that interface have the firewall ip inspect on it and the LAN interface have the access-group INTERNET-IN on it?
I don't know what IPS/IDS is?
09-01-2011 07:14 AM
Iceman,
if Fastethernet0 is facing the Internet, what is your LAN interface?
First rule in configuring a router is IP baselining: i.e. have a working IP-only config.
IPS/IDS is intrusion detection or prevention system which is Cisco signature based firewalling.
In your config:
ip access-group INTERNET-IN in
ip inspect FIREWALL out
filtering features that, based on how you configured the IPS/IDS and the access-list, can create all sorts of problems.
Try baselining an IP config and then add those features.
Back to TCP-MSS: it is the TCP maximum segment size, and MTU is the IP Maximum Transport unit; both are dependent upon layer 2 connectivity and if misconfigured can break down TCP connectivity altogether or slow it down very much.
Fabio
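The MSS/MTU relationship Fabio describes is simple arithmetic (MSS = MTU minus the 20-byte IP header minus the 20-byte TCP header, minus any extra encapsulation such as PPPoE or an IPsec tunnel), but it is easy to get wrong when `ip tcp adjust-mss` is copied between interfaces with different MTUs. The following added example, which is not from this thread or from Cisco, is a small Python linter that parses an IOS-style config laid out like the one posted here, checks each interface's `ip tcp adjust-mss` against the MTU that applies to it, and also flags `ip access-group` / `ip inspect` references to ACLs or inspect rules that are never defined (a baselining mistake that produces exactly the kind of silent breakage discussed above). The sample config embedded in the script is constructed for the example and the `203.0.113.10` address is a documentation placeholder; `Tunnel0` and `FastEthernet1` are invented interfaces that carry the faults the checks are meant to catch.

```python
"""Lint an IOS-style config for MSS/MTU consistency and dangling firewall references.

Added example, not code from the thread or from Cisco. The parser assumes the
layout used in this thread: one command per line, interface stanzas terminated
by '!' or 'exit'. Indentation is ignored, since forum pasting usually strips it.
"""
import re

IP_HEADER = 20      # IPv4 header without options
TCP_HEADER = 20     # TCP header without options
DEFAULT_MTU = 1500  # Ethernet default when an interface sets no 'ip mtu'

# Constructed sample config (not the poster's full config). Vlan1 mirrors the
# thread's 'ip tcp adjust-mss 1452'; Tunnel0 and FastEthernet1 are invented to
# carry a too-large MSS and an undefined ACL respectively.
SAMPLE_CONFIG = """\
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
interface FastEthernet0
ip address 203.0.113.10 255.255.255.0
ip access-group INTERNET-IN in
ip inspect FIREWALL out
ip nat outside
!
interface FastEthernet1
ip access-group LAN-IN in
!
interface Vlan1
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
!
interface Tunnel0
ip mtu 1400
ip tcp adjust-mss 1452
!
ip access-list extended INTERNET-IN
deny ip 10.0.0.0 0.255.255.255 any
permit udp any any eq isakmp
deny ip any any
"""


def max_mss(mtu, extra_overhead=0):
    """Largest TCP MSS that fits in `mtu` after IP and TCP headers plus any
    additional encapsulation (PPPoE 8, GRE 24, IPsec varies) in extra_overhead."""
    return mtu - IP_HEADER - TCP_HEADER - extra_overhead


def parse_config(text):
    """Return (interfaces, acl_names, inspect_rule_names) from IOS-style text."""
    interfaces, acls, inspect_rules = {}, set(), set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('!') or line == 'exit':
            current = None          # end of the current stanza
            continue
        m = re.match(r'interface (\S+)', line)
        if m:
            current = interfaces.setdefault(
                m.group(1), {'mtu': None, 'mss': None, 'acl': {}, 'inspect': {}})
            continue
        m = re.match(r'ip access-list (?:standard|extended) (\S+)', line)
        if m:
            current = None
            acls.add(m.group(1))
            continue
        m = re.match(r'ip inspect name (\S+)', line)
        if m:
            current = None
            inspect_rules.add(m.group(1))
            continue
        if current is None:         # top-level command we do not care about
            continue
        m = re.match(r'ip mtu (\d+)', line)
        if m:
            current['mtu'] = int(m.group(1))
            continue
        m = re.match(r'ip tcp adjust-mss (\d+)', line)
        if m:
            current['mss'] = int(m.group(1))
            continue
        m = re.match(r'ip access-group (\S+) (in|out)', line)
        if m:
            current['acl'][m.group(2)] = m.group(1)
            continue
        m = re.match(r'ip inspect (\S+) (in|out)', line)
        if m:
            current['inspect'][m.group(2)] = m.group(1)
    return interfaces, acls, inspect_rules


def lint(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    interfaces, acls, inspect_rules = parse_config(text)
    findings = []
    for name, cfg in interfaces.items():
        mtu = cfg['mtu'] or DEFAULT_MTU
        if cfg['mss'] is not None and cfg['mss'] > max_mss(mtu):
            findings.append(f"{name}: adjust-mss {cfg['mss']} exceeds "
                            f"{max_mss(mtu)} allowed by MTU {mtu}")
        for direction, acl in cfg['acl'].items():
            if acl not in acls:
                findings.append(f"{name}: access-group {acl} {direction} "
                                f"references an undefined ACL")
        for direction, rule in cfg['inspect'].items():
            if rule not in inspect_rules:
                findings.append(f"{name}: inspect {rule} {direction} "
                                f"references an undefined inspect rule")
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the undefined `LAN-IN` ACL on FastEthernet1 and the 1452-byte MSS on the 1400-byte Tunnel0 (where 1360 is the most that fits); Vlan1's 1452 passes because it is below the 1460 an untagged 1500-byte Ethernet allows, leaving 8 bytes of headroom for a PPPoE hop upstream. Paste your own running config into `SAMPLE_CONFIG` to check it the same way.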
09-01-2011 05:50 PM
Hi Fabios,
that actually helped a lot.
I found that if I remove the ip access-group INTERNET-IN in from the fastethernet0 interface then the pages load a lot faster.
I still get a speed test of 9.5 meg down but the internet pages load at a reasonable speed.
I have posted my config below, if you could be so kind as to have a quick look over it and see if you can see anything out of place or incorrect it would be appreciated.
Update: my router is a 1721 and it has a 4 port switch installed into the slot in the back.
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname PhilsCisco
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
no ip source-route
ip cef
!
ip inspect name FIREWALL icmp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL http java-list 99
ip inspect name FIREWALL https
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL sip
ip inspect name FIREWALL sip-tls
!
username admin privilege 15 secret xxx
!
ip ssh rsa keypair-name SSH-KEYS
ip ssh logging events
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-1736130990
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1736130990
revocation-check none
rsakeypair TP-self-signed-1736130990
!
crypto pki certificate chain TP-self-signed-1736130990
certificate self-signed 01 nvram:IOS-Self-Sig#3030.cer
file verify auto
!
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx address xxx
!
crypto ipsec transform-set to-bob-vpn esp-3des esp-md5-hmac
!
crypto map to-bob-vpn 10 ipsec-isakmp
set peer xxx
set transform-set to-bob-vpn
set pfs group2
match address vpn-bob
!
interface FastEthernet0
ip address xxx xxx
ip access-group INTERNET-IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
crypto map to-bob-vpn
no shutdown
exit
!
interface FastEthernet1
no shutdown
exit
!
interface FastEthernet2
no shutdown
exit
!
interface FastEthernet3
no shutdown
exit
!
interface FastEthernet4
no shutdown
exit
!
interface Vlan1
ip address 192.168.20.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip directed-broadcast
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 xxx
!
ip http server
ip http secure-server
ip nat inside source list GENERAL_PAT interface FastEthernet0 overload
!
ip access-list extended GENERAL_PAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip 192.168.20.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
!
ip access-list extended INTERNET-IN
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 224.0.0.0 0.15.255.255 any
deny ip any host 255.255.255.255
permit gre any any
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 47773
permit tcp any any eq 47774
permit tcp any any eq 51500
permit tcp any any eq 51501
permit tcp any any eq 51502
deny ip any any
!
ip access-list extended SECURE-VTY
remark Permit devices ssh/telnet access to router
permit ip 192.168.20.0 0.0.0.255 any
deny ip any any log
remark Permit devices ssh/telnet access to router
!
ip access-list extended vpn-bob
remark Allow access though tunnel to bob's LAN
permit ip 192.168.20.0 0.0.0.255 192.168.56.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 any
!
control-plane
!
line con 0
exec-timeout 120 0
logging synchronous
line aux 0
line vty 0 4
location Router VTY ports - Locked down to ACL SECURE-VTY
access-class SECURE-VTY in
logging synchronous
transport preferred none
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179870
ntp server 203.109.252.5
ntp server 203.109.252.7
ntp server 203.109.252.32
end
09-01-2011 10:21 PM
Hello Iceman,
The way you connect to the Internet is relevant in this discussion because an additional layer of encapsulation might bring MTU down and cause problems or fragmentation in the further device that connects your outside ethernet to the Internet. How do you connect? Home Fiber, Cable, Metro Ethernet?
ip access-group INTERNET-IN in
ip inspect FIREWALL out
Also the way you applied ip inspect is inconsistent. Are you trying to verify outgoing traffic (like you did here) or incoming?
Keep in mind that the 1721 is over 10-year-old low end hardware. At those speeds with VPN enabled, packet filtering, NAT/PAT enabled and SSH encryption you might be asking too much, especially if you use non-CEF packet switching.
I just replaced a 1751 with a 1921 because my VPN provider went from 3des which can be accelerated in the VPN hardware encryption module to AES256 which had to be encrypted in CPU and I am only running a 7Mbit DSL.
The way to figure out if you are overloading the processor is to try
show proc cpu hist
To verify CEF operations issue
show ip cef switching statistics
and read about it
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_s1.html#wp1122907
Cheers
Fabio
*please rate useful posts
09-03-2011 01:54 PM
Thanks again Fabios,
I connect to the internet via a cable modem supplied by the ISP.
It is about a 15 meg connection.
As you say I run a permanent VPN connection with another site.
I think you are right and I am just asking too much from an old router.
I will look at getting something a bit more powerful that can keep up with my requirements.
Do you have any suggestions on what would be a good router?
So I need something that has 2 fast ethernet ports, can do the Cisco vpn tunnel and basically keep up.
this is just for my home network but I need something that will be fast enough and reliable.
09-03-2011 02:54 PM
Iceman,
Cisco rolled out the new ISRG2 family (1900 2900 3900).
I believe what could be a good router for what it seems you are doing is a 1921 (2 GigabitEthernet 2 HWIC slots) very fast and VPN encryption on board.
You need a SEC license and the router with the security license bundle can be found new for between $1000 and $1400 (you can shop around a bit and maybe you can find it cheaper).
Things to keep in mind with ISRG2:
WIC interfaces are no good (you need the newer HWIC)
Licensing is strict: router has a single image and features are unlocked by loading a crypto key
SMART Net contracts are way way cheaper (1 year on the 1751 was $170 on the 1921 is $70)
I am very happy with mine but I ran into 3 different bugs (NAT/SIP IPS and a critical failure on clearing VPN). TAC has been great in providing a quick fix (custom image) and using my issues to incorporate the improvements in the main releases. So as always, I recommend a service contract for all hardware: it's money well spent and worthy.
Be careful though: the 1921 is the entry model and has some limitation in the backplane so the type and number of fast HWIC might be limited (you cannot cascade 2 4 port Gigabit HWIC switches and a few others).
Cheers
Fabio