1720 Router very slow

icemannz01
Level 1

Hi all,

I have just got a Cisco 1720 router and set it up for my internet connection.

I have a cable modem and when running on any previous cheap firewall I could pull about 15 meg download.

Now I can only pull about 9.3 meg download.

But saying that does not really explain it well, as there is a serious lag when I go to a page, even like Google.

Something else that may help: when I go to my Android phone and download updates, it downloads them one at a time. Before putting in this router the updates would come in all at once, not one at a time.

The Cisco has an add-in 4 port switch which connects to my network.

I am connecting the cable modem to the built-in FastEthernet0 interface.

I am not that good with Cisco so I may be doing something completely wrong but don't know where to look.

Here are the interface commands I have used on the external FastEthernet0 interface.

If anyone can provide any insight as to why it is slow, your help would be appreciated.

interface FastEthernet0
 ip address x.x.x.x x.x.x.x
 ip access-group INTERNET-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable

Oh, by the way, I have set the duplex and speed settings to auto but it seems to make no difference.


7 Replies

fabios
Level 1

Hi there,

How much is MTU and tcp-mss?

Which one is the interface facing the Internet? You have an ip access-group INTERNET-IN in on FastEthernet0 and then a firewall ip inspect FIREWALL out on the same interface; it seems not correct.

Remove IPS/IDS config and give it a try.

Cheers

Fabio

Hi fabios,

I am not sure what the MTU and tcp-mss are. They will probably be default; I will try to find out.

The interface that is facing the internet is the FastEthernet0.

So should that interface have the firewall ip inspect on it, and the LAN interface have the access-group INTERNET-IN on it?

I don't know what IPS/IDS is?

Iceman,

If FastEthernet0 is facing the Internet, what is your LAN interface?

First rule in configuring a router is IP baselining, i.e. have a working IP-only config.

IPS/IDS is intrusion detection or prevention system, which is Cisco signature-based firewalling.

In your config:

ip access-group INTERNET-IN in
ip inspect FIREWALL out

are filtering features that, based on how you configured the IPS/IDS and the access-list, can create all sorts of problems.

Try baselining an IP config and then add those features.

Back to TCP-MSS: it is the TCP maximum segment size, and MTU is the IP maximum transport unit. They are dependent upon layer 2 connectivity and if misconfigured can break down TCP connectivity altogether or slow it down very much.

Fabio

Hi Fabios,

That actually helped a lot.

I found that if I remove the ip access-group INTERNET-IN in from the FastEthernet0 interface then the pages load a lot faster.

I still get a speed test of 9.5 meg down but the internet pages load at a reasonable speed.

I have posted my config below. If you could be so kind as to have a quick look over it and see if you can see anything out of place or incorrect, it would be appreciated.

Update: my router is a 1721 and it has a 4 port switch installed into the slot in the back.

no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname PhilsCisco
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
no ip source-route
ip cef
!
ip inspect name FIREWALL icmp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL http java-list 99
ip inspect name FIREWALL https
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL sip
ip inspect name FIREWALL sip-tls
!
username admin privilege 15 secret xxx
!
ip ssh rsa keypair-name SSH-KEYS
ip ssh logging events
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-1736130990
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1736130990
 revocation-check none
 rsakeypair TP-self-signed-1736130990
!
crypto pki certificate chain TP-self-signed-1736130990
 certificate self-signed 01 nvram:IOS-Self-Sig#3030.cer
file verify auto
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address xxx
!
crypto ipsec transform-set to-bob-vpn esp-3des esp-md5-hmac
!
crypto map to-bob-vpn 10 ipsec-isakmp
 set peer xxx
 set transform-set to-bob-vpn
 set pfs group2
 match address vpn-bob
!
interface FastEthernet0
 ip address xxx xxx
 ip access-group INTERNET-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 crypto map to-bob-vpn
 no shutdown
 exit
!
interface FastEthernet1
 no shutdown
 exit
!
interface FastEthernet2
 no shutdown
 exit
!
interface FastEthernet3
 no shutdown
 exit
!
interface FastEthernet4
 no shutdown
 exit
!
interface Vlan1
 ip address 192.168.20.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip directed-broadcast
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 xxx
!
ip http server
ip http secure-server
ip nat inside source list GENERAL_PAT interface FastEthernet0 overload
!
ip access-list extended GENERAL_PAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.56.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
ip access-list extended INTERNET-IN
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 224.0.0.0 0.15.255.255 any
 deny   ip any host 255.255.255.255
 permit gre any any
 permit udp any any eq isakmp
 permit esp any any
 permit tcp any any eq 47773
 permit tcp any any eq 47774
 permit tcp any any eq 51500
 permit tcp any any eq 51501
 permit tcp any any eq 51502
 deny   ip any any
!
ip access-list extended SECURE-VTY
 remark Permit devices ssh/telnet access to router
 permit ip 192.168.20.0 0.0.0.255 any
 deny   ip any any log
 remark Permit devices ssh/telnet access to router
!
ip access-list extended vpn-bob
 remark Allow access though tunnel to bob's LAN
 permit ip 192.168.20.0 0.0.0.255 192.168.56.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 any
!
control-plane
!
line con 0
 exec-timeout 120 0
 logging synchronous
line aux 0
line vty 0 4
 location Router VTY ports - Locked down to ACL SECURE-VTY
 access-class SECURE-VTY in
 logging synchronous
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179870
ntp server 203.109.252.5
ntp server 203.109.252.7
ntp server 203.109.252.32
end

Hello Iceman,

The way you connect to the Internet is relevant in this discussion because an additional layer of encapsulation might bring the MTU down and cause problems or fragmentation in the further device that connects your outside Ethernet to the Internet. How do you connect? Home fiber, cable, Metro Ethernet?

ip access-group INTERNET-IN in
ip inspect FIREWALL out

Also, the way you applied ip inspect is inconsistent. Are you trying to verify outgoing traffic (like you did here) or incoming?

Keep in mind that the 1721 is over-10-year-old low-end hardware. At those speeds, with VPN enabled, packet filtering, NAT/PAT enabled and SSH encryption you might be asking too much, especially if you use non-CEF packet switching.

I just replaced a 1751 with a 1921 because my VPN provider went from 3des which can be accelerated in the VPN hardware encryption module to AES256 which had to be encrypted in CPU and I am only running a 7Mbit DSL.

To figure out if you are overloading the processor, try:

show proc cpu hist

To verify CEF operations, issue:

show ip cef switching statistics

and read about it here:

http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_s1.html#wp1122907

Cheers

Fabio

*please rate useful posts
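Fabio's point about an extra encapsulation layer pushing the MTU down, and his earlier note that TCP-MSS and MTU depend on the layer 2 path, can be checked with arithmetic against the posted config (ip tcp adjust-mss 1452 on Vlan1, transform-set esp-3des esp-md5-hmac). This is an added example, not code from the thread; it assumes a 1500-byte MTU on the FastEthernet0 side, IPv4 and TCP headers without options, and IPsec tunnel mode (the default for a crypto map), and it sizes the ESP overhead for 3DES-CBC with HMAC-MD5-96.

```python
import math

# Added example, not from the thread. Assumed: outside MTU 1500, no IP/TCP
# options, IPsec tunnel mode with esp-3des esp-md5-hmac as in the posted config.
IP_HDR = 20
TCP_HDR = 20


def max_mss_plain(mtu):
    """Largest TCP segment that fits one IP packet when no tunnel is in the path."""
    return mtu - IP_HDR - TCP_HDR


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12, outer_ip=IP_HDR):
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel-mode
    encapsulation. Defaults model 3DES-CBC (8-byte block and IV) with
    HMAC-MD5-96 (12-byte ICV): outer IP + SPI/seq (8) + IV + payload padded
    (including the 2 trailer bytes) to the cipher block + ICV."""
    padded = math.ceil((inner_len + 2) / block) * block
    return outer_ip + 8 + iv + padded + icv


def max_mss_through_esp(outer_mtu, **esp):
    """Largest MSS whose full inner packet still fits outer_mtu after ESP,
    i.e. the clamp that avoids fragmenting the encrypted packets."""
    mss = max_mss_plain(outer_mtu)
    while esp_tunnel_size(IP_HDR + TCP_HDR + mss, **esp) > outer_mtu:
        mss -= 1
    return mss


def check_adjust_mss(configured_mss, outer_mtu):
    """Compare an 'ip tcp adjust-mss' value against what the path allows.
    Returns (fits_plain_internet, fits_vpn_path, safe_vpn_mss)."""
    plain_limit = max_mss_plain(outer_mtu)
    vpn_limit = max_mss_through_esp(outer_mtu)
    return (configured_mss <= plain_limit, configured_mss <= vpn_limit, vpn_limit)


if __name__ == "__main__":
    # 1452 is the value in the posted config; 1500 is the assumed outside MTU.
    internet_ok, vpn_ok, safe = check_adjust_mss(1452, 1500)
    print(f"adjust-mss 1452: internet ok={internet_ok}, VPN ok={vpn_ok}, "
          f"largest MSS that avoids ESP fragmentation={safe}")
```

With these assumptions 1452 is fine for plain Internet traffic but any full-size segment to bob's LAN grows past 1500 bytes once encrypted, so the VPN path either fragments or relies on path MTU discovery; a lower clamp on the VPN-bound traffic removes that dependency.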

Thanks again Fabios,

I connect to the internet via a cable modem supplied by the ISP.

It is about a 15 meg connection.

As you say, I run a permanent VPN connection with another site.

I think you are right and I am just asking too much from an old router.

I will look at getting something a bit more powerful that can keep up with my requirements.

Do you have any suggestions on what would be a good router?

So I need something that has 2 Fast Ethernet ports, can do the Cisco VPN tunnel and basically keep up.

This is just for my home network but I need something that will be fast enough and reliable.

Iceman,

Cisco rolled out the new ISR G2 family (1900, 2900, 3900).

I believe what could be a good router for what it seems you are doing is a 1921 (2 GigabitEthernet, 2 HWIC slots): very fast and with VPN encryption on board.

You need a SEC license, and the router with the security license bundle can be found new for between $1000 and $1400 (you can shop around a bit and maybe you can find it cheaper).

Things to keep in mind with ISR G2:

WIC interfaces are no good (you need the newer HWIC).

Licensing is strict: the router has a single image and features are unlocked by loading a crypto key.

SMARTnet contracts are way, way cheaper (1 year on the 1751 was $170, on the 1921 it is $70).

I am very happy with mine but I ran into 3 different bugs (NAT/SIP, IPS and a critical failure on clearing VPN). TAC has been great in providing a quick fix (custom image) and using my issues to incorporate the improvements in the main releases. So as always, I recommend a service contract for all hardware: it's money well spent and worthy.

Be careful though: the 1921 is the entry model and has some limitations in the backplane, so the type and number of fast HWICs might be limited (you cannot cascade two 4-port Gigabit HWIC switches, and a few others).

Cheers

Fabio
