
8x7 Config improvements

Hi Again,

After some very constructive comments by Paolo I was wondering if anyone would like to share any comments on how to improve the performance of my routers.  Below is a typical config I use for the 857 and 877 routers I deploy.  I realise it isn't even close to perfect.  But, me being a creature of habit, I have never got around to figuring out why some of the config is slowing the router down so much.  So...

  • I wish to improve overall router performance.
  • I wish to maintain a reasonable level of protection from the outside world.
  • I haven't yet learned how to get rid of the ip inspection.  When I just remove the ip inspect name lines and the ip inspect Inspect_Out out from the di0 int, it stops all traffic flow, even after a reload.  Why is that?
  • Paolo mentioned getting rid of the class map.  Presumably he means the Internet_Inbound ACL.  How do I protect the router from the internet if I ditch that?
  • He also mentioned getting rid of the firewall.  Is this just the inspection firewall, or do I have something else in place I am not even aware of?
  • I have also never figured out how to publish an FTP server through the NAT.  Just putting a "permit tcp any any eq 21" in the inbound ACL and "ip nat source static tcp 192.168.x.x 21 interface dialer0 21" doesn't work.  It allows the connection but no data flow.  So again, I don't know what I am doing wrong.

I greatly appreciate all comments and help.

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
no service dhcp

hostname Users857w

logging count
logging userinfo
logging buffered 52000

aaa new-model

aaa authentication login default local
aaa authorization exec default local

aaa session-id common
clock timezone ESTime 10
clock save interval 8

crypto pki trustpoint TP-self-signed-1114035

crypto pki certificate chain TP-self-signed-1114035

dot11 syslog

dot11 ssid XXXXgoona
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 xxxx

no ip source-route

ip cef
ip inspect name Inspect_Out dns
ip inspect name Inspect_Out ftp
ip inspect name Inspect_Out pptp
ip inspect name Inspect_Out https
ip inspect name Inspect_Out imap
ip inspect name Inspect_Out pop3
ip inspect name Inspect_Out rcmd
ip inspect name Inspect_Out realaudio
ip inspect name Inspect_Out esmtp
ip inspect name Inspect_Out tftp
ip inspect name Inspect_Out tcp router-traffic
ip inspect name Inspect_Out udp router-traffic
ip inspect name Inspect_Out icmp router-traffic
no ip bootp server
ip domain name XXXXgoona.local
ip name-server
ip name-server
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class Allow_Quiet_Mode
login on-failure log
login on-success log

username theuser privilege 15 secret 5 $1$cd4O$lA8

log config

ip ssh version 2

bridge irb

interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto

interface FastEthernet0

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface Dot11Radio0
 no ip address
 encryption mode ciphers tkip
 ssid XXXXgoona
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding

interface Vlan1
 description Ramtech LAN Interface
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled

interface Dialer0
 description Ramtech Westnet
 ip address negotiated
 ip access-group Internet_Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect Inspect_Out out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7 xxxx

interface BVI1
 ip address
 ip nat inside
 ip virtual-reassembly

ip forward-protocol nd
ip route Dialer0

ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source static tcp 192.168.x.x 25 interface Dialer0 25
ip nat source static tcp 192.168.x.x 443 interface Dialer0 443
ip nat source static tcp 192.168.x.x 987 interface Dialer0 987
ip nat source static tcp 192.168.x.x 3389 interface Dialer0 3389
ip nat inside source list Allow_NAT interface Dialer0 overload

ip access-list standard Allow_LAN_Access

ip access-list standard Allow_NAT

ip access-list standard Allow_Quiet_Mode
 remark IPs allowed during quietmode lockdown

ip access-list extended Internet_Inbound
 remark --- Anyone is allowed SMTP to the server
 permit tcp any host 110.142.x.x eq smtp
 permit tcp any host 110.142.x.x eq 443 log
 permit tcp any host 110.142.x.x eq 987 log
 permit tcp any host 110.142.x.x eq 1723 log
 permit gre any any log
 permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
 permit tcp host 202.173.x.x host 110.142.x.x eq 3389

logging trap debugging
dialer-list 1 protocol ip permit
no cdp run

bridge 1 route ip
alias exec tl0 terminal length 0
alias exec ps show process cpu
alias exec top show process cpu sort 5m | excl (0.00%  0.00%  0.00%)
alias exec version show version | include image
alias exec uptime show version | include uptime|ROM[^:]|restarted
alias exec hist show process cpu history
alias exec dsl show dsl interface atm0 | include DSL[^:]|dB|Activat|LED|Speed

line con 0
 no modem enable
 transport preferred none
 transport output all
line aux 0
 transport output all
line vty 0 2
 exec-timeout 20 0
 privilege level 15
 transport preferred none
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 privilege level 15
 transport preferred none
 transport input ssh
 transport output all

scheduler max-task-time 5000
sntp server 202.173.x.x
sntp server 128.250.x.x
sntp server 202.72.x.x


Leo Laohoo

Remove inspection.

Thanks for the reply,

As per the original post, when I do that, all NAT traffic stops.  What else do I need to do?

Do I have to change the below line somehow?

ip nat inside source list Allow_NAT interface Dialer0 overload


If you only remove inspection, you will still have the inbound ACL on Dialer0, which will drop most traffic. With inspection, traffic initiated from the inside is let through like this.

If you decide to remove inspection, you need to modify the ACL Internet_Inbound to allow return traffic.

Warm Regards,
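One way to do what the reply describes, dropping CBAC and letting the ACLs on Dialer0 admit the return traffic of inside-initiated sessions themselves: an added example using an IOS reflexive ACL, not config from anyone in this thread. The public address 110.142.x.x and the three sntp servers are the ones already in the posted config; NAME_SERVER_IP is a placeholder for the elided ip name-server address.

```cisco
! Added example: replaces CBAC (ip inspect) with a reflexive ACL on Dialer0.
! Reflexive entries are created from outbound traffic and mirrored inbound,
! so only sessions started from the LAN get their replies through.
!
! 1. Outbound ACL that records each inside-initiated session. NAT runs
!    before the outbound ACL, so the recorded source is the public
!    110.142.x.x address, which is what the inbound ACL sees pre-NAT.
ip access-list extended Internet_Outbound
 permit tcp any any reflect Return_Traffic timeout 300
 permit udp any any reflect Return_Traffic timeout 60
 permit icmp any any reflect Return_Traffic timeout 30
!
! 2. Appended after the existing permit lines of Internet_Inbound.
ip access-list extended Internet_Inbound
 ! Router-originated traffic is not seen by an outbound interface ACL, so
 ! its replies get no reflexive entry and must be permitted explicitly:
 ! SNTP answers from the configured servers and DNS answers for the
 ! router's own resolver (it forwards LAN queries via "ip dns server").
 ! NAME_SERVER_IP is a placeholder for the real name-server address.
 permit udp host 202.173.x.x eq ntp host 110.142.x.x
 permit udp host 128.250.x.x eq ntp host 110.142.x.x
 permit udp host 202.72.x.x eq ntp host 110.142.x.x
 permit udp host NAME_SERVER_IP eq domain host 110.142.x.x
 ! Return packets of sessions opened from the LAN are admitted here.
 evaluate Return_Traffic
 ! Explicit final deny with logging so dropped packets are visible.
 deny ip any any log
!
! 3. Swap inspection for the two ACLs on the WAN interface.
interface Dialer0
 no ip inspect Inspect_Out out
 ip access-group Internet_Inbound in
 ip access-group Internet_Outbound out
!
! 4. The global inspect rule set is now unused.
no ip inspect name Inspect_Out
```

A reflexive ACL mirrors only the single flow it saw, so multi-channel protocols that the ftp entry of Inspect_Out handled (active-mode FTP from the LAN) will not get their data connections through; that is the trade-off for removing inspection.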