ios firewalling on c2620 problem..

Unanswered Question
Feb 3rd, 2002

IOS firewalling on a c2620 router slows down web response time,

but CPU and memory utilization is very low.

It is about 10~15%.

Memory on the c2620 is 64 MB.


Here is some of the configuration.


ip inspect name xxx cuseeme timeout 3600

ip inspect name xxx ftp timeout 3600

ip inspect name xxx http timeout 5000

ip inspect name xxx rcmd timeout 3600

ip inspect name xxx realaudio timeout 3600

ip inspect name xxx smtp timeout 3600

ip inspect name xxx tftp timeout 60

ip inspect name xxx udp timeout 60

ip inspect name xxx tcp timeout 3600

ip audit notify log

ip audit po max-events 100

!

interface fastethernet 0/0

ip address x.x.x.x 255.255.255.0

ip access-group 101 in

ip access-group 102 out

no ip proxy-arp

ip inspect xxx in

speed 10

half-duplex

fair-queue

!

interface serial0/0

no ip address

no ip proxy-arp

encapsulation frame-relay IETF

no ip moute-cache

no fair-queue

clockrate 768000

frame-relay lmi-type ansi

!

interface serial0/0.1 point-to-point

ip address x.x.x.x 255.255.255.252

ip access-group 111 in

service-policy input mark-inbound-http-hacks

no arp frame-relay

frame-relay interface dlci xx

!

interface serial 0/1

no ip address

encapsulation frame-relay IETF

fair-queue 64 256 0

frame-relay lmi-type ansi

!

interface serial 0/1.1 point-to-point

ip address x.x.x.x 255.255.255.252

frame-relay interface dlci xx

!

router ospf 1234

network x.x.x.x 0.0.0.0 area 0

!

ip classless

no ip http server

!

access-list 101 permit tcp 10.10.0.0 0.0.255.255 any

access-list 101 permit udp 10.10.0.0 0.0.255.255 any

access-list 101 permit icmp 10.10.10.0 0.0.255.255 any

access-list 101 permit icmp 1.1.1.0 0.0.0.255 any

access-list 101 deny ip any any


access-list 111 deny ip any any redirect log

access-list 111 deny ip 127.0.0.0 0.255.255.255 any log

access-list 111 deny ip 10.10.10.0 0.0.0.255 any log

access-list 111 deny ip host 0.0.0.0 any

access-list 111 permit ospf any any

access-list 111 permit icmp any any administratively-prohibited

access-list 111 permit icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any packet-too-big

access-list 111 permit icmp any any time-exceeded

access-list 111 permit icmp any any traceroute

access-list 111 permit icmp any any unreachable

access-list 111 permit udp any any

access-list 111 deny ip any any


Anything wrong?

iwan2u Sun, 02/03/2002 - 22:38

access-list 102 is

deny ip any any dscp 1 log

permit ip any any


thanks...

