02-03-2002 10:29 PM - edited 03-08-2019 09:44 PM
IOS firewalling on a c2620 router slows down web response time,
but CPU and memory utilization is very low.
It is about 10~15%.
Memory on the c2620 is 64 MB.
Here is some of the configuration.
ip inspect name xxx cuseeme timeout 3600
ip inspect name xxx ftp timeout 3600
ip inspect name xxx http timeout 5000
ip inspect name xxx rcmd timeout 3600
ip inspect name xxx realaudio timeout 3600
ip inspect name xxx smtp timeout 3600
ip inspect name xxx tftp timeout 60
ip inspect name xxx udp timeout 60
ip inspect name xxx tcp timeout 3600
ip audit notify log
ip audit po max-events 100
!
interface fastethernet 0/0
ip address x.x.x.x 255.255.255.0
ip access-group 101 in
ip access-group 102 out
no ip proxy-arp
ip inspect xxx in
speed 10
half-duplex
fair-queue
!
interface serial0/0
no ip address
no ip proxy-arp
encapsulation frame-relay IETF
no ip route-cache
no fair-queue
clockrate 768000
frame-relay lmi-type ansi
!
interface serial0/0.1 point-to-point
ip address x.x.x.x 255.255.255.252
ip access-group 111 in
service-policy input mark-inbound-http-hacks
no arp frame-relay
frame-relay interface dlci xx
!
interface serial 0/1
no ip address
encapsulation frame-relay IETF
fair-queue 64 256 0
frame-relay lmi-type ansi
!
interface serial 0/1.1 point-to-point
ip address x.x.x.x 255.255.255.252
frame-relay interface dlci xx
!
router ospf 1234
network x.x.x.x 0.0.0.0 area 0
!
ip classless
no ip http server
!
access-list 101 permit tcp 10.10.0.0 0.0.255.255 any
access-list 101 permit udp 10.10.0.0 0.0.255.255 any
access-list 101 permit icmp 10.10.10.0 0.0.255.255 any
access-list 101 permit icmp 1.1.1.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 111 deny ip any any redirect log
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.10.10.0 0.0.0.255 any log
access-list 111 deny ip host 0.0.0.0 any
access-list 111 permit ospf any any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any any
access-list 111 deny ip any any
Anything wrong??
02-03-2002 10:38 PM
access-list 102 is
deny ip any any dscp 1 log
permit ip any any
Thanks...