nat cbac configuration using IOS firewall.

I am using a 2621 running 12.1(5) and just set up NAT and CBAC on the router. The connection to the internet is very slow now and some pages will not open. What can I do to alleviate this problem? I am using the following config.

ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
 ip nat inside
 ip inspect ethernetin in
!
interface Ethernet1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 ip address 150.150.150.1 255.255.255.0
 ip access-group 112 in
 no ip directed-broadcast
 ip nat outside
 clockrate 4000000
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip nat pool serialzero 150.150.150.3 150.150.150.255 netmask 255.255.255.0
ip nat inside source list 1 pool serialzero
ip classless
ip route 0.0.0.0 0.0.0.0 150.150.150.2
ip route 20.30.30.0 255.255.255.0 20.20.20.1
!
access-list 1 permit 20.0.0.0 0.255.255.255
access-list 101 permit tcp 20.0.0.0 0.255.255.255 any
access-list 101 permit udp 20.0.0.0 0.255.255.255 any
access-list 101 permit icmp 20.0.0.0 0.255.255.255 any
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any

1 REPLY

Re: nat cbac configuration using IOS firewall.

Hi,

Try removing the following line from the config:

ip inspect name ethernetin http timeout 3600

This is a very CPU intensive process and does not do what most people think it does. It is used to filter java packets as they cross the router. In current times, this is probably not needed and most people can remove it.

You may also want to upgrade to later 12.2T code or 12.3 if at all possible to pick up some performance improvements that were added. Hope this helps.

Scott
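As an added example (not from this thread, the poster, or Cisco), a small Python check that parses a CBAC configuration like the one posted above, reports which interfaces apply a rule set that still contains the CPU-heavy http inspection entry the reply recommends removing, and emits the config with that line dropped. SAMPLE_CONFIG is a constructed excerpt of the posted config, and the IOS rule/apply syntax is matched as the page shows it.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config posted in the question, trimmed to the
# lines this check reads (interface sub-commands indented as IOS prints them).
SAMPLE_CONFIG = """\
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin udp timeout 15
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 ip nat inside
 ip inspect ethernetin in
!
"""

# "ip inspect name <rule> <protocol> [timeout <secs>]" defines one inspection entry.
INSPECT_RULE = re.compile(r"^ip inspect name (\S+) (\S+)(?: timeout (\d+))?$")
# "ip inspect <rule> in|out" under an interface applies the whole rule set there.
INSPECT_APPLY = re.compile(r"^\s*ip inspect (\S+) (in|out)$")

def parse_cbac(config):
    """Return ({rule: {protocol: timeout_or_None}}, [(interface, rule, direction)])."""
    rules, applied, iface = defaultdict(dict), [], None
    for line in (l.rstrip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "!":
            iface = None          # '!' closes an interface section in IOS output
        elif (m := INSPECT_RULE.match(line)):
            name, proto, timeout = m.groups()
            rules[name][proto] = int(timeout) if timeout else None
        elif (m := INSPECT_APPLY.match(line)) and iface:
            applied.append((iface, m.group(1), m.group(2)))
    return dict(rules), applied

def http_inspection_findings(config):
    """Interfaces applying a rule that still carries the 'http' (Java filtering) entry."""
    rules, applied = parse_cbac(config)
    return [(iface, d, r) for iface, r, d in applied if "http" in rules.get(r, {})]

def drop_http_inspection(config):
    """Config with every 'ip inspect name <rule> http ...' line removed; the
    generic 'tcp' entry still tracks port-80 sessions, only Java filtering is lost."""
    return "\n".join(l for l in config.splitlines()
                     if not re.match(r"^ip inspect name \S+ http\b", l)) + "\n"
```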
