[c-nsp] 2611xm slowed to crawl, ip based filter...
Jeff Johnson
jeff at comfrey.net
Wed Sep 8 02:47:05 EDT 2004
Hey all,
Below is an excerpt from my config on a 2611xm. I set this up last
Friday night and foolishly walked away. Upon checking in the next day
I found that the network had slowed to a crawl and I could not even
connect via SSH; the connections would time out.
Is this ACL processor bound, or is there some fundamental flaw in its
design?
I am new to Cisco-based firewalls, so please go easy on me.
The following section was generated by ConfigMaker.
I appreciate the help,
-Jeff
!
interface Ethernet 0/0
no shutdown
description connected to EthernetLAN
ip address X.X.X.190 255.255.255.192
ip access-group 100 in
keepalive 10
!
interface Ethernet 0/1
no shutdown
description connected to Internet
ip address X.X.X.205 255.255.255.252
ip access-group 101 in
keepalive 10
!
!
! Access Control List 101
!
no access-list 101
access-list 101 deny ip X.X.X.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host X.X.X.131 eq www
access-list 101 permit tcp any host X.X.X.131 eq 443
access-list 101 permit tcp any host X.X.X.131 eq 143
access-list 101 permit icmp any host X.X.X.131
access-list 101 permit tcp any host X.X.X.131 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.131 eq pop3
access-list 101 deny ip any host X.X.X.131
access-list 101 permit tcp any host X.X.X.150 eq 22
access-list 101 permit tcp any host X.X.X.150 eq 443
access-list 101 permit icmp any host X.X.X.150
access-list 101 permit tcp any host X.X.X.150 eq www
access-list 101 deny ip any host X.X.X.150
access-list 101 permit tcp any host X.X.X.150 range ftp-data ftp
access-list 101 permit udp any host X.X.X.129 eq domain
access-list 101 deny ip any host X.X.X.129
access-list 101 deny ip any host X.X.X.148
access-list 101 permit tcp any host X.X.X.148 eq 22
access-list 101 permit tcp any host X.X.X.148 eq smtp
access-list 101 permit icmp any host X.X.X.148
access-list 101 permit tcp any host X.X.X.148 eq www
access-list 101 permit tcp any host X.X.X.148 eq 443
access-list 101 deny ip any host X.X.X.141
access-list 101 permit tcp any host X.X.X.130 range ftp-data ftp
access-list 101 permit icmp any host X.X.X.130
access-list 101 permit tcp any host X.X.X.130 eq 443
access-list 101 permit tcp any host X.X.X.130 eq www
access-list 101 permit tcp any host X.X.X.130 eq 143
access-list 101 permit tcp any host X.X.X.130 eq pop3
access-list 101 deny ip any host X.X.X.130
access-list 101 permit tcp any host X.X.X.132 eq 143
access-list 101 permit tcp any host X.X.X.132 eq pop3
access-list 101 permit icmp any host X.X.X.132
access-list 101 permit tcp any host X.X.X.132 eq 443
access-list 101 permit tcp any host X.X.X.132 eq www
access-list 101 permit tcp any host X.X.X.132 range ftp-data ftp
access-list 101 deny ip any host X.X.X.132
access-list 101 permit tcp any host X.X.X.133 eq www
access-list 101 permit tcp any host X.X.X.133 range ftp-data ftp
access-list 101 permit icmp any host X.X.X.133
access-list 101 permit tcp any host X.X.X.133 eq pop3
access-list 101 permit tcp any host X.X.X.133 eq 143
access-list 101 permit tcp any host X.X.X.133 eq 443
access-list 101 deny ip any host X.X.X.133
access-list 101 permit icmp any host X.X.X.134
access-list 101 permit tcp any host X.X.X.134 eq www
access-list 101 permit tcp any host X.X.X.134 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.134 eq pop3
access-list 101 permit tcp any host X.X.X.134 eq 443
access-list 101 permit tcp any host X.X.X.134 eq 143
access-list 101 deny ip any host X.X.X.134
access-list 101 permit icmp any host X.X.X.136
access-list 101 permit tcp any host X.X.X.136 eq 143
access-list 101 permit tcp any host X.X.X.136 eq pop3
access-list 101 permit tcp any host X.X.X.136 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.136 eq www
access-list 101 permit tcp any host X.X.X.136 eq 443
access-list 101 deny ip any host X.X.X.136
access-list 101 permit tcp any host X.X.X.135 eq pop3
access-list 101 permit tcp any host X.X.X.135 eq 443
access-list 101 permit tcp any host X.X.X.135 eq 143
access-list 101 permit tcp any host X.X.X.135 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.135 eq www
access-list 101 permit icmp any host X.X.X.135
access-list 101 deny ip any host X.X.X.135
access-list 101 permit tcp any host X.X.X.137 eq 443
access-list 101 permit tcp any host X.X.X.137 eq pop3
access-list 101 deny ip any host X.X.X.137
access-list 101 permit icmp any host X.X.X.137
access-list 101 permit tcp any host X.X.X.137 eq 143
access-list 101 permit tcp any host X.X.X.137 eq www
access-list 101 permit tcp any host X.X.X.137 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.138 eq 143
access-list 101 permit icmp any host X.X.X.138
access-list 101 permit tcp any host X.X.X.138 eq 443
access-list 101 permit tcp any host X.X.X.138 eq pop3
access-list 101 permit tcp any host X.X.X.138 eq www
access-list 101 permit tcp any host X.X.X.138 range ftp-data ftp
access-list 101 deny ip any host X.X.X.138
access-list 101 permit tcp any host X.X.X.147 eq pop3
access-list 101 permit icmp any host X.X.X.147
access-list 101 permit tcp any host X.X.X.147 eq 443
access-list 101 permit tcp any host X.X.X.147 eq www
access-list 101 permit tcp any host X.X.X.147 eq 143
access-list 101 deny ip any host X.X.X.147
access-list 101 permit tcp any host X.X.X.147 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.143 eq 443
access-list 101 permit tcp any host X.X.X.143 eq www
access-list 101 permit tcp any host X.X.X.143 range ftp-data ftp
access-list 101 permit icmp any host X.X.X.143
access-list 101 permit tcp any host X.X.X.143 eq 22
access-list 101 deny ip any host X.X.X.143
access-list 101 permit tcp any X.X.X.128 0.0.0.63 eq 443
access-list 101 permit tcp any X.X.X.128 0.0.0.63 range ftp-data ftp
access-list 101 permit icmp any X.X.X.128 0.0.0.63
access-list 101 permit tcp any X.X.X.128 0.0.0.63 eq www
!
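One check a reviewer would run on an extended ACL like the one above, before looking at CPU load, is for ordering mistakes: IOS evaluates an access-list top to bottom and stops at the first match, so a `deny ip any host X` placed before `permit tcp any host X ...` silently makes those permits unreachable. The posted list has several such pairs (the FTP permit for .150, the SSH and SMTP permits for .148, the ICMP/IMAP/WWW/FTP permits for .137). The script below is an added example, not part of the original post or of any Cisco tool; it parses the `access-list` text, models each entry as a match set (protocol, source, destination, port ranges, `established`), and reports entries fully covered by an earlier one. The sample uses the RFC 5737 documentation prefix 192.0.2 as a constructed stand-in for the redacted X.X.X addresses and contains only a subset of the posted entries. It handles contiguous wildcard masks and the `eq`, `range`, `gt` and `lt` port forms; it does not model `neq`, `log`, or partial overlaps.

```python
"""Shadowed-entry check for Cisco IOS extended access-list text (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the posted ACL with X.X.X replaced by 192.0.2.
SAMPLE_ACL = """
access-list 101 deny ip 192.0.2.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 192.0.2.150 eq 22
access-list 101 permit tcp any host 192.0.2.150 eq 443
access-list 101 permit icmp any host 192.0.2.150
access-list 101 permit tcp any host 192.0.2.150 eq www
access-list 101 deny ip any host 192.0.2.150
access-list 101 permit tcp any host 192.0.2.150 range ftp-data ftp
access-list 101 deny ip any host 192.0.2.148
access-list 101 permit tcp any host 192.0.2.148 eq 22
access-list 101 permit tcp any host 192.0.2.148 eq smtp
access-list 101 permit udp any host 192.0.2.129 eq domain
access-list 101 deny ip any host 192.0.2.129
access-list 101 permit tcp any 192.0.2.128 0.0.0.63 eq 443
"""

# IOS port keywords that appear in the posted list (plus a few common ones).
NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "pop3": 110, "smtp": 25,
               "domain": 53, "telnet": 23, "ssh": 22}
PortRange = Tuple[int, int]


@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[PortRange]      # None means "any port"
    dst: ipaddress.IPv4Network
    dport: Optional[PortRange]
    established: bool
    text: str


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _addr(t: List[str], i: int):
    """Parse one address spec at t[i] (any | host A | A WILDCARD); return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard {t[i + 1]} not supported")
    prefix = 32 - wild.bit_length()       # 0.0.0.63 -> /26
    return ipaddress.ip_network(f"{t[i]}/{prefix}", strict=False), i + 2


def _ports(t: List[str], i: int):
    """Parse an optional port qualifier at t[i]; return (inclusive range or None, next i)."""
    if i >= len(t):
        return None, i
    op = t[i]
    if op == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if op == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    if op == "gt":
        return (_port(t[i + 1]) + 1, 65535), i + 2
    if op == "lt":
        return (0, _port(t[i + 1]) - 1), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue                      # skips "no access-list ...", comments, blanks
        src, i = _addr(t, 4)
        sport, i = _ports(t, i)
        dst, i = _addr(t, i)
        dport, i = _ports(t, i)
        aces.append(Ace(n, t[2], t[3], src, sport, dst, dport,
                        "established" in t[i:], raw.strip()))
    return aces


def _range_covers(outer: Optional[PortRange], inner: Optional[PortRange]) -> bool:
    if outer is None:
        return True                       # any port covers everything
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that entry b would match is already matched by earlier entry a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and _range_covers(a.sport, b.sport) and _range_covers(a.dport, b.dport)
            and (not a.established or b.established))


def shadowed(aces: List[Ace]) -> List[Tuple[Ace, Ace]]:
    """Return (unreachable entry, earlier entry that hides it) pairs in list order."""
    out = []
    for i, b in enumerate(aces):
        for a in aces[:i]:
            if covers(a, b):
                out.append((b, a))
                break
    return out


if __name__ == "__main__":
    for b, a in shadowed(parse_acl(SAMPLE_ACL)):
        print(f"line {b.line} never matches: '{b.text}' is hidden by line {a.line}: '{a.text}'")
```

Run against the sample, the report names the FTP permit for .150 (hidden by the preceding `deny ip any host .150`) and the SSH and SMTP permits for .148 (hidden by the `deny ip any host .148` that ConfigMaker emitted ahead of them). Those hosts are simply unreachable on those ports rather than slow, so this check explains part of the symptom but says nothing about CPU load; the per-packet cost of a long, sequentially evaluated list is a separate question for `show processes cpu` and `show ip access-lists` hit counts.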