[c-nsp] 2611xm slowed to crawl, ip based filter...
Church, Chuck
cchurch at netcogov.com
Wed Sep 8 11:02:33 EDT 2004
Jeff,
Something doesn't seem right. If it's a 2611XM, doesn't it have
fast ethernet interfaces? What router do these interface configs belong
to?
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Johnson
Sent: Wednesday, September 08, 2004 2:47 AM
To: Cisco-nsp
Subject: [c-nsp] 2611xm slowed to crawl, ip based filter...
Hey all,
Below is an excerpt from my config on a 2611xm. I set this up last
Friday night and foolishly walked away. Upon checking in the next day
I found that the network had slowed to a crawl and I could not even
connect via ssh. The connections would time out.
Is this acl processor bound or is there some fundamental flaw in its
design?
I am new to Cisco based firewalls, so please go easy on me.
The following section was generated by configmaker.
I appreciate the help,
-Jeff
!
interface Ethernet 0/0
no shutdown
description connected to EthernetLAN
ip address X.X.X.190 255.255.255.192
ip access-group 100 in
keepalive 10
!
interface Ethernet 0/1
no shutdown
description connected to Internet
ip address X.X.X.205 255.255.255.252
ip access-group 101 in
keepalive 10
!
!
! Access Control List 101
!
no access-list 101
access-list 101 deny ip X.X.X.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host X.X.X.131 eq www
access-list 101 permit tcp any host X.X.X.131 eq 443
access-list 101 permit tcp any host X.X.X.131 eq 143
access-list 101 permit icmp any host X.X.X.131
access-list 101 permit tcp any host X.X.X.131 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.131 eq pop3
access-list 101 deny ip any host X.X.X.131
access-list 101 permit tcp any host X.X.X.150 eq 22
access-list 101 permit tcp any host X.X.X.150 eq 443
access-list 101 permit icmp any host X.X.X.150
access-list 101 permit tcp any host X.X.X.150 eq www
access-list 101 deny ip any host X.X.X.150
access-list 101 permit tcp any host X.X.X.150 range ftp-data ftp
access-list 101 permit udp any host X.X.X.129 eq domain
access-list 101 deny ip any host X.X.X.129
access-list 101 deny ip any host X.X.X.148
access-list 101 permit tcp any host X.X.X.148 eq 22
access-list 101 permit tcp any host X.X.X.148 eq smtp
access-list 101 permit icmp any host X.X.X.148
access-list 101 permit tcp any host X.X.X.148 eq www
access-list 101 permit tcp any host X.X.X.148 eq 443
access-list 101 deny ip any host X.X.X.141
access-list 101 permit tcp any host X.X.X.130 range ftp-data ftp
access-list 101 permit icmp any host X.X.X.130
access-list 101 permit tcp any host X.X.X.130 eq 443
access-list 101 permit tcp any host X.X.X.130 eq www
access-list 101 permit tcp any host X.X.X.130 eq 143
access-list 101 permit tcp any host X.X.X.130 eq pop3
access-list 101 deny ip any host X.X.X.130
access-list 101 permit tcp any host X.X.X.132 eq 143
access-list 101 permit tcp any host X.X.X.132 eq pop3
access-list 101 permit icmp any host X.X.X.132
access-list 101 permit tcp any host X.X.X.132 eq 443
access-list 101 permit tcp any host X.X.X.132 eq www
access-list 101 permit tcp any host X.X.X.132 range ftp-data ftp
access-list 101 deny ip any host X.X.X.132
access-list 101 permit tcp any host X.X.X.133 eq www
access-list 101 permit tcp any host X.X.X.133 range ftp-data ftp
access-list 101 permit icmp any host X.X.X.133
access-list 101 permit tcp any host X.X.X.133 eq pop3
access-list 101 permit tcp any host X.X.X.133 eq 143
access-list 101 permit tcp any host X.X.X.133 eq 443
access-list 101 deny ip any host X.X.X.133
access-list 101 permit icmp any host X.X.X.134
access-list 101 permit tcp any host X.X.X.134 eq www
access-list 101 permit tcp any host X.X.X.134 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.134 eq pop3
access-list 101 permit tcp any host X.X.X.134 eq 443
access-list 101 permit tcp any host X.X.X.134 eq 143
access-list 101 deny ip any host X.X.X.134
access-list 101 permit icmp any host X.X.X.136
access-list 101 permit tcp any host X.X.X.136 eq 143
access-list 101 permit tcp any host X.X.X.136 eq pop3
access-list 101 permit tcp any host X.X.X.136 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.136 eq www
access-list 101 permit tcp any host X.X.X.136 eq 443
access-list 101 deny ip any host X.X.X.136
access-list 101 permit tcp any host X.X.X.135 eq pop3
access-list 101 permit tcp any host X.X.X.135 eq 443
access-list 101 permit tcp any host X.X.X.135 eq 143
access-list 101 permit tcp any host X.X.X.135 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.135 eq www
access-list 101 permit icmp any host X.X.X.135
access-list 101 deny ip any host X.X.X.135
access-list 101 permit tcp any host X.X.X.137 eq 443
access-list 101 permit tcp any host X.X.X.137 eq pop3
access-list 101 deny ip any host X.X.X.137
access-list 101 permit icmp any host X.X.X.137
access-list 101 permit tcp any host X.X.X.137 eq 143
access-list 101 permit tcp any host X.X.X.137 eq www
access-list 101 permit tcp any host X.X.X.137 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.138 eq 143
access-list 101 permit icmp any host X.X.X.138
access-list 101 permit tcp any host X.X.X.138 eq 443
access-list 101 permit tcp any host X.X.X.138 eq pop3
access-list 101 permit tcp any host X.X.X.138 eq www
access-list 101 permit tcp any host X.X.X.138 range ftp-data ftp
access-list 101 deny ip any host X.X.X.138
access-list 101 permit tcp any host X.X.X.147 eq pop3
access-list 101 permit icmp any host X.X.X.147
access-list 101 permit tcp any host X.X.X.147 eq 443
access-list 101 permit tcp any host X.X.X.147 eq www
access-list 101 permit tcp any host X.X.X.147 eq 143
access-list 101 deny ip any host X.X.X.147
access-list 101 permit tcp any host X.X.X.147 range ftp-data ftp
access-list 101 permit tcp any host X.X.X.143 eq 443
access-list 101 permit tcp any host X.X.X.143 eq www
access-list 101 permit tcp any host X.X.X.143 range ftp-data ftp
access-list 101 permit icmp any host X.X.X.143
access-list 101 permit tcp any host X.X.X.143 eq 22
access-list 101 deny ip any host X.X.X.143
access-list 101 permit tcp any X.X.X.128 0.0.0.63 eq 443
access-list 101 permit tcp any X.X.X.128 0.0.0.63 range ftp-data ftp
access-list 101 permit icmp any X.X.X.128 0.0.0.63
access-list 101 permit tcp any X.X.X.128 0.0.0.63 eq www
!
----------------------------------------------------------------------------
NOTE: As of 8/1/2004 my email address has changed to cchurch at netcogov.com
----------------------------------------------------------------------------
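
Added example, not part of the original thread or of either poster's message: IOS evaluates an access list top-down and stops at the first matching entry, so in the posted ACL 101 a permit that follows "deny ip any host ..." for the same host (the X.X.X.148 entries, for instance) can never match. The Python sketch below finds such shadowed entries; it handles only the entry forms that appear in the posted config, and the sample ACL with 192.0.2.x addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of the posted ACL 101. The 192.0.2.x
# addresses are placeholders, not values from the thread.
SAMPLE_ACL = """\
access-list 101 permit tcp any any established
access-list 101 deny ip any host 192.0.2.150
access-list 101 permit tcp any host 192.0.2.150 range ftp-data ftp
access-list 101 deny ip any host 192.0.2.148
access-list 101 permit tcp any host 192.0.2.148 eq 22
access-list 101 permit tcp any 192.0.2.128 0.0.0.63 eq 443
"""

def take_addr(tok):  # consume one address spec, return (address, wildcard) as ints
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(line):
    tok = line.split()[2:]  # drop "access-list <number>"
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "tail": tuple(tok), "text": line.strip()}

def addr_covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    (a_ip, a_wild), (b_ip, b_wild) = a, b
    care = ~a_wild & 0xFFFFFFFF  # bits that spec a actually compares
    return (b_wild & care) == 0 and ((a_ip ^ b_ip) & care) == 0

def covers(a, b):  # entry a matches every packet entry b would match
    return (a["proto"] in ("ip", b["proto"]) and a["tail"] in ((), b["tail"])
            and addr_covers(a["src"], b["src"]) and addr_covers(a["dst"], b["dst"]))

def shadowed(acl_text):
    """Return (unreachable entry, earlier covering entry) pairs, first match wins."""
    entries = [parse(l) for l in acl_text.splitlines() if l.startswith("access-list")]
    pairs = ((later, next((e for e in entries[:j] if covers(e, later)), None))
             for j, later in enumerate(entries))
    return [(later["text"], e["text"]) for later, e in pairs if e]

if __name__ == "__main__":
    for later, earlier in shadowed(SAMPLE_ACL):
        print(f"never matched: {later}\n   shadowed by: {earlier}")
```

An entry carrying a qualifier such as "established" or a port match is treated as covering only entries with the identical qualifier, so the check under-reports rather than over-reports.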