[c-nsp] 2611xm slowed to crawl, ip based filter...
Jeff Johnson
jeff at comfrey.net
Wed Sep 8 19:39:14 EDT 2004
So I have modified per the suggestions of everyone. Everything looks
good; the one bizarro issue that I am uncertain of is when I turn on the
firewall rules my outgoing mail server is unable to resolve some domain
names, which I am having trouble making sense of because our
primary name server is inside the firewall. I am able to dig the names
fine. I might chalk it up to a fluke and try again, but just for kicks
I will float out my config one more time.
I haven't run Nessus with the changes, and I think this will be the true
test.
Thanks again for all of the help.
-Jeff
Current configuration : 1512 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname foo
!
enable secret 5 XXXXX
enable password 7 XXXXX
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
!
!
!
interface Null0
!
interface FastEthernet0/0
description inside
ip address X.X.X.190 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/1
description outside
ip address X.X.X.205 255.255.255.252
ip access-group 101 in
ip route-cache flow
speed 100
full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.206
no ip http server
ip pim bidir-enable
!
!
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip X.X.X.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit icmp any any
access-list 101 permit tcp any any range ftp-data ftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any host X.X.X.129 eq domain
access-list 101 permit tcp any host X.X.X.129 eq domain
access-list 101 permit tcp any host X.X.X.148 eq smtp
!
line con 0
line aux 0
line vty 0 4
password 7 XXXXXXXX
login
!
!
end
On Sep 8, 2004, at 1:30 PM, Rodney Dunn wrote:
> You should just do:
>
> ip route 0.0.0.0 0.0.0.0 <nexthopip>
> no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
>
>
> To make it safe do it this way:
>
> a) save the config as is
> b) reload in 2 /* that will reload in 2 minutes*/
> c) make change
> d) if you are still in after the change do "reload cancel"
> e) if not, it will reload in 2 minutes on its own and come
> back up with the old config.
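Added example (not code from the post or from Cisco): a small Python model of how IOS evaluates the posted access-list 101 inbound on the outside interface, run over a handful of constructed packets. It shows the mechanism behind the DNS symptom described above: `established` matches only TCP segments with ACK or RST set, so the return half of a TCP session from inside is permitted, but a UDP answer from an external authoritative server to the internal resolver arrives with destination port 53 only on the query, not on the reply, whose destination is the resolver's ephemeral port, and nothing in the list permits that, so it hits the implicit deny. The 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are stand-ins for the X.X.X.* placeholders in the config and are constructed, not the poster's real addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the X.X.X.* placeholders in the posted config
# (RFC 5737 documentation ranges); not the real addresses.
INSIDE_NET = "192.0.2.128/26"   # inside subnet: Fa0/0 is X.X.X.190/26, wildcard 0.0.0.63
NS = "192.0.2.129"              # X.X.X.129, the internal name server
MX = "192.0.2.148"              # X.X.X.148, the outgoing mail server


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False    # TCP only: ACK or RST flag set


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an IOS extended ACL."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # CIDR or "any"
    dst: str
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    established: bool = False   # 'established' keyword: TCP with ACK or RST set


def _in(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network("0.0.0.0/0" if net == "any" else net)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in(ace.src, pkt.src) and _in(ace.dst, pkt.dst)):
        return False
    if ace.dports is not None and not (ace.dports[0] <= pkt.dport <= ace.dports[1]):
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First match wins; a packet matching no ACE hits the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# access-list 101 from the post, transcribed entry by entry
# (www=80, pop3=110, ftp-data/ftp=20-21, domain=53, smtp=25).
ACL_101 = [
    Ace("deny", "ip", "0.0.0.0/32", "any"),
    Ace("deny", "ip", INSIDE_NET, "any"),            # inside prefix arriving from outside
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "tcp", "any", "any", (22, 22)),
    Ace("permit", "tcp", "any", "any", (80, 80)),
    Ace("permit", "tcp", "any", "any", (443, 443)),
    Ace("permit", "tcp", "any", "any", (143, 143)),
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "tcp", "any", "any", (20, 21)),
    Ace("permit", "tcp", "any", "any", (110, 110)),
    Ace("permit", "udp", "any", NS, (53, 53)),
    Ace("permit", "tcp", "any", NS, (53, 53)),
    Ace("permit", "tcp", "any", MX, (25, 25)),
]

# Constructed inbound packets as seen on the outside interface.
SAMPLES: Dict[str, Packet] = {
    # external client queries the internal name server directly
    "query_to_ns": Packet("udp", "198.51.100.7", NS, sport=40000, dport=53),
    # external authoritative server answers a recursive lookup the NS made
    "reply_to_ns": Packet("udp", "198.51.100.53", NS, sport=53, dport=34567),
    # inbound mail to the MX
    "smtp_to_mx": Packet("tcp", "198.51.100.7", MX, sport=51000, dport=25),
    # return half of an HTTPS session opened from inside (ACK set)
    "web_reply": Packet("tcp", "203.0.113.80", "192.0.2.140", 443, 52000, ack_or_rst=True),
    # packet arriving from outside with an inside source address
    "spoofed": Packet("tcp", "192.0.2.150", MX, sport=1234, dport=25),
}


def classify_samples() -> Dict[str, str]:
    """Verdict of access-list 101 for each constructed sample packet."""
    return {name: evaluate(ACL_101, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} {verdict}")
```

The run shows `reply_to_ns` as the only legitimate flow that is denied: the resolver's outbound queries leave freely (no ACL on the inside interface), but the UDP answers come back to a high port and no entry matches them, so any name the internal server cannot answer from cache fails, while names it is authoritative for still resolve. Truncated answers retried over TCP are covered by `established`, which is why the failure looks intermittent. A stateless list has no UDP equivalent of `established`; the usual IOS remedies are a stateful mechanism (reflexive access lists, or CBAC `ip inspect` where the feature set has it) or, failing that, a deliberately narrow entry that admits answers only to the resolver, such as `permit udp any eq domain host X.X.X.129 gt 1023`.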