CBAC - Inspect vs Old school reflexive acl

From: Han Solo (emaillists@me.com)
Date: Thu Feb 05 2009 - 17:40:54 ARST


I have been playing with my home Comcast 6 Mbit/sec home net. I
replaced the SOHO firewall with a Cisco 2851 to be able to play with
NBAR matching more frequently, to learn all that c/s header stuff. And
boy, I got bit by that technology recently somewhere ;) ... My worst
problem home user (wifey) complains that with the CBAC setup,
basically configured as follows, it is very slow. I have played with
various timer settings etc., but it is indeed slowing down the internet
browsing experience. So I have been playing with the old-fashioned
reflexive ACLs, and boy, that really fixes things: wife stops
complaining and I get dinner again. Wonder if anyone else has seen
this? Also, here is a funny output from "show ip access-list internet",
which is the reflected ACL when VPN'd out. Note the "non500-isakmp";
funny it puts that in there vs. the port it is using like the other
entries ....

      permit udp host 171.70.100.8 eq non500-isakmp host 24.16.24.200 eq 64838 (6129 matches) (time left 292)
      ----> Reflexive ACL automatically created when VPN'd from inside to outside with the Cisco VPN solution

interface GigabitEthernet0/0
  description UNTRUSTED OUTSIDE INTERFACE TO COMCAST
  ip address dhcp
  ! the inspect rule is applied by name and direction; "internet" is
  ! the rule defined below
  ip inspect internet out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  ip route-cache flow
  load-interval 30
  duplex auto
  speed auto
  no mop enabled
end

ip inspect log drop-pkt
ip inspect audit-trail
ip inspect max-incomplete low 2
ip inspect max-incomplete high 7
ip inspect one-minute low 2
ip inspect one-minute high 5
ip inspect udp idle-time 1
ip inspect name internet tcp
ip inspect name internet udp

Han Solo
May the force be with you

Blogs and organic groups at http://www.ccie.net
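An added worked configuration, not from the original post, showing the two approaches side by side: the CBAC setup with its half-open session thresholds returned to the IOS defaults, and the reflexive-ACL alternative the poster switched to. The posted values (max-incomplete high 7 / low 2, one-minute high 5 / low 2, UDP idle time 1 second) are far below the defaults of 500/400, 500/400 and 30 seconds, so the inspect engine starts deleting half-open sessions after a handful of parallel browser connections, which is worth checking before blaming CBAC itself. The outside interface name and the list name "internet" come from the post; the inside network 192.168.1.0/24, the ACL names and the timeouts are assumptions. On the "funny" output: non500-isakmp is simply IOS's port keyword for UDP 4500 (IPsec NAT-T), printed the same way it prints bootps for 67; the reflected entry is the VPN peer's port 4500 answering the router's translated port 64838.

```cisco
! Added example (not the poster's config). Assumes the inside LAN is
! 192.168.1.0/24 behind NAT and the outside is GigabitEthernet0/0 as in
! the post. ACL names, timeouts and the inside network are assumptions.
!
! ---- Option A: CBAC, with the posted thresholds reverted to IOS defaults ----
! "max-incomplete high 7 / low 2" means: start deleting half-open sessions
! once 7 exist, stop at 2. "one-minute high 5" treats more than 5 new
! sessions per minute as an attack. Defaults are 500/400 for both and a
! 30-second UDP idle time.
no ip inspect max-incomplete high
no ip inspect max-incomplete low
no ip inspect one-minute high
no ip inspect one-minute low
no ip inspect udp idle-time
ip inspect name internet tcp
ip inspect name internet udp
ip inspect name internet icmp
!
! Inbound ACL on the outside interface. CBAC inserts the return-traffic
! openings dynamically, so the only static hole is the DHCP lease that
! "ip address dhcp" needs.
ip access-list extended OUTSIDE-IN
 permit udp any eq bootps any eq bootpc
 deny ip any any log
!
interface GigabitEthernet0/0
 description UNTRUSTED OUTSIDE INTERFACE TO COMCAST
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip inspect internet out
 ip access-group OUTSIDE-IN in
!
! ---- Option B: reflexive ACLs (what the poster switched to) ----
! Both lists sit on the outside interface, so the outbound list sees
! post-NAT addresses and the reflected entries carry the public address,
! exactly like the posted "show ip access-list internet" line.
! Caveat: reflexive ACLs only mirror the 5-tuple they saw; protocols that
! negotiate a second connection on another port (active FTP and similar)
! need CBAC's application inspection instead.
ip access-list extended OUTBOUND
 permit tcp any any reflect internet timeout 300
 permit udp any any reflect internet timeout 300
 permit icmp any any reflect internet timeout 300
 permit ip any any
!
ip access-list extended INBOUND
 permit udp any eq bootps any eq bootpc
 evaluate internet
 deny ip any any log
!
interface GigabitEthernet0/0
 no ip inspect internet out
 no ip access-group OUTSIDE-IN in
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification:
!   show ip inspect sessions          (Option A: the dynamic CBAC sessions)
!   show ip inspect config            (Option A: confirm the thresholds)
!   show ip access-list internet      (Option B: the reflected entries)
```

With Option A, watch "show ip inspect config" after the changes: if the max-incomplete and one-minute limits still read 7/2 and 5/2, the engine will keep tearing down half-open sessions while a browser fans out its parallel connections, and the slowdown will persist regardless of the idle timers.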



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST