brent87
- Apr 2, 2009
Hey Guys,
I need some help with a Cisco router firewall. I believe it has something to do with the "ip auth-proxy max-nodata-conns 1000" and "ip admission max-nodata-conns 1000" lines. The default was 3 rather than 1000, but there is still no change. The problem is that the router allows a connection to begin but drops it after a few seconds. This is how far I get on downloads, from any machine and for any download. The router config is at the bottom of the page. Any help would be great. Without the firewall enabled everything runs smoothly.
__________________________________________________ __________
$ wget --2009-03-31 13:37:01-- Resolving mirror.ebox-platform.com... 87.98.190.119
Connecting to mirror.ebox-platform.com|87.98.190.119|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 353579008 (337M) [application/x-iso9660-image]
Saving to: `ebox_live-1.0.iso.7'
0% [ ] 34,438 6.71K/s eta 14h 17m
__________________________________________________ _____________
Current configuration : 4285 bytes
!
! Running configuration of a single-WAN PPPoE edge router (IOS 12.4) with an
! SDM-generated CBAC firewall: inspection rule SDM_LOW applied outbound on
! Dialer0, ACL 102 inbound on Dialer0, ACL 101 inbound on the LAN, and PAT of
! 192.168.1.0/24 behind the Dialer0 address.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 "encryption" is reversible obfuscation, not a protection of the
! plaintext; the "secret 5" values below are hashed separately and are not
! affected by this line.
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 *******
!
! Legacy (non-AAA) authentication: the vty lines use "login local" below.
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
! LAN DHCP scope; hands out the router as default gateway and the two ISP
! resolvers that are also listed as the router's own name-servers.
ip dhcp pool 1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.211.33 61.9.211.49
!
!
ip cef
ip name-server 61.9.211.33
ip name-server 61.9.211.49
! CBAC inspection rule SDM_LOW: only TCP and UDP are inspected. Idle TCP
! sessions are kept for 3600 s, UDP pseudo-sessions for 15 s. Return traffic
! of an inspected session is admitted on Dialer0 ahead of ACL 102; ICMP is not
! inspected and is handled by ACL 102 alone.
ip inspect name SDM_LOW tcp timeout 3600
ip inspect name SDM_LOW udp timeout 15
! These two limits apply only to authentication-proxy / ip admission sessions.
! No interface in this configuration has "ip auth-proxy" or "ip admission"
! applied, so they have no effect on CBAC inspection or on the dropped
! downloads described in the post.
ip auth-proxy max-nodata-conns 1000
ip admission max-nodata-conns 1000
!
!
! Single local privilege-15 account used by "login local" on the vty lines.
username ***** privilege 15 secret 5 ********
!
!
!
!
!
!
interface Ethernet0
description "LAN"
ip address 192.168.1.1 255.255.255.0
! ACL 101: minimal anti-spoofing (drops 255.255.255.255 and 127/8 sources),
! then permits everything from the LAN.
ip access-group 101 in
ip nat inside
ip virtual-reassembly
! NOTE(review): Dialer0 runs with "ip mtu 1452" for PPPoE but there is no
! "ip tcp adjust-mss" on this LAN interface. A transfer that connects and then
! stalls after the first few KB is consistent with an MSS/MTU problem as well
! as with the firewall; worth confirming alongside the inspection settings.
! Fast/CEF switching is disabled on this interface (process switching).
no ip route-cache cef
no ip route-cache
no ip mroute-cache
hold-queue 100 out
!
! Unused second Ethernet, administratively down.
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
! ADSL physical interface; the PPPoE client lives on the 8/35 PVC below.
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description "INTERNET"
ip address negotiated
! ACL 102 is the inbound WAN filter: anything not permitted there, and not
! opened dynamically by SDM_LOW inspection, is dropped and logged.
ip access-group 102 in
! Reduced MTU for PPPoE; no matching TCP MSS clamp exists on Ethernet0.
ip mtu 1452
ip nat outside
! CBAC inspects outbound TCP/UDP here and opens the return path through ACL 102.
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******
! Type-7 string: recoverable by anyone who can read this configuration.
ppp chap password 7 ******
!
interface Dialer1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Both HTTP and HTTPS management servers are disabled; the "authentication
! local" line only matters if one of them is re-enabled (e.g. for SDM).
no ip http server
ip http authentication local
no ip http secure-server
!
! PAT: all of 192.168.1.0/24 (ACL 100) is translated to the Dialer0 address.
ip nat inside source list 100 interface Dialer0 overload
! Static port forward: WAN tcp/1022 -> 192.168.1.2:22 (SSH). ACL 102 permits
! tcp/1022 from any source, so that host's SSH service is reachable from the
! whole Internet; restricting the source in ACL 102 would narrow the exposure.
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 1022
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! ACL 101 (LAN inbound): block two impossible source addresses, permit the rest.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
! ACL 102 (WAN inbound). Order matters: the port-forward and DNS permits come
! first, then spoofed/bogon sources are dropped, then the final deny logs
! everything else. Return traffic of inspected sessions bypasses this ACL.
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
! Exposes the SSH port forward above to any source address.
access-list 102 permit tcp any any eq 1022
! Replies from the two configured resolvers; UDP inspection would normally
! open these dynamically as well, so these entries are belt-and-braces.
access-list 102 permit udp host 61.9.211.49 eq domain any
access-list 102 permit udp host 61.9.211.33 eq domain any
! Anti-spoofing: WAN packets claiming the LAN subnet as their source.
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
! ICMP types needed for ping replies, traceroute and path-MTU discovery.
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
! RFC 1918, loopback, broadcast and unspecified sources are never valid from
! the WAN side.
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
! Final explicit deny with logging. Log entries from this line are the first
! thing to check when a session is dropped mid-transfer: they show whether the
! return packets were refused because no inspection entry matched them.
access-list 102 deny ip any any log
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! Remote CLI access: local login, straight to privilege 15, Telnet only
! (cleartext). ACL 102 has no permit for tcp/23, so this is reachable from
! the LAN side only, but no "access-class" limits which LAN hosts may connect
! and "transport input ssh" would avoid cleartext credentials on the wire.
line vty 0 4
privilege level 15
login local
transport input telnet
!
scheduler max-task-time 5000
end
I need some help with a Cisco router firewall. I believe it has something to do with the "ip auth-proxy max-nodata-conns 1000" and "ip admission max-nodata-conns 1000" lines. The default was 3 rather than 1000, but there is still no change. The problem is that the router allows a connection to begin but drops it after a few seconds. This is how far I get on downloads, from any machine and for any download. The router config is at the bottom of the page. Any help would be great. Without the firewall enabled everything runs smoothly.
__________________________________________________ __________
$ wget --2009-03-31 13:37:01-- Resolving mirror.ebox-platform.com... 87.98.190.119
Connecting to mirror.ebox-platform.com|87.98.190.119|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 353579008 (337M) [application/x-iso9660-image]
Saving to: `ebox_live-1.0.iso.7'
0% [ ] 34,438 6.71K/s eta 14h 17m
__________________________________________________ _____________
Current configuration : 4285 bytes
!
! Running configuration of a single-WAN PPPoE edge router (IOS 12.4) with an
! SDM-generated CBAC firewall: inspection rule SDM_LOW applied outbound on
! Dialer0, ACL 102 inbound on Dialer0, ACL 101 inbound on the LAN, and PAT of
! 192.168.1.0/24 behind the Dialer0 address.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 "encryption" is reversible obfuscation, not a protection of the
! plaintext; the "secret 5" values below are hashed separately and are not
! affected by this line.
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 *******
!
! Legacy (non-AAA) authentication: the vty lines use "login local" below.
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
! LAN DHCP scope; hands out the router as default gateway and the two ISP
! resolvers that are also listed as the router's own name-servers.
ip dhcp pool 1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.211.33 61.9.211.49
!
!
ip cef
ip name-server 61.9.211.33
ip name-server 61.9.211.49
! CBAC inspection rule SDM_LOW: only TCP and UDP are inspected. Idle TCP
! sessions are kept for 3600 s, UDP pseudo-sessions for 15 s. Return traffic
! of an inspected session is admitted on Dialer0 ahead of ACL 102; ICMP is not
! inspected and is handled by ACL 102 alone.
ip inspect name SDM_LOW tcp timeout 3600
ip inspect name SDM_LOW udp timeout 15
! These two limits apply only to authentication-proxy / ip admission sessions.
! No interface in this configuration has "ip auth-proxy" or "ip admission"
! applied, so they have no effect on CBAC inspection or on the dropped
! downloads described in the post.
ip auth-proxy max-nodata-conns 1000
ip admission max-nodata-conns 1000
!
!
! Single local privilege-15 account used by "login local" on the vty lines.
username ***** privilege 15 secret 5 ********
!
!
!
!
!
!
interface Ethernet0
description "LAN"
ip address 192.168.1.1 255.255.255.0
! ACL 101: minimal anti-spoofing (drops 255.255.255.255 and 127/8 sources),
! then permits everything from the LAN.
ip access-group 101 in
ip nat inside
ip virtual-reassembly
! NOTE(review): Dialer0 runs with "ip mtu 1452" for PPPoE but there is no
! "ip tcp adjust-mss" on this LAN interface. A transfer that connects and then
! stalls after the first few KB is consistent with an MSS/MTU problem as well
! as with the firewall; worth confirming alongside the inspection settings.
! Fast/CEF switching is disabled on this interface (process switching).
no ip route-cache cef
no ip route-cache
no ip mroute-cache
hold-queue 100 out
!
! Unused second Ethernet, administratively down.
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
! ADSL physical interface; the PPPoE client lives on the 8/35 PVC below.
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description "INTERNET"
ip address negotiated
! ACL 102 is the inbound WAN filter: anything not permitted there, and not
! opened dynamically by SDM_LOW inspection, is dropped and logged.
ip access-group 102 in
! Reduced MTU for PPPoE; no matching TCP MSS clamp exists on Ethernet0.
ip mtu 1452
ip nat outside
! CBAC inspects outbound TCP/UDP here and opens the return path through ACL 102.
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******
! Type-7 string: recoverable by anyone who can read this configuration.
ppp chap password 7 ******
!
interface Dialer1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Both HTTP and HTTPS management servers are disabled; the "authentication
! local" line only matters if one of them is re-enabled (e.g. for SDM).
no ip http server
ip http authentication local
no ip http secure-server
!
! PAT: all of 192.168.1.0/24 (ACL 100) is translated to the Dialer0 address.
ip nat inside source list 100 interface Dialer0 overload
! Static port forward: WAN tcp/1022 -> 192.168.1.2:22 (SSH). ACL 102 permits
! tcp/1022 from any source, so that host's SSH service is reachable from the
! whole Internet; restricting the source in ACL 102 would narrow the exposure.
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 1022
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! ACL 101 (LAN inbound): block two impossible source addresses, permit the rest.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
! ACL 102 (WAN inbound). Order matters: the port-forward and DNS permits come
! first, then spoofed/bogon sources are dropped, then the final deny logs
! everything else. Return traffic of inspected sessions bypasses this ACL.
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
! Exposes the SSH port forward above to any source address.
access-list 102 permit tcp any any eq 1022
! Replies from the two configured resolvers; UDP inspection would normally
! open these dynamically as well, so these entries are belt-and-braces.
access-list 102 permit udp host 61.9.211.49 eq domain any
access-list 102 permit udp host 61.9.211.33 eq domain any
! Anti-spoofing: WAN packets claiming the LAN subnet as their source.
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
! ICMP types needed for ping replies, traceroute and path-MTU discovery.
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
! RFC 1918, loopback, broadcast and unspecified sources are never valid from
! the WAN side.
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
! Final explicit deny with logging. Log entries from this line are the first
! thing to check when a session is dropped mid-transfer: they show whether the
! return packets were refused because no inspection entry matched them.
access-list 102 deny ip any any log
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! Remote CLI access: local login, straight to privilege 15, Telnet only
! (cleartext). ACL 102 has no permit for tcp/23, so this is reachable from
! the LAN side only, but no "access-class" limits which LAN hosts may connect
! and "transport input ssh" would avoid cleartext credentials on the wire.
line vty 0 4
privilege level 15
login local
transport input telnet
!
scheduler max-task-time 5000
end