871 downloads get slower and slower 2

shaferbus (MIS, US; joined Dec 7, 2002; 130 posts)
I'm far from an IOS expert, so I'm hoping that someone can tell me if I have a configuration problem or a hardware problem.

Our office network is behind a Cisco 871 router connected to a T1, with 512 Kb/s dedicated to internet bandwidth (the rest is for voice lines). Over the past several months, we have been having problems with slow internet downloads. At first, it was just large files (2+ Mb, not THAT large...), and only sometimes. The file starts downloading fine, and then the download speed drops off to nothing. I know the speed indication in the IE download dialog isn't exactly a scientific measurement, but it would start off at 100+ Kb/s, and after a few hundred Kb it would start dropping until it reached bytes/sec speeds, and eventually fail. Now it's degraded to the point that web pages with a lot of graphics take a long time to load, and downloading a file of any size (like AV updates) is practically impossible!

If I bypass the router and connect my PC directly to the ISP's WAN connection, the problem disappears.

The weird thing is, internet speed tests (connected through the router) show a download rate that is well within normal parameters for our connection, even if I run it while a simple PDF download has slowed to 90 bytes/sec!

I've replaced cables to and from the router, power cycled everything multiple times, and unplugged everything but the router and my PC, with no effect.

The IOS configuration (below) has not been altered in at least 6 months. Can anyone see anything there that would cause a cumulative problem, or does it sound like the 871 is FUBAR?
Any other suggestions?

Thanks

Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <<password cipher>>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.61 192.168.16.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.16.0 255.255.255.0
   dns-server 216.135.95.2 64.132.94.250 
   default-router 192.168.16.1 
!
ip dhcp pool <<server>>
   host 192.168.16.2 255.255.255.0
   hardware-address 00c0.9f10.d8a6
!
ip dhcp pool <<A PC>>
   host 192.168.16.3 255.255.255.0
   hardware-address 0016.41ef.439d
!
ip dhcp pool <<Another PC>>
   host 192.168.16.4 255.255.255.0
   hardware-address 000d.6071.7798
!
ip dhcp pool <<Yet Another PC>>
   host 192.168.16.14 255.255.255.0
   hardware-address 0040.ca36.35b3
!
ip dhcp pool <<Printer>>
   host 192.168.16.13 255.255.255.0
   hardware-address 0000.f0a2.9947
!
ip dhcp pool <<Another Printer>>
   host 192.168.16.30 255.255.255.0
   hardware-address 0880.1fff.22b1
!
ip dhcp pool <<Yet Another Printer>>
   host 192.168.16.60 255.255.255.0
   hardware-address 0000.aaad.9445
!
ip dhcp pool Shop
   host 192.168.16.5 255.255.255.0
   hardware-address 0040.f473.55aa
!
ip dhcp pool maintenance2
   host 192.168.16.6 255.255.255.0
   hardware-address 0009.6bf3.a799
!
ip dhcp pool shopmgr
   host 192.168.16.7 255.255.255.0
   hardware-address 0040.2b4d.cfea
!
ip dhcp pool mezzanine
   host 192.168.16.8 255.255.255.0
   hardware-address 0001.29d3.9cd4
!
!
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 802-11-iapp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 216.135.95.2
ip name-server 64.132.94.250
ip name-server 192.168.16.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1834174675
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1834174675
 revocation-check none
 rsakeypair TP-self-signed-1834174675
!
!
crypto pki certificate chain TP-self-signed-1834174675
 certificate self-signed 01
  <<All the Certificate Stuff>>
  quit
username admin privilege 15 secret 5 <<Password>>
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group SHAFERVPN
 key <<VPN Key>>
 dns 192.168.16.1 192.168.16.2
 wins 192.168.16.2
 domain <<Our Domain>>
 pool SDM_POOL_1
 acl 105
 include-local-lan
 pfs
 max-users 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 600
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip address 66.192.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.17.50 192.168.17.55
ip classless
ip route 0.0.0.0 0.0.0.0 66.192.43.1
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.16.14 80 interface FastEthernet4 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any any eq www
access-list 100 remark GoChart Schedule
access-list 100 permit tcp any any eq 8085
access-list 100 remark Permit shafers website
access-list 100 permit tcp any any eq 8082 log
access-list 100 permit udp host 192.168.16.2 eq domain any
access-list 100 permit tcp any any eq 4443
access-list 100 deny   ip 66.192.xxx.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) ntp.twtelecom.net
access-list 101 permit udp host 207.250.222.200 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit ip host 192.168.17.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.55 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.55 192.168.16.0 0.0.0.255
access-list 101 permit udp any host 66.192.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host 66.192.xxx.xxx eq isakmp
access-list 101 permit esp any host 66.192.xxx.xxx
access-list 101 permit ahp any host 66.192.xxx.xxx
access-list 101 remark Auto generated by SDM for NTP (123) nist1-ny.witime.net
access-list 101 permit udp host 208.184.49.9 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit udp host 64.132.94.250 eq domain any
access-list 101 permit udp host 216.135.95.2 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 remark GoChart Schedule
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082 log
access-list 101 remark SSL
access-list 101 permit tcp any any eq 4443
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 66.192.xxx.xxx echo-reply
access-list 101 permit icmp any host 66.192.xxx.xxx time-exceeded
access-list 101 permit icmp any host 66.192.xxx.xxx unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.16.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.50
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.51
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.52
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.53
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.54
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.55
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.50
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.51
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.52
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.53
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.54
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.55
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175186
ntp server 207.250.222.200 source FastEthernet4 prefer
end

 
Update:

I started playing with components of my configuration, and when I remove Outbound Rule DEFAULT100 from fe4, download performance seems normal. Reapply the rule, and downloads slow to nothing.

Anyone see what's wrong? I'm afraid I'm not familiar enough with Inspect rules to see it...

THANKS!
 
Oops - my mistake - it was the INBOUND access group 101 that seemed to make a difference when I removed it from fe4. I'm just turning things on and off to see what affects download speed, and I got my directions confused [blush]

Weird thing is, it will work OK for a while even after I turn ACL 101 back on, but after a couple of downloads, things go back to SNAFU :(

Incidentally, I got a strange message when I turned the inbound rules back on on both the fe4 and vlan1 side:

"The selected interface is configured for both NAT and ACL. This configuration might affect Address Translation. Do you want to continue?"
Is that normal?
 
How many people are in the office? Have you tried testing after hours when you are the only user behind the router?
 
Sorry - I should have provided more detail...

There are 12 users during office hours, plus a couple of servers. My first thought was that someone was being a bandwidth hog, so I've tried it after hours, and have even unplugged the entire network from the router - just my PC plugged in directly to one of the fe ports. That had no effect on the problem.

I was pretty much resigned to it being a hardware problem, because it has gotten progressively worse, and I haven't made any changes to the programming in at least 6 months. It's only since I was playing with disabling ACL's last night that I'm thinking software again.

Any thoughts on how an ACL would cause this?
 
Hmm... If it's been getting gradually worse, has there been an increase in usage, or a change in applications being used in this network?

For ACL101, the only thing I see wrong with it is that it's really long and inefficient. Might want to try this after-hours, but with some fanciful wildcard masking I'm pretty sure this will do the same thing as your current 101:

access-list 101 remark Outbound rules
access-list 101 permit udp host 207.250.222.200 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 deny ip 192.168.16.48 0.0.1.1 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.16.48 0.0.1.7 192.168.16.0 0.0.0.255
access-list 101 permit udp any host 66.192.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host 66.192.xxx.xxx eq isakmp
access-list 101 permit esp any host 66.192.xxx.xxx
access-list 101 permit ahp any host 66.192.xxx.xxx
access-list 101 permit udp host 208.184.49.9 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit udp host 64.132.94.250 eq domain any
access-list 101 permit udp host 216.135.95.2 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 remark GoChart Schedule
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082 log
access-list 101 remark SSL
access-list 101 permit tcp any any eq 4443
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 66.192.xxx.xxx echo-reply
access-list 101 permit icmp any host 66.192.xxx.xxx time-exceeded
access-list 101 permit icmp any host 66.192.xxx.xxx unreachable
access-list 101 deny ip any any


CCNP, CCDP
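To see exactly what the two wildcard lines above match, here is an added example (my code, not quadratic's and not anything from the 871): it evaluates the plain-ip entries of the original and the compressed ACL 101 against every source address in 192.168.16.0/23 and lists the sources on which the two lists disagree. The tcp/udp/icmp lines are left out because they cannot match a plain-IP test packet, and the destination 192.168.16.10 is an assumed LAN host.

```python
"""Compare two versions of an IOS ACL (Cisco wildcard-mask semantics) source by source."""
import ipaddress
from typing import List, Tuple

# An entry is (action, src_base, src_wildcard, dst_base, dst_wildcard); protocol 'ip' only.
Entry = Tuple[str, str, str, str, str]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is don't-care."""
    w = _ip(wildcard)
    keep = ~w & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(base) & keep)


def wildcard_hosts(base: str, wildcard: str) -> List[str]:
    """Enumerate every address a base/wildcard pair matches (small wildcards only)."""
    w = _ip(wildcard)
    b = _ip(base) & ~w & 0xFFFFFFFF
    bits = [i for i in range(32) if (w >> i) & 1]
    out = []
    for k in range(1 << len(bits)):
        v = b
        for j, bit in enumerate(bits):
            if (k >> j) & 1:
                v |= 1 << bit
        out.append(str(ipaddress.IPv4Address(v)))
    return sorted(out, key=_ip)


def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """First-match evaluation; IOS ends every ACL with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def host(a: str) -> Tuple[str, str]:
    return a, "0.0.0.0"


ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.16.0", "0.0.0.255")

# The 'ip' entries of the original ACL 101 from the thread, in their original order.
ORIGINAL: List[Entry] = (
    [("permit", *host(f"192.168.17.{n}"), *LAN) for n in range(50, 56)]
    + [("permit", *host(f"192.168.16.{n}"), *LAN) for n in range(50, 56)]
    + [
        ("permit", "192.168.16.0", "0.0.0.255", *ANY),
        ("deny", "10.0.0.0", "0.255.255.255", *ANY),
        ("deny", "172.16.0.0", "0.15.255.255", *ANY),
        ("deny", "192.168.0.0", "0.0.255.255", *ANY),
        ("deny", *ANY, *ANY),
    ]
)

# The compressed version proposed above: 0.0.1.1 covers .48/.49 in both 192.168.16.x
# and 192.168.17.x, 0.0.1.7 covers .48-.55 in both, so deny-then-permit leaves .50-.55.
COMPRESSED: List[Entry] = [
    ("deny", "192.168.16.48", "0.0.1.1", *LAN),
    ("permit", "192.168.16.48", "0.0.1.7", *LAN),
    ("permit", "192.168.16.0", "0.0.0.255", *ANY),
    ("deny", "10.0.0.0", "0.255.255.255", *ANY),
    ("deny", "172.16.0.0", "0.15.255.255", *ANY),
    ("deny", "192.168.0.0", "0.0.255.255", *ANY),
    ("deny", *ANY, *ANY),
]


def differences(a: List[Entry], b: List[Entry], dst: str = "192.168.16.10") -> List[Tuple[str, str, str]]:
    """Sources in 192.168.16.0/23 for which the two ACLs give different results.
    dst is an assumed LAN host, not an address from the thread."""
    diffs = []
    for src in ipaddress.IPv4Network("192.168.16.0/23"):
        ra, rb = evaluate(a, str(src), dst), evaluate(b, str(src), dst)
        if ra != rb:
            diffs.append((str(src), ra, rb))
    return diffs


if __name__ == "__main__":
    print("192.168.16.48 0.0.1.7 matches:", wildcard_hosts("192.168.16.48", "0.0.1.7"))
    for src, ra, rb in differences(ORIGINAL, COMPRESSED):
        print(f"{src}: original={ra} compressed={rb}")
```

Running it shows that 192.168.16.48 0.0.1.7 expands to .48-.55 in both 192.168.16.x and 192.168.17.x, and that the only sources the two lists treat differently are 192.168.16.48 and 192.168.16.49: the original falls through to "permit ip 192.168.16.0 0.0.0.255 any", while the compressed version hits the explicit deny first. A packet arriving on the WAN interface with a LAN source address is spoofed and is dropped by the "ip verify unicast reverse-path" on fe4 anyway, so the difference is cosmetic, but it is the kind of thing worth checking before swapping a production ACL after hours.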
 
Also, what are the memory and cpu usage stats on the router when it's slow? With all those stateful inspections, long ACLs and IPSec tunneling, that router does have a lot of work to do. Do a "show process cpu" and "show process memory" during normal operations and slow operations.

CCNP, CCDP
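As an added example (not from the thread, and not a Cisco tool), here is a small parser for the "show process cpu" output quadratic asks for. It reads the summary line, tolerates the TTY column being run together with the process name (as it is in the paste later in this thread), ranks processes by their five-minute average, and reports how much of the five-minute total is not attributed to any process, which is a rough indicator of interrupt-level (fast-path forwarding) load rather than a runaway process. The sample rows are constructed from values that appear in the thread.

```python
"""Parse Cisco IOS 'show process cpu' output and rank the process-level CPU consumers."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a summary line plus a few process rows using values from the
# thread. Two rows have the TTY column glued to the process name ("0HTTP CORE"),
# which is how the paste in this thread came out.
SAMPLE = """\
CPU utilization for five seconds: 2%/0%; one minute: 5%; five minutes: 6%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   4     1548348     93234  16607  0.32%  0.66%  0.67%   0 Check heaps
  41      228212   1197553    190  0.40%  0.29%  0.27%   0 COLLECT STAT COU
  67      156636    390417    401  0.08%  0.20%  0.21%   0 IP Input
  89        1964    467848      4  0.00%  0.00%  0.00%   0Inspect process
  98       93464     59519   1570  5.32%  2.76%  2.72%   0HTTP CORE
"""


class Proc(NamedTuple):
    pid: int
    runtime_ms: int
    invoked: int
    usecs: int
    five_sec: float
    one_min: float
    five_min: float
    name: str


# Summary line: "X%/Y%" is total/interrupt-level CPU over the last five seconds.
SUMMARY_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Process rows; \s* before the name lets a fused TTY column ("0HTTP CORE") parse.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s*(\S.*?)\s*$"
)


def parse_show_process_cpu(text: str) -> Tuple[Dict[str, int], List[Proc]]:
    """Return (summary, processes); summary values are whole percents."""
    summary: Dict[str, int] = {}
    procs: List[Proc] = []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary = {
                "five_sec_total": int(m.group(1)),
                "five_sec_interrupt": int(m.group(2)),
                "one_min": int(m.group(3)),
                "five_min": int(m.group(4)),
            }
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(
                int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4)),
                float(m.group(5)), float(m.group(6)), float(m.group(7)),
                m.group(9),
            ))
    return summary, procs


def top_consumers(procs: List[Proc], n: int = 3) -> List[Tuple[str, float]]:
    """Processes with the highest five-minute average, highest first."""
    ranked = sorted(procs, key=lambda p: p.five_min, reverse=True)
    return [(p.name, p.five_min) for p in ranked[:n]]


def unattributed_five_min(summary: Dict[str, int], procs: List[Proc]) -> float:
    """Five-minute total minus the sum of the per-process figures. On IOS that gap is
    mostly CPU spent at interrupt level (packets switched in the fast path), so a
    large gap with small process figures points at forwarding load, not a process."""
    return round(summary["five_min"] - sum(p.five_min for p in procs), 2)


if __name__ == "__main__":
    s, ps = parse_show_process_cpu(SAMPLE)
    print("five-second total/interrupt:", s["five_sec_total"], "/", s["five_sec_interrupt"])
    for name, pct in top_consumers(ps):
        print(f"{pct:5.2f}%  {name}")
    print("not attributed to any process (5 min):", unattributed_five_min(s, ps))
```

Paste the full output into SAMPLE (or read it from a file) and compare a quiet period with a slow one; a process that only climbs the ranking while downloads crawl is the one to look at, whereas a large unattributed share with flat process figures means the box is busy forwarding or inspecting packets in the fast path.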
 
Thanks!
I'll run memory and cpu stats now and after every one goes home, and also before and after making the recommended ACL changes, and post the results.

The only change we have made in network apps is adding an extranet website, which added the following lines:

Code:
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
.
.
.
.
access-list 100 remark GoChart Schedule
access-list 100 permit tcp any any eq 8085
access-list 100 remark Permit shafers website
access-list 100 permit tcp any any eq 8082 log
.
.
.
.
access-list 101 remark GoChart Schedule
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082 log
Would this have caused a large increase in router workload?

Do you have any recommendations on the inspection rules, or any "rule of thumb" on what should be inspected?

Actually, we're expecting to add another VPN connection... is it time for a hardware upgrade?
 
Your "ip tcp adjust-mss" command should be on the interface terminating your vpn connections. Make sure the value you set matches what the other side of the vpn is using as well.

Also, add the following.
Code:
interface null0
   no ip unreachables
That will stop your router from sending ICMP unreachables every time your access-lists drop a packet.

I also saw a bunch of "log" entries on your access-lists. Be careful of how you use that feature, as it will slow down the router if it has to log a bunch.
 
Thanks baddos

I just noticed the "log" entries myself, and have shut them off, but I should probably turn them back on when I run the stats that quadratic suggested, just so we can see if they are causing issues.....? Perhaps that's the whole issue, since I'm currently downloading a 150MB file at rates from 50-100 Kb/s with the logging turned off.

As for the ip tcp adjust-mss entries, they should be on the WAN interface on both sides of the tunnel? I set up the EasyVPN using SDM, where I assume (read "can't remember" lol) the entries came from. I just checked the 870 series Cisco config guide, and in their example they have it applied to the vlan interface, so I'm a bit confused about that. (The rates are the same on both ends BTW).

On the ip unreachables, I see what you mean... but should I be permitting icmp traffic at all? I know I have seen in some documents something to the effect that icmp should be allowed only if you're debugging...? I will add the code you suggested unless and until I deny icmp traffic.

Thanks!
 
If you turn that logging on, is there an immediate difference? If so, since it's the only recent change that added logging, I'm going to bet "access-list 101 permit tcp any any eq 8082 log" is the culprit.

CCNP, CCDP
 
Personally I would recommend upgrading to a Cisco 1941 if you have 12 machines plus your servers.
 
The no ip unreachables under the Null0 interface disables the router generating unreachables when an access-list or policy map drops a packet. This helps save processor overhead on the router if you are getting a lot of access-list denies.
 
I think I'll do some testing over the next few business days with logging on and off to see if that's really the issue, but at least MY downloads seem to be normal now. I'll have to gather some user input to make sure everyone sees improvement, then I'll turn logging back on and see what happens.

I did run the cpu and memory processes, and didn't see a huge difference between having the logging off (and no ip unreachables on null0) and the original config - but then I'm not familiar with reading those numbers and don't really know what I'm looking at LOL. I hate to waste everyone's time with lengthy before-and-afters of both outputs. If anyone knows what values might be significant, I can post whatever is relevant.

Baddos and quadratic - thank you again for the great suggestions and explanations!

Brianinms - thanks for the recommendation! Do you still think the 1941 would be appropriate assuming that we add another VPN? (Perhaps that's a subject for another post...)

I'll post further when I can say with more certainty which suggestion had the major effect.
 
Well, despite all of the great suggestions, it appears that we're back to square one [evil]. I can only assume that implementing the changes above must have reset something that has built back up to irritating levels.

Right now, SDM monitoring shows CPU running at under 5% utilization, and memory at under 25%, but we can't download a file of any significant size, and a web page with Flash content takes (seriously!) 10-20 minutes to load.

Here's the "show process" output for cpu and memory. Can anyone hazard a guess on where the problem lies?

Code:
show process cpu                                                        
CPU utilization for five seconds: 2%/0%; one minute: 5%; five minutes: 6
PID Runtime(ms) Invoked    uSecs    5Sec    1Min    5Min TTY Process         
   1     12       58      206   0.00%   0.00%   0.00%  0Chunk Manager   
   2    180    47916        3   0.00%   0.00%   0.00%  0Load Meter      
   3    120   239578        0   0.00%   0.00%   0.00%  0Spanning Tree   
   4 1548348    93234    16607   0.32%   0.66%   0.67%  0Check heaps     
   5      8       70      114   0.00%   0.00%   0.00%  0Pool Manager    
   6      0        2        0   0.00%   0.00%   0.00%  0Timers          
   7      0        1        0   0.00%   0.00%   0.00%  0Crash writer    
   8   3740    16915      221   0.00%   0.00%   0.00%  0ARP Input       
   9      0        2        0   0.00%   0.00%   0.00%  0ATM Idle Timer  
  10      0      927        0   0.00%   0.00%   0.00%  0AAA high-capacit
  11      0        1        0   0.00%   0.00%   0.00%  0AAA_SERVER_DEADT
  12      0        1        0   0.00%   0.00%   0.00%  0Policy Manager  
  13      0        2        0   0.00%   0.00%   0.00%  0DDR Timers      
  14      0        2        0   0.00%   0.00%   0.00%  0Entity MIB API  
  15   4196    52957       79   0.00%   0.00%   0.00%  0EEM ED Syslog   
  16     20    23959        0   0.00%   0.00%   0.00%  0HC Counter Timer
  17      0        2        0   0.00%   0.00%   0.00%  0Serial Backgroun
  18      0        1        0   0.00%   0.00%   0.00%  0RO Notify Timers
  19      0        1        0   0.00%   0.00%   0.00%  0RMI RM Notify Wa
  20      0        2        0   0.00%   0.00%   0.00%  0SMART           
  21     32   239576        0   0.00%   0.00%   0.00%  0GraphIt         
  22      4        2     2000   0.00%   0.00%   0.00%  0Dialer event    
  23      0        1        0   0.00%   0.00%   0.00%  0SERIAL A'detect 
  24      0        1        0   0.00%   0.00%   0.00%  0Inode Table Dest
  25      0        1        0   0.00%   0.00%   0.00%  0Critical Bkgnd  
  26     80   143773        0   0.00%   0.00%   0.00%  0Net Background  
  27      0        3        0   0.00%   0.00%   0.00%  0IDB Work        
  28   1032    49190       20   0.00%   0.00%   0.00%  0Logger          
  29     12   239551        0   0.00%   0.00%   0.00%  0TTY Background  
  30    160   239591        0   0.00%   0.00%   0.00%  0Per-Second Jobs 
  31      0     1997        0   0.00%   0.00%   0.00%  0DHCPD Timer     
  32      0        2        0   0.00%   0.00%   0.00%  0AggMgr Process  
  33      0        1        0   0.00%   0.00%   0.00%  0Token Daemon    
  34    268  1247355        0   0.00%   0.00%   0.00%  0LED Timers      
  35    272  1597120        0   0.00%   0.00%   0.00%  0WLAN LED Timers 
  36      0        2        0   0.00%   0.00%   0.00%  0AUX             
  37    100       10    10000   0.00%   0.00%   0.00%  0ESWPPM          
  38      0        2        0   0.00%   0.00%   0.00%  0Eswilp Storm Con
  39     16       63      253   0.24%   0.02%   0.00%  0Exec            
  40     28       12     2333   0.00%   0.00%   0.00%  0Switch Link Moni
  41 228212  1197553      190   0.40%   0.29%   0.27%  0COLLECT STAT COU
  42    296     2033      145   0.00%   0.00%   0.00%  0Net Input       
  43     36    47918        0   0.00%   0.00%   0.00%  0Compute load avg
  44  47940     4042    11860   0.00%   0.02%   0.00%  0Per-minute Jobs 
  45     20       71      281   0.00%   0.00%   0.00%  0IGMP Snooping Pr
  46     28       71      394   0.00%   0.00%   0.00%  0IGMP Snooping Re
  47     44   239593        0   0.00%   0.00%   0.00%  0Crypto Device Up
  48    536     5246      102   0.00%   0.00%   0.00%  0Crypto Hardware 
  49      0        2        0   0.00%   0.00%   0.00%  0Multi-ISA Event 
  50      0        1        0   0.00%   0.00%   0.00%  0Multi-ISA Cleanu
  51     32      999       32   0.00%   0.00%   0.00%  0crypto engine pr
  52      0       10        0   0.00%   0.00%   0.00%  0Crypto Batch    
  53     12   239558        0   0.00%   0.00%   0.00%  0PI MATM Aging Pr
  54      0        2        0   0.00%   0.00%   0.00%  0DTP Protocol    
  55      0        6        0   0.00%   0.00%   0.00%  0dot1x           
  56     12   239569        0   0.00%   0.00%   0.00%  0linktest        
  57      0        2        0   0.00%   0.00%   0.00%  0Dot11 Mgmt & Ass
  58     16      351       45   0.00%   0.00%   0.00%  0CRYPTO IKMP IPC 
  59      0        2        0   0.00%   0.00%   0.00%  0Dot11 aaa proces
  60      0        2        0   0.00%   0.00%   0.00%  0Dot11 auth Dot1x
  61      0        1        0   0.00%   0.00%   0.00%  0Dot11 Mac Auth  
  62      0        2        0   0.00%   0.00%   0.00%  0AAA Dictionary R
  63     16      193       82   0.00%   0.00%   0.00%  0AAA Server      
  64      0        1        0   0.00%   0.00%   0.00%  0AAA ACCT Proc   
  65      0        1        0   0.00%   0.00%   0.00%  0ACCT Periodic Pr
  67 156636   390417      401   0.08%   0.20%   0.21%  0IP Input        
  68      0        1        0   0.00%   0.00%   0.00%  0ICMP event handl
  69      4        3     1333   0.00%   0.00%   0.00%  0PPP Hooks       
  71      0        1        0   0.00%   0.00%   0.00%  0SSS Manager     
  72      8    31945        0   0.00%   0.00%   0.00%  0SSS Test Client 
  73      0        1        0   0.00%   0.00%   0.00%  0SSS Feature Mana
  74    180   935914        0   0.00%   0.00%   0.00%  0SSS Feature Time
  75      0        1        0   0.00%   0.00%   0.00%  0VPDN call manage
  76      0        1        0   0.00%   0.00%   0.00%  0L2X Socket proce
  77      0        1        0   0.00%   0.00%   0.00%  0L2X SSS manager 
  78      0        2        0   0.00%   0.00%   0.00%  0L2TP mgmt daemon
  79      8     4040        1   0.00%   0.00%   0.00%  0IP Background   
  80     12     4172        2   0.00%   0.00%   0.00%  0IP RIB Update   
  81      0        2        0   0.00%   0.00%   0.00%  0PPP IP Route    
  82      0        2        0   0.00%   0.00%   0.00%  0PPP IPCP        
  83    964   359284        2   0.00%   0.00%   0.00%  0CEF process     
  84      0       11        0   0.00%   0.00%   0.00%  0L2MM            
  85      8       71      112   0.00%   0.00%   0.00%  0MRD             
  86      0        1        0   0.00%   0.00%   0.00%  0IGMPSN          
  87  15684   519256       30   0.08%   0.00%   0.00%  0DHCPD Receive   
  88      0        1        0   0.00%   0.00%   0.00%  0SNMP Timers     
  89   1964   467848        4   0.00%   0.00%   0.00%  0Inspect process 
  90      0     3996        0   0.00%   0.00%   0.00%  0DHCPD Database  
  91      0      799        0   0.00%   0.00%   0.00%  0Authentication P
  92      0        1        0   0.00%   0.00%   0.00%  0Auth-proxy AAA B
  93    896   259439        3   0.00%   0.00%   0.00%  0Socket Timers   
  94      0        2        0   0.00%   0.00%   0.00%  0Dialer Forwarder
  95      8     3995        2   0.00%   0.00%   0.00%  0Adj Manager     
  96     64     2471       25   0.00%   0.00%   0.00%  0TCP Timer       
  97      4        3     1333   0.00%   0.00%   0.00%  0TCP Protocols   
  98  93464    59519     1570   5.32%   2.76%   2.72%  0HTTP CORE       
  99      0        1        0   0.00%   0.00%   0.00%  0IP Traceroute   
 100      8     3994        2   0.00%   0.00%   0.00%  0IP Cache Ager   
 101      0        1        0   0.00%   0.00%   0.00%  0RARP Input      
 102      0        2        0   0.00%   0.00%   0.00%  0PPP Bind        
 103      0        2        0   0.00%   0.00%   0.00%  0PPP SSS         
 104      4        2     2000   0.00%   0.00%   0.00%  0SCTP Main Proces
 105      0        2        0   0.00%   0.00%   0.00%  0URL filter proc 
 106      0        3        0   0.00%   0.00%   0.00%  0Crypto HW Proc  
 107      0        2        0   0.00%   0.00%   0.00%  0ENABLE AAA      
 108      0        1        0   0.00%   0.00%   0.00%  0EM Background Pr
 109      0        1        0   0.00%   0.00%   0.00%  0Key chain liveke
 110      0        2        0   0.00%   0.00%   0.00%  0LINE AAA        
 111    104      445      233   0.00%   0.00%   0.00%  0LOCAL AAA       
 112      0        2        0   0.00%   0.00%   0.00%  0TPLUS           
 113      0        2        0   0.00%   0.00%   0.00%  0AAA Cached Serve
 114      0        3        0   0.00%   0.00%   0.00%  0Crypto WUI      
 115      0        2        0   0.00%   0.00%   0.00%  0Crypto Support  
 116     16      195       82   0.00%   0.00%   0.00%  0Crypto ACL      
 117      0        1        0   0.00%   0.00%   0.00%  0CRYPTO QoS proce
 118      0        1        0   0.00%   0.00%   0.00%  0Crypto INT      
 119   3680     4914      748   0.00%   0.00%   0.00%  0Crypto IKMP     
 120    316    13062       24   0.00%   0.00%   0.00%  0IPSEC key engine
 121      0        1        0   0.00%   0.00%   0.00%  0IPSEC manual key
 122     64      123      520   0.00%   0.00%   0.00%  0Crypto PAS Proc 
 123     20        6     3333   0.00%   0.00%   0.00%  0Crypto CA       
 124      0        1        0   0.00%   0.00%   0.00%  0Crypto PKI-CRL  
 125      0        1        0   0.00%   0.00%   0.00%  0Crypto SSL      
 126      0        1        0   0.00%   0.00%   0.00%  0encrypt proc    
 127    124     3058       40   0.00%   0.00%   0.00%  0Key Proc        
 128      0        1        0   0.00%   0.00%   0.00%  0GDOI GM Process 
 129     28   123473        0   0.00%   0.00%   0.00%  0PM Callback     
 130      0        2        0   0.00%   0.00%   0.00%  0Control-plane ho
 131     48      358      134   0.00%   0.00%   0.00%  0AAA SEND STOP EV
 132      0        3        0   0.00%   0.00%   0.00%  0EEM ED CLI      
 133      0        2        0   0.00%   0.00%   0.00%  0EEM ED Counter  
 134      0        2        0   0.00%   0.00%   0.00%  0EEM ED Interface
 135      0        3        0   0.00%   0.00%   0.00%  0EEM ED IOSWD    
 136      0        2        0   0.00%   0.00%   0.00%  0EEM ED Memory-th
 137      0        2        0   0.00%   0.00%   0.00%  0EEM ED None     
 138      0        2        0   0.00%   0.00%   0.00%  0EEM ED OIR      
 139      0        2        0   0.00%   0.00%   0.00%  0EEM ED Resource 
 140      0        2        0   0.00%   0.00%   0.00%  0EEM ED SNMP     
 141      0     4058        0   0.00%   0.00%   0.00%  0EEM ED Timer    
 142      0        2        0   0.00%   0.00%   0.00%  0EEM ED Track    
 143     16    47938        0   0.00%   0.00%   0.00%  0EEM Server      
 144      0    23961        0   0.00%   0.00%   0.00%  0RMON Recycle Pro
 145      0        2        0   0.00%   0.00%   0.00%  0RMON Deferred Se
 146      0        1        0   0.00%   0.00%   0.00%  0Syslog Traps    
 147      4        2     2000   0.00%   0.00%   0.00%  0VLAN Manager    
 149      0        2        0   0.00%   0.00%   0.00%  0EEM Policy Direc
 150   1696    12289      138   0.00%   0.00%   0.00%  0Syslog          
 151      0        1        0   0.00%   0.00%   0.00%  0VPDN Scal       
 153      8     8311        0   0.00%   0.00%   0.00%  0CEF Scanner     
 154  65664      367   178920   0.00%   0.00%   0.00%  0crypto sw pk pro
 155      0        1        0   0.00%   0.00%   0.00%  0tHUB            
 156      0        2        0   0.00%   0.00%   0.00%  0tENM            
 157     16      135      118   0.00%   0.00%   0.00%  0SSH Event handle
 158     88   467860        0   0.00%   0.00%   0.00%  0IP NAT Ager     
 159      0        1        0   0.00%   0.00%   0.00%  0IP NAT WLAN     
 160     80     2464       32   0.00%   0.00%   0.00%  0IP VFR proc     
 161      0        2        0   0.00%   0.00%   0.00%  0IP Flow Backgrou
 162    592   242185        2   0.00%   0.00%   0.00%  0NTP             
                                                                        
show process memory                                                     
Processor Pool Total:   85030612 Used:   18699540 Free:   66331072      
      I/O Pool Total:   12582912 Used:    2551168 Free:   10031744      
                                                                        
PID TTY   Allocated     Freed  Holding Getbufs Retbufs Process
   0      0 36865096 17471468 17539464     514  192261*Init*
   0      0    12128  9003620   12128       0       0*Sched*
   0      0 340510448 341128824  193548       9       4*Dead*
   1      0  2193020  1418140  781972       0       0Chunk Manager      
   2      0      252      252    4092       0       0Load Meter         
   3      0      164        0    7256  119798  119798Spanning Tree      
   4      0     3352      252   10192       0       0Check heaps        
   5      0   112216  1006144   14112      45       0Pool Manager       
   6      0      252      252    7092       0       0Timers             
   7      0        0        0   25092       0       0Crash writer       
   8      0        0        0    7092   13044   13044ARP Input          
   9      0      252      252    7092       0       0ATM Idle Timer     
  10      0      252      252    7092       0       0AAA high-capacit   
  11      0        0        0    7092       0       0AAA_SERVER_DEADT   
  12      0        0        0   13092       0       0Policy Manager     
  13      0      252      252    7092       0       0DDR Timers         
  14      0     1336        0    8428      18      18Entity MIB API     
  15      0      856        0   10872   69810   69778EEM ED Syslog      
  16      0        0        0    7092       0       0HC Counter Timer   
  17      0      252      252    7092       0       0Serial Backgroun   
  18      0        0        0    7092       0       0RO Notify Timers   
  19      0        0        0    4092       0       0RMI RM Notify Wa   
  20      0      252      252    7092       0       0SMART              
  21      0      252      252    7092       0       0GraphIt            
  22      0      252      252   13092       0       0Dialer event       
  23      0        0        0    7092       0       0SERIAL A'detect    
  24      0        0        0    4092       0       0Inode Table Dest   
  25      0        0        0    7092       0       0Critical Bkgnd     
  26      0    21792        0   13608      56      56Net Background     
  27      0      324      324   13092       0       0IDB Work           
  28      0    80532      252   13092   60381   60381Logger             
  29      0    53228      496    7204       0       0TTY Background     
  30      0        0        0   10092       0       0Per-Second Jobs    
  31      0        0      928    7092       0       0DHCPD Timer        
  32      0        0        0    7092       0       0AggMgr Process     
  33      0        0        0    7092       0       0Token Daemon       
  34      0      252      252    7092       0       0LED Timers         
  35      0        0        0    7092       0       0WLAN LED Timers    
  36      0      404      252    7092       0       0AUX                
  37      0    16884     2964   10700       0       0ESWPPM             
  38      0      404      252    4244       0       0Eswilp Storm Con   
  39      0     8884     5208   16580       0       0Exec               
  40      0     1160     1160    7092       0       0Switch Link Moni   
  41      0      252      252    7092       0       0COLLECT STAT COU   
  42      0        0        0    7092    2033    2033Net Input          
  43      0      252      252    7092       0       0Compute load avg   
  44      0    10504      844    7092     110     110Per-minute Jobs    
  45      0        0        0    4092     172     172IGMP Snooping Pr   
  46      0        0        0    4092     210     210IGMP Snooping Re   
  47      0        0        0   10092       0       0Crypto Device Up   
  48      0    95788    94180   14700    3598    3598Crypto Hardware    
  49      0        0        0    7092       1       1Multi-ISA Event    
  50      0        0        0    7092       0       0Multi-ISA Cleanu   
  51      0   112088    66888    8680     233     233crypto engine pr   
  52      0      252      252    7092       0       0Crypto Batch       
  53      0      252      252    7092       0       0PI MATM Aging Pr   
  54      0     2500      252    9340       0       0DTP Protocol       
  55      0      252      252    7092       0       0dot1x              
  56      0        0        0    7092       0       0linktest           
  57      0      252      252    7092       0       0Dot11 Mgmt & Ass   
  58      0        0        0    7092       0       0CRYPTO IKMP IPC    
  59      0      252      252   10092       0       0Dot11 aaa proces   
  60      0      252      252   10092       0       0Dot11 auth Dot1x   
  61      0        0        0    7092       0       0Dot11 Mac Auth     
  62      0      252      252    7092       0       0AAA Dictionary R   
  63      0      252      252    7092       0       0AAA Server         
  64      0        0        0    7092       0       0AAA ACCT Proc      
  65      0        0        0    7092       0       0ACCT Periodic Pr   
  67      0 151844548  1741560  196308  490427  596434IP Input
  68      0        0        0    7092       0       0ICMP event handl   
  69      0      504      504   13092       0       0PPP Hooks          
  71      0        0        0   13092       0       0SSS Manager        
  72      0        0        0   13092       0       0SSS Test Client    
  73      0        0        0    7092       0       0SSS Feature Mana   
  74      0        0        0    7092       0       0SSS Feature Time   
  75      0        0        0   13092       0       0VPDN call manage   
  76      0        0        0   13092       0       0L2X Socket proce   
  77      0        0        0   13092       0       0L2X SSS manager    
  78      0      252      252   13092       0       0L2TP mgmt daemon   
  79      0       76        0   10168       0       0IP Background      
  80      0      164        0   10256       0       0IP RIB Update      
  81      0      252      252   13092       0       0PPP IP Route       
  82      0      252      252   13092       0       0PPP IPCP           
  83      0    73600        0   73600       0       0CEF process        
  84      0      444      156    7536      16      16L2MM               
  85      0        0        0    7092      70      70MRD                
  86      0        0        0    7092       0       0IGMPSN             
  87      0   162036      252  159764     481     481DHCPD Receive      
  88      0        0        0    7092       0       0SNMP Timers        
  89      0   792964 148769520   92840   76950   76950Inspect process
  90      0      204        0    7296       0       0DHCPD Database     
  91      0        0        0    7092       0       0Authentication P   
  92      0        0        0    7092       0       0Auth-proxy AAA B   
  93      0        0        0    7092       0       0Socket Timers      
  94      0      252      252    7092       0       0Dialer Forwarder   
  95      0      252      252   10092       0       0Adj Manager        
  96      0        0     2584   13092      11      11TCP Timer          
  97      0    13280        0   13092       0       0TCP Protocols      
  98      0 34268140 25232900   19468    5544    5544HTTP CORE          
  99      0        0        0    7092       0       0IP Traceroute      
 100      0        0   787440    7092       0       0IP Cache Ager      
 101      0        0        0    7092       0       0RARP Input         
 102      0      252      252    7092       0       0PPP Bind           
 103      0      252      252    7092       0       0PPP SSS            
 104      0     5304      252   12144       0       0SCTP Main Proces   
 105      0     1192      252    8032       0       0URL filter proc    
 106      0      504      504    7092       2       2Crypto HW Proc     
 107      0      252      252    7092       0       0ENABLE AAA         
 108      0        0        0    7092       0       0EM Background Pr   
 109      0        0        0    7092       0       0Key chain liveke   
 110      0      252      252    7092       0       0LINE AAA           
 111      0   116840     5500    8644       0       0LOCAL AAA          
 112      0     1036      252    7876       0       0TPLUS              
 113      0      252      252    7092       0       0AAA Cached Serve   
 114      0   108868      556  117404       0       0Crypto WUI         
 115      0      252      252    7092       0       0Crypto Support     
 116      0   102336   196504   70964       0       0Crypto ACL         
 117      0        0        0    7092       0       0CRYPTO QoS proce   
 118      0        0        0    7092       0       0Crypto INT         
 119      0  8885624  8509136  178948    6109    6109Crypto IKMP        
 120      0   631076    87700  477360     123     123IPSEC key engine   
 121      0        0        0    7092       0       0IPSEC manual key   
 122      0     5096        0    7092       0       0Crypto PAS Proc    
 123      0     1436      652    9876       1       1Crypto CA          
 124      0        0        0    9092       0       0Crypto PKI-CRL     
 125      0        0        0    9092       0       0Crypto SSL         
 126      0        0        0    7092       0       0encrypt proc       
 127      0        0        0    9092       0       0Key Proc           
 128      0        0        0    7092       0       0GDOI GM Process    
 129      0        0     3220    7092       0       0PM Callback        
 130      0      252      252    7092       0       0Control-plane ho   
 131      0    52248   395064    7092       0       0AAA SEND STOP EV   
 132      0        0        0   10092       0       0EEM ED CLI         
 133      0        0        0   10092       0       0EEM ED Counter     
 134      0        0        0   10092       0       0EEM ED Interface   
 135      0        0        0   10092       0       0EEM ED IOSWD       
 136      0        0        0   10092       0       0EEM ED Memory-th   
 137      0        0        0   10092       0       0EEM ED None        
 138      0        0        0   10092       0       0EEM ED OIR         
 139      0       76        0   10168       0       0EEM ED Resource    
 140      0        0        0   10092       0       0EEM ED SNMP        
 141      0        0        0   10092       0       0EEM ED Timer       
 142      0        0        0   10092       0       0EEM ED Track       
 143      0    13408     3684   17476       0       0EEM Server         
 144      0      252      252    7092       0       0RMON Recycle Pro   
 145      0      252      252    7092       0       0RMON Deferred Se   
 146      0        0        0    7092       0       0Syslog Traps       
 147      0     8368     1640   13664       0       0VLAN Manager       
 149      0    10012      252   19192       0       0EEM Policy Direc   
 150      0  8083224  8083224   13092   30222   30222Syslog             
 151      0        0        0    7092       0       0VPDN Scal          
 153      0      164        0    7256       0       0CEF Scanner        
 154      0  3130556  3139160    9632      27      27crypto sw pk pro   
 155      0      252        0   25344       0       0tHUB               
 156      0      504      252   13344       0       0tENM               
 157      0    17968        0   11392       2       2SSH Event handle   
 158      0      252      252    7092       0       0IP NAT Ager        
 159      0        0        0    7092       0       0IP NAT WLAN        
 160      0        0        0    7092       0       0IP VFR proc        
 161      0      252      252    7092       0       0IP Flow Backgrou   
 162      0      800      252    7640    5169    5169NTP                
                             21239292 Total
 
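The `show process memory` listing above is the thing to mine when a router that has run for years starts misbehaving: a process whose Holding figure keeps climbing between snapshots taken hours apart is a leak candidate, while a process that merely holds a lot and stays there is not. The parser below is an added example written for this page, not code from the thread or from Cisco. It slices the fixed-width columns at the offsets measured on the listing as the forum rendered it, because in that rendering a value that fills its field runs straight into the next one and a whitespace split then shifts every following column. The first snapshot reproduces a few rows of the output above in that rendering; the second snapshot is constructed for the comparison and is not from the thread.

```python
"""Parse Cisco IOS `show process memory` output and compare two snapshots.

Added example, not from the thread.  The forum rendering is fixed width and a
value that fills its field runs into its neighbour (see the *Init*, *Dead*,
IP Input and Inspect rows), so str.split() assigns numbers to the wrong
columns.  Character offsets measured on that rendering are used instead.
"""
import re
from typing import Dict, List, Tuple

# (field, start, end) character offsets of each numeric column.
COLUMNS = [("pid", 0, 4), ("tty", 4, 11), ("allocated", 11, 20), ("freed", 20, 29),
           ("holding", 29, 37), ("getbufs", 37, 45), ("retbufs", 45, 53)]
PROCESS_OFFSET = 53                       # process name starts here
ROW_RE = re.compile(r"^\s*\d+\s+\d+")     # a data row: PID then TTY
POOL_RE = re.compile(r"(\S+)\s+Pool\s+Total:\s+(\d+)\s+Used:\s+(\d+)\s+Free:\s+(\d+)")

# Excerpt of the output posted above, reproduced as the forum rendered it.
SNAPSHOT_1 = """\
Processor Pool Total:   85030612 Used:   18699540 Free:   66331072
      I/O Pool Total:   12582912 Used:    2551168 Free:   10031744

PID TTY    AllocatedFreed    Holding Getbufs Retbufs Process
   0      0 36865096 1747146817539464     514  192261*Init*
   0      0340510448341128824  193548       9       4*Dead*
  67      0151844548  1741560  196308  490427  596434IP Input
  89      0   792964148769520   92840   76950   76950Inspect process
  98      0 34268140 25232900   19468    5544    5544HTTP CORE
 119      0  8885624  8509136  178948    6109    6109Crypto IKMP
 120      0   631076    87700  477360     123     123IPSEC key engine
 150      0  8083224  8083224   13092   30222   30222Syslog
                             21239292Total
"""

# Constructed "later" snapshot (not from the thread): IP Input's Holding has grown.
SNAPSHOT_2 = """\
Processor Pool Total:   85030612 Used:   19355124 Free:   65675488
PID TTY    AllocatedFreed    Holding Getbufs Retbufs Process
  67      0163200000  1741560  851892  512000  618000IP Input
  89      0   801234149000000   92840   78000   78000Inspect process
  98      0 34900000 25800000   19468    5600    5600HTTP CORE
 120      0   631076    87700  477360     123     123IPSEC key engine
"""


def parse_pools(text: str) -> Dict[str, Dict[str, int]]:
    """{'Processor': {'total': .., 'used': .., 'free': ..}, 'I/O': {...}}"""
    return {m.group(1): {"total": int(m.group(2)), "used": int(m.group(3)), "free": int(m.group(4))}
            for m in POOL_RE.finditer(text)}


def parse_process_memory(text: str) -> List[Dict]:
    """One dict per data row; numeric fields are sliced, not split on whitespace."""
    rows = []
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue                      # header, pool lines, blank lines, Total
        row = {name: int(line[a:b]) for name, a, b in COLUMNS}
        row["process"] = line[PROCESS_OFFSET:].strip()
        rows.append(row)
    return rows


def by_name(rows: List[Dict]) -> Dict[str, Dict]:
    return {r["process"]: r for r in rows}


def top_holders(rows: List[Dict], n: int = 5) -> List[Tuple[str, int]]:
    """Real processes ranked by Holding; *Init*/*Sched*/*Dead* are accounting entries."""
    real = [r for r in rows if not r["process"].startswith("*")]
    return [(r["process"], r["holding"])
            for r in sorted(real, key=lambda r: r["holding"], reverse=True)[:n]]


def holding_growth(before: List[Dict], after: List[Dict]) -> List[Tuple[str, int]]:
    """Per-process increase in Holding between two snapshots, largest first.
    Memory one process allocates can be freed by another, so Allocated-Freed
    is not a leak indicator; a Holding figure that keeps rising is."""
    prev = {r["process"]: r["holding"] for r in before}
    deltas = [(r["process"], r["holding"] - prev[r["process"]])
              for r in after if r["process"] in prev]
    return sorted([d for d in deltas if d[1] > 0], key=lambda d: d[1], reverse=True)


def free_fraction(text: str, pool: str = "Processor") -> float:
    p = parse_pools(text)[pool]
    return p["free"] / p["total"]


if __name__ == "__main__":
    rows1 = parse_process_memory(SNAPSHOT_1)
    print("processor pool free: {:.0%}".format(free_fraction(SNAPSHOT_1)))
    print("top holders:", top_holders(rows1, 3))
    print("growth:", holding_growth(rows1, parse_process_memory(SNAPSHOT_2)))
```

Feed it two captures of the real output taken a few hours apart and `holding_growth` lists the processes worth watching; with the processor pool here still about 78% free, a single slowly growing process rather than general exhaustion is what this kind of check would reveal.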
Here's the latest running config.
I reversed the changes in ACL 101 suggested by quadratic because VPN wouldn't work...

Code:
!This is the running config of the router: 192.168.16.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.61 192.168.16.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.16.0 255.255.255.0
   dns-server 216.135.95.2 64.132.94.250 
   default-router 192.168.16.1 
!
ip dhcp pool Shafers
   host 192.168.16.2 255.255.255.0
   hardware-address 00c0.9f10.d8a6
!
ip dhcp pool Drivecam
   host 192.168.16.3 255.255.255.0
   hardware-address 0016.41ef.439d
!
ip dhcp pool ITService
   host 192.168.16.4 255.255.255.0
   hardware-address 000d.6071.7798
!
ip dhcp pool Drivers
   host 192.168.16.14 255.255.255.0
   hardware-address 0040.ca36.35b3
!
ip dhcp pool Xerox
   host 192.168.16.13 255.255.255.0
   hardware-address 0000.f0a2.9947
!
ip dhcp pool Sharp
   host 192.168.16.30 255.255.255.0
   hardware-address 0880.1fff.22b1
!
ip dhcp pool Phaser
   host 192.168.16.60 255.255.255.0
   hardware-address 0000.aaad.9445
!
ip dhcp pool Shop
   host 192.168.16.5 255.255.255.0
   hardware-address 0040.f473.55aa
!
ip dhcp pool maintenance2
   host 192.168.16.6 255.255.255.0
   hardware-address 0009.6bf3.a799
!
ip dhcp pool shopmgr
   host 192.168.16.7 255.255.255.0
   hardware-address 0040.2b4d.cfea
!
ip dhcp pool mezzanine
   host 192.168.16.8 255.255.255.0
   hardware-address 0001.29d3.9cd4
!
!
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 216.135.95.2
ip name-server 64.132.94.250
ip name-server 192.168.16.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxx
 certificate self-signed 01

xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
<<certificate junk>>
xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx

  quit
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxx privilege 15 view root secret 5 xxxxxxxxxxxxxxxxxxxx
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group SHAFERVPN
 key xxxxxxxxxxxxxxxxxxxx
 dns 192.168.16.1 192.168.16.2
 wins 192.168.16.2
 domain SHAFERBUS
 pool SDM_POOL_1
 acl 105
 include-local-lan
 pfs
 max-users 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 600
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip address 66.192.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.17.50 192.168.17.55
ip classless
ip route 0.0.0.0 0.0.0.0 66.192.43.1
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.14 80 interface FastEthernet4 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any any eq www
access-list 100 remark GoChart Schedule
access-list 100 permit tcp any any eq 8085
access-list 100 remark Permit shafers website
access-list 100 permit tcp any any eq 8082
access-list 100 permit udp host 192.168.16.2 eq domain any
access-list 100 permit tcp any any eq 4443
access-list 100 deny   ip 66.192.43.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) ntp.twtelecom.net
access-list 101 permit udp host 207.250.222.200 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit ip host 192.168.17.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.55 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.55 192.168.16.0 0.0.0.255
access-list 101 permit udp any host 66.192.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host 66.192.xxx.xxx eq isakmp
access-list 101 permit esp any host 66.192.xxx.xxx
access-list 101 permit ahp any host 66.192.xxx.xxx
access-list 101 remark Auto generated by SDM for NTP (123) nist1-ny.witime.net
access-list 101 permit udp host 208.184.49.9 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit udp host 64.132.94.250 eq domain any
access-list 101 permit udp host 216.135.95.2 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 remark GoChart Schedule
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082
access-list 101 remark SSL
access-list 101 permit tcp any any eq 4443
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 66.192.xxx.xxx echo-reply
access-list 101 permit icmp any host 66.192.xxx.xxx time-exceeded
access-list 101 permit icmp any host 66.192.xxx.xxx unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.16.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.50
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.51
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.52
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.53
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.54
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.55
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.50
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.51
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.52
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.53
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.54
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.55
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175199
ntp server 207.250.222.200 source FastEthernet4 prefer
end
 
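To see which entry of ACL 101 a given packet hits, and why the reply half of a download never matches a static permit, here is a small first-match evaluator for the subset of IOS extended-ACL syntax the config above uses. It is an added example, not code from the thread or from Cisco; the ACL excerpt is copied from the config with the masked address 66.192.xxx.xxx replaced by the placeholder 66.192.43.2, and the packets in `demo()` are constructed.

```python
"""Trace packets through an IOS numbered extended ACL (added example, not from the thread).

Implements the subset of access-list syntax that ACL 101 in the running config
uses: permit/deny; protocol ip, tcp, udp, icmp, esp, ahp; 'any', 'host A' or
'A WILDCARD' for source and destination; an optional 'eq PORT' after either
address; and an ICMP type keyword after the destination.  Remark lines and
other ACL numbers are ignored.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names that appear in the config; numeric ports are used as-is.
PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")

# Excerpt of ACL 101 from the config above.  Assumption: the masked public
# address 66.192.xxx.xxx is written here as the placeholder 66.192.43.2.
ACL_101 = """
access-list 101 remark Auto generated by SDM for NTP (123) ntp.twtelecom.net
access-list 101 permit udp host 207.250.222.200 eq ntp host 66.192.43.2 eq ntp
access-list 101 permit ip host 192.168.17.50 192.168.16.0 0.0.0.255
access-list 101 permit udp any host 66.192.43.2 eq non500-isakmp
access-list 101 permit udp any host 66.192.43.2 eq isakmp
access-list 101 permit esp any host 66.192.43.2
access-list 101 permit ahp any host 66.192.43.2
access-list 101 permit udp host 64.132.94.250 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 8085
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 66.192.43.2 echo-reply
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def _address(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard is an inverse mask.  Invert it to a netmask so that a
    # wildcard of 0.0.0.0 becomes /32 instead of being misread as /0.
    # Non-contiguous wildcards (none in this config) raise ValueError.
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tok[i], mask), strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text: str, number: int) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m or int(m.group(1)) != number:
            continue                      # remarks, blank lines, other ACLs
        action, tok = m.group(2), m.group(3).split()
        proto = tok[0]
        src, i = _address(tok, 1)
        sport, i = _port(tok, i)
        dst, i = _address(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        aces.append(Ace(action, proto, src, sport, dst, dport, icmp_type, line))
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None, icmp_type=None) -> Tuple[str, str]:
    """First match wins, as in IOS; returns (action, text of the matching entry)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        if a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a.action, a.text
    return "deny", "implicit deny at end of list"


def demo() -> dict:
    """Constructed packets arriving inbound on FastEthernet4 (the WAN side)."""
    acl = parse_acl(ACL_101, 101)
    wan = "66.192.43.2"
    return {
        # reply half of an HTTP download a LAN host started: source port 80, high destination port
        "download_reply": evaluate(acl, "tcp", "93.184.216.34", wan, sport=80, dport=49152),
        # new connection to the port-forwarded web server (ip nat inside source static ... 80)
        "inbound_http": evaluate(acl, "tcp", "93.184.216.34", wan, sport=51000, dport=80),
        # IKE from a remote VPN client
        "ike": evaluate(acl, "udp", "198.51.100.7", wan, sport=500, dport=500),
        # reply from the ISP resolver listed under ip name-server
        "dns_reply": evaluate(acl, "udp", "64.132.94.250", wan, sport=53, dport=40000),
        # packet carrying a LAN source address that arrives from the WAN side
        "lan_source_from_wan": evaluate(acl, "ip", "192.168.16.5", wan),
    }


if __name__ == "__main__":
    for name, (action, entry) in demo().items():
        print(f"{name:20s} {action:6s} {entry}")
```

Run it and the reply to a LAN-initiated HTTP download (source port 80, high destination port) falls through to the final deny: `permit tcp any any eq www` matches only packets whose destination port is 80, that is, a new connection to the port-forwarded server on 192.168.16.14, not the returning data. On this router that returning data is admitted by the temporary entries the `ip inspect DEFAULT100 out` (CBAC) session opens ahead of ACL 101, so the inbound ACL and the inspection rule have to be tested as a pair; removing one changes what the other does. The evaluator also shows the effect of entry order: a packet with a 192.168.16.0/24 source address arriving on FastEthernet4 is accepted by `permit ip 192.168.16.0 0.0.0.255 any` before the later `deny ip 192.168.0.0 0.0.255.255 any` is reached, and it is `ip verify unicast reverse-path` on that interface, which rejects a source whose return route points at Vlan1, that would drop it.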
Still wrestling with this problem, and I'm stumped. I've tried playing with the ACLs and inspection rules, but the only way I have succeeded in getting consistent performance is to disable the ACLs entirely on the inside and outside interfaces AND the inspection rules - all at once.

In researching the problem, I ran across this article: which mentions an IOS bug (CSCsv78844) which caused similar symptoms, but I don't have access to the Bug Toolkit to see if it applies to v. 12.4(4)T7 :(

Is anyone familiar with this? Does it sound likely?

I guess it's time to subscribe to SMARTnet so I have access to this stuff... how is their support on IOS issues?
 
My cisco 871 router is recently suffering identical symptoms.

The moment an access-list is specified on the incoming side of the outward facing port (FastEthernet4 in this case) the download speed quickly drops to single digit bytes per second. Remove the ACL and the download speed is back to normal. This slowdown occurs even with a one-line non-logging inbound ACL: "access-list deny ip any any"

Oddly, this has only started happening recently, and yours is not the only recent post I have seen on this issue.

Again, the router has worked fine for a few years. When the problem first started I looked at the files on the router. There seemed to be a lot of crash dumps. After deleting the dump files, without changing anything else, the problem seemed to go away for a few days. Now the problem is back and there seems to be no explanation (but no more dump files).

I wonder if it is a flash memory fragmentation issue. If so, it may be a terminal planned obsolescence as there is no flash squeeze function in the 871 that I have been able to find.

Anyone have any ideas?
 
Why don't you save the config. Do a write erase. Add your inside and outside NAT statements. Then your ip nat inside source statements. And your NAT ACL. Your static route ip route 0.0.0.0 0.0.0.0 66.192.43.1. Then test your connection from the inside interface.
 