Cisco 871 General Config - DHCP not working

sackohammers

Technical User
Sep 22, 2009
29
US
Hello. I'm new to Cisco. Have the cookbook. Spent several hours over the last several days looking at examples and coming up with my own config. I usually don't ask for handouts, but I need some help to stay sane. I'm at the point now where I need to ask for help - just to get things up and running.

Below is my config. It likely has many mistakes. Right now, I can't get DHCP working on the inside.

Cisco 871.
Port FE4 is connected to my cable modem. It's getting its address from the cable modem (DHCP) just fine. It even has DNS enabled and I can ping out successfully by hostname.

Port FE0 is for a guest VLAN - VLAN 21. This is for guests like my in-laws to plug in their virus-ridden laptops when they come over. So it doesn't affect my machines. Currently, DHCP isn't working here.

Ports FE1-3 are for VLAN 11 where I'll have my machines.
This is where DHCP is failing. My machines inside are not getting an address from the router.

I have no idea what I'm doing with firewalls and it is possible the firewall settings I have are getting in the way. The firewall config I do have on there was taken from the tutorial over at tech-republic.

Any help is greatly appreciated. Please help me get DHCP up and running. Also, any advice on making the firewall more secure is greatly appreciated. With my current knowledge I wouldn't know if I were leaving any gaping holes open or not. Once I get the thing up and running, then I want to endeavor to understand more about the firewall configuration and learn on my own.
Eventually, I'll want to implement QoS (for gaming, no VOIP). If there is an easy way to implement that, I'd appreciate advice there as well.

Config pasted below:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
boot-start-marker
boot-end-marker
!
enable secret <Removed by Poster>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
ip domain name <Removed by Poster>
!
crypto key generate rsa
1024
ip ssh time-out 120
ip ssh authentication-retries 4
ip ssh version 2
!
!
ip cef
!
! I might be missing some passwords here
line con 0
no modem enable
line aux 0
line vty 0 4
! This line removes "Telnet" as the default command when in terminal mode - to prevent timeouts when a typo is entered
transport preferred none
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
service dhcp
!
ip dhcp pool VLAN11
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.254
domain-name <Removed by Poster>
lease 4
!
ip dhcp pool VLAN21
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
domain-name <Removed by Poster>
lease 4
!
!
ip inspect log drop-pkt
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
! Dynamic DNS to update IP address with no-IP.com
ip ddns update method MYUPDATE
HTTP
add http://<Removed by Poster>:<Removed by Poster>%40dynupdate.no-ip.com/nic/update%3Fhostname=<Removed by Poster>
! remove http://<Removed by Poster>:<Removed by Poster>%40dynupdate.no-ip.com/nic/update%3Fhostname=<Removed by Poster>
interval maximum 0 0 2 0
interval minimum 0 0 1 0
!
!
multilink bundle-name authenticated
!
!
username rtradmin secret <Removed by Poster>
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
switchport access vlan 21
no shut
!
interface FastEthernet1
switchport access vlan 11
no shut
!
interface FastEthernet2
switchport access vlan 11
no shut
!
interface FastEthernet3
switchport access vlan 11
no shut
!
interface FastEthernet4
! Dynamic DNS to update IP address with no-IP.com
ip ddns update hostname <Removed by Poster>
ip ddns update MYUPDATE
!
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect MYFW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface VLAN11
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
!
interface VLAN21
description Guest Network
no ip address
ip nat inside
ip virtual-reassembly
!
! ip forward-protocol udp
!
no ip http server
no ip http secure-server
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
! Turning off diag info to improve security
no cdp run
!
!
!
!
control-plane
!
banner login ^C
+--------------------------------------------------------------------+
/ WARNING /
/ ------- /
/ This system is solely for the use of authorized users for official /
/ purposes. You have no expectation of privacy in its use and to /
/ ensure that the system is functioning properly, individuals using /
/ this computer system are subject to having all of their activities /
/ monitored and recorded by system personnel. Use of this system /
/ evidences an express consent to such monitoring and agreement that /
/ if such monitoring reveals evidence of possible abuse or criminal /
/ activity, system personnel may provide the results of such /
/ monitoring to appropriate officials. /
+--------------------------------------------------------------------+
^C
!
!
scheduler max-task-time 5000
end

FW#
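Added example, not code from the thread: a small Python lint for the two configuration problems this thread turns on. IOS serves a DHCP request from the pool whose network contains the address of the interface the request arrived on, so an SVI left at `no ip address` (as Vlan11 and Vlan21 are above) can never hand out a lease; a later reply also asks for one of two overlapping `ip nat inside source ... overload` rules to be removed. Both sample configs inside are constructed excerpts modelled on this thread, not the poster's full config.

```python
"""Added lint for two issues in this thread's IOS config: DHCP pools that no
interface can serve, and an outside interface in two NAT overload rules."""
import ipaddress
import re

# Constructed excerpt modelled on the first posted config: the SVI has
# 'no ip address', so the pool's network matches no interface.
BROKEN = """\
ip dhcp pool VLAN11
network 10.10.10.0 255.255.255.0
!
interface Vlan11
no ip address
!
"""

# Constructed excerpt modelled on the later 'show run': SVIs addressed,
# but FastEthernet4 carries two overlapping NAT overload rules.
FIXED = """\
ip dhcp pool VLAN11
 network 10.10.10.0 255.255.255.0
!
ip dhcp pool VLAN21
 network 10.10.20.0 255.255.255.0
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
!
interface Vlan11
 ip address 10.10.10.254 255.255.255.0
!
interface Vlan21
 ip address 10.10.20.254 255.255.255.0
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list ACL-NAT interface FastEthernet4 overload
"""

def parse_blocks(config):
    """Return (header, [sub-lines]) for interface and DHCP-pool blocks. A block
    ends at the next '!', so this works with or without IOS indentation."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(("interface ", "ip dhcp pool ")):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks

def pool_networks(blocks):
    """Map pool name -> IPv4Network taken from 'network <addr> <mask>'."""
    pools = {}
    for header, body in blocks:
        if header.startswith("ip dhcp pool "):
            for line in body:
                m = re.match(r"network (\S+) (\S+)$", line)
                if m:
                    pools[header.split()[3]] = ipaddress.ip_network(
                        f"{m.group(1)}/{m.group(2)}", strict=False)
    return pools

def interface_addresses(blocks):
    """Map interface name -> IPv4Interface. 'no ip address' and
    'ip address dhcp' produce no entry, which is exactly the failure."""
    addrs = {}
    for header, body in blocks:
        if header.startswith("interface "):
            for line in body:
                m = re.match(r"ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$", line)
                if m:
                    addrs[header.split(None, 1)[1]] = ipaddress.ip_interface(
                        f"{m.group(1)}/{m.group(2)}")
    return addrs

def unserved_pools(config):
    """Pools whose network contains no interface address. IOS picks the pool
    by the receiving interface's subnet, so these can never hand out a lease."""
    blocks = parse_blocks(config)
    addrs = interface_addresses(blocks).values()
    return [(name, str(net)) for name, net in pool_networks(blocks).items()
            if not any(ifa.ip in net for ifa in addrs)]

def duplicate_nat_overload(config):
    """Outside interfaces named by more than one 'ip nat inside source list
    <acl> interface <X> overload' rule (the 'double NAT' a reply removes)."""
    seen = {}
    for line in config.splitlines():
        m = re.match(r"ip nat inside source list \S+ interface (\S+) overload", line.strip())
        if m:
            seen[m.group(1)] = seen.get(m.group(1), 0) + 1
    return sorted(name for name, n in seen.items() if n > 1)
```

Run `unserved_pools` on a full `show run` paste; an empty list for a pool that still fails points the search elsewhere (the ACL, CBAC or the switchport VLAN assignment).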
 
Hello
Please post the complete conf, now that the router can get to the web. Then take out the IPS and the IOS firewall. Just do a:
conf t
interface FastEthernet4
no ip inspect MYFW out

Don't see any access-list applied to the interface, but if there's one take it out as well.
The IPS and CBAC may be slowing you down. So let's test to see.
Regards
 
Holy crap, I totally missed your CBAC config, my bad... it's been one of dem days. Disregard what I said about applying the ACL to your interface...

Uncle, uncle, uncle...how can CBAC inspect traffic and know what to do without an acl applied to an interface? That's the way CBAC works, as I understand it. Its main purpose is to allow outbound connections with legit layer 7 dealios to pass and come back in, but deny outside-in. Kind of like the "established" keyword at the end of an acl, but inspecting L7 (for like invalid smtp verbs, etc.).

I do not see CBAC even working anything here. It does not come into play.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Ok guys. I had an old buddy try to help me. I'm not sure if he helped or made things more complicated. hehe.

Again, it's sort of working. I can browse the web, but for many sites it's slower. Oftentimes pictures don't load. Wired.com takes forever to load, for example. Here is my "show run":

Code:
FW#sh run
Building configuration...

Current configuration : 4637 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
boot-start-marker
boot-end-marker
!
enable secret 5 <Removed by Poster>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
ip dhcp pool VLAN11
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.254
   domain-name karass.com
   dns-server 10.10.10.150
   lease 4
!
ip dhcp pool VLAN21
   import all
   network 10.10.20.0 255.255.255.0
   default-router 10.10.20.254
   domain-name karass.com
   dns-server 10.10.10.150
   lease 4
!
!
ip domain name karass.com
ip inspect log drop-pkt
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW cuseeme
ip inspect name MYFW dns
ip inspect name MYFW ftp
ip inspect name MYFW h323
ip inspect name MYFW https
ip inspect name MYFW imap
ip inspect name MYFW pop3
ip inspect name MYFW netshow
ip inspect name MYFW rcmd
ip inspect name MYFW realaudio
ip inspect name MYFW esmtp
ip inspect name MYFW sqlnet
ip inspect name MYFW streamworks
ip inspect name MYFW tftp
ip inspect name MYFW vdolive
ip ddns update method MYUPDATE
 HTTP
  add http://<Removed by Poster>:<Removed by Poster>/nic/update%3Fhostname=<Removed by Poster>
 interval maximum 0 0 2 0
 interval minimum 0 0 1 0
!
!
multilink bundle-name authenticated
!
!
username rtradmin secret 5 <Removed by Poster>
!
!
archive
 log config
  hidekeys
!
!
ip ssh authentication-retries 4
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 21
!
interface FastEthernet1
 switchport access vlan 11
!
interface FastEthernet2
 switchport access vlan 11
!
interface FastEthernet3
 switchport access vlan 11
!
interface FastEthernet4
 ip ddns update hostname <Removed by Poster>
 ip ddns update MYUPDATE
 ip address dhcp
 ip access-group ACL-INBOUND in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect MYFW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan11
 description Internal Network
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan21
 description Guest Network
 ip address 10.10.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list ACL-NAT interface FastEthernet4 overload
!
ip access-list standard ACL-NAT
 permit 10.10.10.0 0.0.0.255
 permit 10.10.20.0 0.0.0.255
!
ip access-list extended ACL-INBOUND
 permit icmp any any
 permit udp any eq bootps any eq bootpc
 permit udp host 192.5.41.41 eq ntp any eq ntp
 deny   ip any any log
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
+--------------------------------------------------------------------+
/                              WARNING                               /
/                              -------                               /
/ This system is solely for the use of authorized users for official /
/ purposes.  You have no expectation of privacy in its use and to    /
/ ensure that the system is functioning properly, individuals using  /
/ this computer system are subject to having all of their activities /
/ monitored and recorded by system personnel.  Use of this system    /
/ evidences an express consent to such monitoring and agreement that /
/ if such monitoring reveals evidence of possible abuse or criminal  /
/ activity, system personnel may provide the results of such         /
/ monitoring to appropriate officials.                               /
+--------------------------------------------------------------------+
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport preferred none
!
scheduler max-task-time 5000
end

!
!
 
Here is "show int fa1"

Code:
FW#sh int fa1
FastEthernet1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0024.14db.0e65 (bia 0024.14db.0e65)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     6622 packets input, 1259346 bytes, 0 no buffer
     Received 98 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7500 packets output, 7095199 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FW#
 
Here is "show int fa4"

Code:
FW#sh int fa4
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0024.14db.0e6e (bia 0024.14db.0e6e)
  Internet address is 67.9.163.19/20
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:18, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 9000 bits/sec, 20 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     30979 packets input, 8554626 bytes
     Received 23935 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     5667 packets output, 978120 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FW#

Thanks,
Hammers
 
I gave you an MTU solution---try that.

 
Ah, ok. I thought you said to only do that if I had ADSL.

I'll give the first command you listed there a try.

Thanks.
 
I added "ip tcp adjust-mss 1452" to fa4 and the VLANs. This didn't improve performance.
 
Is it normal to see all this being logged to my serial session?

Code:
*Sep 26 02:14:39.407: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2831), 1 packet
*Sep 26 02:14:49.251: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.149.121(80) -> 67.9.163.19(2695), 1 packet
*Sep 26 02:14:59.535: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2920), 1 packet
*Sep 26 02:15:25.279: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2915), 1 packet
*Sep 26 02:15:29.391: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.206.60(80) -> 67.9.163.19(2276), 1 packet
*Sep 26 02:15:49.711: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.17.27(80) -> 67.9.163.19(2685), 1 packet
*Sep 26 02:15:51.135: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.15.125(80) -> 67.9.163.19(2290), 1 packet
*Sep 26 02:19:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.15.242(80) -> 67.9.163.19(2701), 5 packets
*Sep 26 02:19:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2831), 2 packets
*Sep 26 02:19:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.149.121(80) -> 67.9.163.19(2695), 7 packets
*Sep 26 02:20:19.807: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 124.120.236.29(8109) -> 67.9.163.19(64993), 1 packet
*Sep 26 02:20:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2920), 6 packets
*Sep 26 02:20:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2915), 5 packets
*Sep 26 02:20:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2908), 6 packets
*Sep 26 02:20:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.206.60(80) -> 67.9.163.19(2276), 4 packets
*Sep 26 02:20:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.17.27(80) -> 67.9.163.19(2685), 2 packets
*Sep 26 02:20:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 65.55.15.125(80) -> 67.9.163.19(2290), 4 packets
*Sep 26 02:21:41.043: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 222.173.147.28(1128) -> 67.9.163.19(1434), 1 packet
*Sep 26 02:25:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2920), 3 packets
*Sep 26 02:25:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2915), 4 packets
*Sep 26 02:25:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2908), 3 packets
*Sep 26 02:36:05.847: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 218.113.146.5(21578) -> 67.9.163.19(64993), 1 packet
*Sep 26 02:40:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 124.120.236.29(8109) -> 67.9.163.19(64993), 1 packet
*Sep 26 02:41:12.043: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 218.16.239.244(60273) -> 67.9.163.19(22), 1 packet
*Sep 26 02:46:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 218.16.239.244(60273) -> 67.9.163.19(22), 1 packet
*Sep 26 02:55:05.695: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 74.63.225.44(12200) -> 67.9.163.19(9090), 1 packet
*Sep 26 02:56:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 218.113.146.5(21578) -> 67.9.163.19(64993), 1 packet
*Sep 26 02:59:40.547: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 61.160.216.63(12200) -> 67.9.163.19(9090), 1 packet
*Sep 26 03:05:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.82(80) -> 67.9.163.19(2831), 5 packets
*Sep 26 03:06:36.183: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 208.83.20.130(6667) -> 67.9.163.19(1024), 1 packet
*Sep 26 03:06:37.467: %FW-6-DROP_PKT: Dropping tcp session 74.125.47.148:80 10.10.10.18:3049 due to Stray Segment with ip ident 34787 tcpflags 0x5004 seq.no 4058932078 ack 0
*Sep 26 03:07:42.691: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 24.143.192.88(80) -> 67.9.163.19(3063), 1 packet
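Added example, not from the thread: a parser for `%SEC-6-IPACCESSLOGP` lines like the ones above that separates the two kinds of deny they contain. Packets from a web or DNS server port aimed at an ephemeral port on the outside address are, with an inspect rule on the outside interface, most likely replies to sessions inside hosts opened that reached the ACL after the inspection entry closed (the `%FW-6-DROP_PKT ... Stray Segment` line is the same effect seen by CBAC); everything else is unsolicited traffic at the outside address, summed by the local port it was aimed at. The sample lines are constructed with RFC 5737 documentation addresses and modelled on the posted log.

```python
"""Added triage for IOS %SEC-6-IPACCESSLOGP denies (not code from the thread):
split late replies to inside-initiated sessions from unsolicited probes."""
import re
from collections import Counter

LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Server ports whose packets, when aimed at an ephemeral port on the outside
# address, are almost always replies to sessions an inside host opened; they
# reach the ACL once the inspect entry for that session has expired or closed.
REPLY_SOURCE_PORTS = {80, 443, 53}

# Constructed sample modelled on the posted log, using RFC 5737 addresses.
SAMPLE_LOG = """\
*Sep 26 02:14:39.407: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 198.51.100.82(80) -> 203.0.113.19(2831), 1 packet
*Sep 26 02:19:57.827: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 198.51.100.82(80) -> 203.0.113.19(2831), 2 packets
*Sep 26 02:21:41.043: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 198.51.100.28(1128) -> 203.0.113.19(1434), 1 packet
*Sep 26 02:41:12.043: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 198.51.100.244(60273) -> 203.0.113.19(22), 1 packet
*Sep 26 03:06:36.183: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied tcp 198.51.100.130(6667) -> 203.0.113.19(1024), 1 packet
*Sep 26 03:06:37.467: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.148:80 10.10.10.18:3049 due to Stray Segment
*Sep 26 05:08:12.243: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 198.51.100.127(53) -> 203.0.113.19(61157), 1 packet
"""

def parse_deny(line):
    """Return the fields of one ACL deny message, or None for other syslog lines."""
    m = LOGP.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry

def classify(entry):
    """'late-reply' for server-port -> ephemeral-port packets, else 'unsolicited'."""
    if entry["sport"] in REPLY_SOURCE_PORTS and entry["dport"] >= 1024:
        return "late-reply"
    return "unsolicited"

def triage(lines):
    """Sum denied packets per class: late replies keyed by the remote server
    port, unsolicited probes keyed by the local port they were aimed at."""
    summary = {"late-reply": Counter(), "unsolicited": Counter(), "skipped": 0}
    for line in lines:
        entry = parse_deny(line)
        if entry is None:
            summary["skipped"] += 1
            continue
        kind = classify(entry)
        port = entry["sport"] if kind == "late-reply" else entry["dport"]
        summary[kind][f'{entry["proto"]}/{port}'] += entry["count"]
    return summary

if __name__ == "__main__":
    for kind, counts in triage(SAMPLE_LOG.splitlines()).items():
        print(kind, dict(counts) if isinstance(counts, Counter) else counts)
```

A large `late-reply` count is the ACL doing its job behind the inspect rule; the `unsolicited` bucket (22, 1434, 9090 in the posted log) is the background scanning every public address receives and is the part worth watching.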
 
Hello
Did you try the test I posted in my last post? Please try this and tell us if things have improved.

conf t
interface FastEthernet4
no ip inspect MYFW out
ip access-group ACL-INBOUND in

Also kill one of the double NAT statements, one or the other.

no ip nat inside source list ACL-NAT interface FastEthernet4 overload

no ip access-list standard ACL-NAT
permit 10.10.10.0 0.0.0.255
permit 10.10.20.0 0.0.0.255

Regards



 
Ok. I tried those and it broke. I couldn't get anything out at all. I copied the "sh run" and will paste it below.

I entered:
ip inspect MYFW out
no ip access-group ACL-INBOUND in

so that I could access the internet again.

Code:
FW#show run
Building configuration...

Current configuration : 4456 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
boot-start-marker
boot-end-marker
!
enable secret 5 <redacted>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
*Sep 26 05:08:12.243: %SEC-6-IPACCESSLOGP: list ACL-INBOUND denied udp 24.93.41.127(53) -> 67.9.163.19(61157),
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
ip dhcp pool VLAN11
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.254
   domain-name karass.com
   dns-server 10.10.10.150
   lease 4
!
ip dhcp pool VLAN21
   import all
   network 10.10.20.0 255.255.255.0
   default-router 10.10.20.254
   domain-name karass.com
   dns-server 10.10.10.150
   lease 4
!
!
ip domain name karass.com
ip inspect log drop-pkt
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW cuseeme
ip inspect name MYFW dns
ip inspect name MYFW ftp
ip inspect name MYFW h323
ip inspect name MYFW https
ip inspect name MYFW imap
ip inspect name MYFW pop3
ip inspect name MYFW netshow
ip inspect name MYFW rcmd
ip inspect name MYFW realaudio
ip inspect name MYFW esmtp
ip inspect name MYFW sqlnet
ip inspect name MYFW streamworks
ip inspect name MYFW tftp
ip inspect name MYFW vdolive
ip ddns update method MYUPDATE
 HTTP
  add http://<redacted>:<redacted>%40dynupdate.no-ip.com/nic/update%3Fhostname=<redacted>
 interval maximum 0 0 2 0
 interval minimum 0 0 1 0
!
!
multilink bundle-name authenticated
!
!
username rtradmin secret 5 <redacted>
!
!
archive
 log config
  hidekeys
!
!
ip ssh authentication-retries 4
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 21
!
interface FastEthernet1
 switchport access vlan 11
!
interface FastEthernet2
 switchport access vlan 11
!
interface FastEthernet3
 switchport access vlan 11
!
interface FastEthernet4
 ip ddns update hostname <redacted>
 ip ddns update MYUPDATE
 ip address dhcp
 ip access-group ACL-INBOUND in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan11
 description Internal Network
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan21
 description Guest Network
 ip address 10.10.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended ACL-INBOUND
 permit icmp any any
 permit udp any eq bootps any eq bootpc
 permit udp host 192.5.41.41 eq ntp any eq ntp
 deny   ip any any log
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
+--------------------------------------------------------------------+
/                              WARNING                               /
/                              -------                               /
/ This system is solely for the use of authorized users for official /
/ purposes.  You have no expectation of privacy in its use and to    /
/ ensure that the system is functioning properly, individuals using  /
/ this computer system are subject to having all of their activities /
/ monitored and recorded by system personnel.  Use of this system    /
/ evidences an express consent to such monitoring and agreement that /
/ if such monitoring reveals evidence of possible abuse or criminal  /
/ activity, system personnel may provide the results of such         /
/ monitoring to appropriate officials.                               /
+--------------------------------------------------------------------+
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport preferred none
!
scheduler max-task-time 5000
end

FW#
 
Wups. Posted some info I shouldn't have. Changing passwords to everything now, LOL.
 
I would just about kill for an "Edit Post" button about right now.
 
Hi
Don't worry, we don't have many hackers around here. In any case those two commands couldn't have stopped the access to the web. What I am trying to do is let you configure a very basic conf first. If it works correctly, then it's the firewall or DDNS that are slowing things down. What you're trying to do is very simple. My network at home is exactly like yours.
To do this, copy your present conf to a safe place, do an "erase startup", then reload and paste the below conf. Let us know how it goes.

Conf t
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
boot-start-marker
boot-end-marker
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.100 10.10.10.254
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
ip dhcp pool VLAN11
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.254
domain-name karass.com
dns-server 10.10.10.150
lease 4
!
ip dhcp pool VLAN21
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
domain-name karass.com
dns-server 10.10.10.150
lease 4


!
interface FastEthernet0
switchport access vlan 21
!
interface FastEthernet1
switchport access vlan 11
!
interface FastEthernet2
switchport access vlan 11
!
interface FastEthernet3
switchport access vlan 11
!
interface FastEthernet4
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan11
description Internal Network
ip address 10.10.10.254 255.255.255.0
ip nat inside


!
interface Vlan21
description Guest Network
ip address 10.10.20.254 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!

ip nat inside source list 1 interface FastEthernet4 overload
!

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
no cdp run
!

!
control-plane
!

!
line con 0
no modem enable
line aux 0
line vty 0 4
transport preferred none
!
end



Regards
 
Ok, I did a write erase and started over with the basic config you listed here.

It's still pretty laggy. I'm also getting a lot of timeouts like before. For example, it took almost a minute to load slashdot.org's website.

CNN came right up one time... almost instantly. The next time, it timed out trying to load it.
Wired.com took 45 seconds or so to load the front page.

I went to logitech.com and it timed out. I opened another browser window, typed in logitech.com and it loaded in less than 5 seconds.

Sometimes when I load a page... it'll load in general, but most of the pictures won't load and I'll just see an X or the alt text for the picture.
 
Do a ping -t for about 5 minutes. You may have a bad cable. Also, go to speakeasy.com and do a bandwidth speed test, like 5 times, and take the average. Do you have another comp to test with?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
ok, now would be a good time to see the output from show interface f4 as well as sh int vlan21 and sh int vlan11

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Uncle, nothing to do on a Sunday? lol

 
Ok.

I ran a ping -t and times looked good. I also like to use WinMTR and I posted a link to my output. Not one dropped and the averages look good.

I'm doing testing here with three machines (one is my server). I get the same behaviour on all three machines. DNS lookups are almost instant, so I know it's not DNS holding me up.

It's not cabling because I'm using the exact same cables. All I'm doing is taking the cable from my switch and the cable from my cable modem and have moved them from my D-Link to the Cisco.

If I switch everything back to the D-Link, reboot the cable modem, the switch, the D-Link, renew the IPs on my workstations, then web browsing is faster. When I repeat all of that and go to the Cisco, then I get the problems.

Here are the requested "sh int" results:

Code:
FW#show interface fa4
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0024.14db.0e6e (bia 0024.14db.0e6e)
  Internet address is 67.9.163.19/20
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 16000 bits/sec, 30 packets/sec
  5 minute output rate 6000 bits/sec, 9 packets/sec
     279283 packets input, 38538058 bytes
     Received 256978 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     17491 packets output, 2519894 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FW#

Code:
FW#sh int vlan11
Vlan11 is up, line protocol is up
  Hardware is EtherSVI, address is 0024.14db.0e64 (bia 0024.14db.0e64)
  Description: Internal Network
  Internet address is 10.10.10.254/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7000 bits/sec, 11 packets/sec
  5 minute output rate 7000 bits/sec, 12 packets/sec
     18818 packets input, 2752882 bytes, 0 no buffer
     Received 458 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     22713 packets output, 22713846 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
FW#

I'm not using anything on VLAN21 yet, but here it is anyway.

Code:
FW#sh int vlan21
Vlan21 is up, line protocol is down
  Hardware is EtherSVI, address is 0024.14db.0e64 (bia 0024.14db.0e64)
  Description: Guest Network
  Internet address is 10.10.20.254/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
FW#

Here are the results from my speakeasy tests (from Austin to Dallas):
1) down 14,591 / up 483
2) down 16,304 / up 491
3) down 17,401 / up 491
4) down 15,109 / up 493
5) down 16,259 / up 490

Those speeds look reasonable. It seems like it's something in the initial connection with a remote host. It either connects or it doesn't.

Like, when I went to download WinMTR again. I went to the website and selected download... it just sat there for about a minute. Finally I clicked on the download link again and it connected and downloaded very quickly.

Thanks,
Hammers
 
 http://img101.imageshack.us/img101/7803/85534599.jpg
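The "sh int" output above is what a practitioner reads first when a link "either connects or it doesn't": line protocol state, negotiated duplex and speed, and the error counters (CRC, input errors, collisions, interface resets, drops). Reading those by eye across several interfaces is error-prone, so here is an added example, not code from the thread, that parses one "show interface" block and reports only what is non-zero or not "up". It uses the FastEthernet4 output posted above as its embedded sample; the half-duplex/CRC variant in the usage note is constructed to show what a bad link would look like.

```python
import re

# Sample input: the "show interface fa4" output posted above (the 871's WAN port).
FA4_OUTPUT = """\
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0024.14db.0e6e (bia 0024.14db.0e6e)
  Internet address is 67.9.163.19/20
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 16000 bits/sec, 30 packets/sec
  5 minute output rate 6000 bits/sec, 9 packets/sec
     279283 packets input, 38538058 bytes
     Received 256978 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     17491 packets output, 2519894 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"""

# Counters whose non-zero value points at a cabling, duplex or congestion problem.
ERROR_COUNTERS = [
    "input errors", "CRC", "frame", "overrun", "ignored", "runts", "giants",
    "throttles", "output errors", "collisions", "late collision", "deferred",
    "interface resets", "underruns", "lost carrier", "no carrier",
    "output buffer failures",
]
COUNTER_RE = re.compile(r"(\d+) (" + "|".join(map(re.escape, ERROR_COUNTERS)) + r")(?=,|$)", re.M)
HEADER_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)", re.M)
DUPLEX_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex, (\S+),", re.M)
DROPS_RE = re.compile(r"Total output drops: (\d+)")
INQUEUE_RE = re.compile(r"Input queue: \d+/\d+/(\d+)/(\d+)")


def parse_show_interface(text):
    """Extract state, negotiated duplex/speed and error counters from one 'show interface' block."""
    hdr = HEADER_RE.search(text)
    if not hdr:
        raise ValueError("not a 'show interface' block")
    info = {"name": hdr[1], "status": hdr[2], "protocol": hdr[3],
            "duplex": None, "speed": None, "counters": {}}
    if m := DUPLEX_RE.search(text):  # SVIs (Vlan11, Vlan21) have no duplex line
        info["duplex"], info["speed"] = m[1], m[2]
    for value, name in COUNTER_RE.findall(text):
        info["counters"][name] = int(value)
    if m := DROPS_RE.search(text):
        info["counters"]["total output drops"] = int(m[1])
    if m := INQUEUE_RE.search(text):
        info["counters"]["input queue drops"] = int(m[1])
        info["counters"]["input queue flushes"] = int(m[2])
    return info


def assess(info):
    """Return findings; an empty list means nothing in the block explains a slow or flapping link."""
    findings = []
    if info["protocol"] != "up":
        findings.append(f"{info['name']}: line protocol is {info['protocol']}")
    if info["duplex"] == "Half":
        findings.append(f"{info['name']}: half-duplex at {info['speed']} (check for a duplex mismatch)")
    for name, value in info["counters"].items():
        if value:
            findings.append(f"{info['name']}: {value} {name}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_show_interface(FA4_OUTPUT)) or ["no error counters to report"]:
        print(finding)
```

On the posted FastEthernet4 output the only finding is the 2 interface resets; the link is full-duplex at 100Mb/s with zero CRC, input and output errors, which argues against the bad-cable theory raised earlier in the thread. Feeding it a constructed variant of the same block with "Half-duplex, 10Mb/s" and a few hundred CRC errors produces the duplex-mismatch and CRC findings a cabling problem would show.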