Software version is 12.3(7)T1 and the config is:
Current configuration : 10818 bytes
!
! Last configuration change at 11:55:18 UTC Fri Nov 6 2009
! NVRAM config last updated at 12:13:16 UTC Thu Nov 5 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret xxxxxxxxxxxx
!
username xxxxxxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authentication ppp default local group radius
aaa authorization network groupauthor local group radius if-
authenticated
aaa session-id common
ip subnet-zero
!
!
ip domain name xxxxxxx
ip name-server 192.168.xxx
ip name-server 192.168.xxx
!
!
no ip bootp server
no ip cef
ip inspect name fwinspect udp
ip inspect name fwinspect smtp
ip inspect name fwinspect tcp
ip inspect name fwinspect cuseeme
ip inspect name fwinspect ftp
ip inspect name fwinspect rcmd
ip inspect name fwinspect realaudio
ip inspect name fwinspect streamworks
ip inspect name fwinspect vdolive
ip inspect name fwinspect sqlnet
ip inspect name fwinspect icmp
ip audit po max-events 100
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
async-bootp dns-server 192.168.xxx 192.168.xxx
async-bootp nbns-server 192.168.xxx
no ftp-server write-enable
!
!
crypto pki trustpoint xxx
revocation-check crl
!
!
!
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxx address xxx no-xauth
crypto isakmp key xxx address xxx no-xauth
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group xxx
key xxx
dns 192.168.xxx
wins 192.168.xxx
domain xxx
pool dialin
acl 111
save-password
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
!
crypto dynamic-map vpnclient 1
set transform-set cm-transformset-1
!
!
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 20 ipsec-isakmp
description VPN to xxx
set peer xxx
set transform-set cm-transformset-1
set pfs group2
match address 110
crypto map cm-cryptomap 30 ipsec-isakmp
description VPN to xxx
set peer xxx
set transform-set cm-transformset-1
set pfs group2
match address 120
crypto map cm-cryptomap 50 ipsec-isakmp dynamic vpnclient
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Connection to ISP
ip address xxx 255.255.255.240
ip access-group 199 in
ip nat outside
speed 100
full-duplex
crypto map cm-cryptomap
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface Virtual-PPP1
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
peer default ip address pool pptp
ppp encrypt mppe auto passive
ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
ip address 192.168.xxx 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect fwinspect in
ip policy route-map no-static-nat
!
interface Virtual-TokenRing1
no ip address
shutdown
ring-speed 16
!
ip local pool pptp 192.168.xxx 192.168.xxx
ip local pool dialin 192.168.xxx 192.168.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx
ip route 172.22.xxx 255.255.0.0 xxx
ip route 192.168.xxx 255.255.255.0 xxx
ip route 192.168.xxx 255.255.255.0 xxx
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 192.168.xxx 20 xxx 20 extendable
ip nat inside source static tcp 192.168.xxx 21 xxx 21 extendable
ip nat inside source static tcp 192.168.xxx 25 xxx 25 extendable
ip nat inside source static tcp 192.168.xxx 587 xxx 587 extendable
ip nat inside source static tcp 192.168.xxx 993 xxx 993 extendable
ip nat inside source static tcp 192.168.xxx 995 xxx 995 extendable
ip nat inside source static tcp 192.168.xxx 3389 xxx 3389 extendable
ip nat inside source static 192.168.xxx xxx
!
!
access-list 101 remark =========Outgoing traffic=========
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit ip any 172.22.0.0 0.0.255.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit tcp host 192.168.xxx eq 3389 any established
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp host 192.168.xxx any eq smtp
access-list 101 permit tcp host 192.168.xxx eq 587 any established
access-list 101 permit tcp host 192.168.xxx eq 993 any established
access-list 101 permit tcp host 192.168.xxx eq smtp any established
access-list 101 permit tcp host 192.168.xxx eq 995 any established
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit tcp host 192.168.xxx any eq ident
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1863
access-list 101 permit icmp 192.168.xxx 0.0.0.255 any echo
access-list 101 permit tcp any any eq 8005
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq nntp
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 123
access-list 101 permit tcp any any eq 8443
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 5900
access-list 101 permit udp any any eq 80
access-list 101 permit udp any any eq 5050
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 995
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit tcp host 192.168.xxx any eq 2703
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit udp host 192.168.xxx any
access-list 101 permit tcp host 192.168.xxx any
access-list 101 permit udp any any range 10000 20000
access-list 101 remark ====ipsec vpn===
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 105 remark =========Don't NAT VPN Traffic=========
access-list 105 deny ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 105 permit ip 192.168.xxx 0.0.0.255 any
access-list 108 remark =========not used=========
access-list 108 permit ip 192.168.xxx 0.0.0.255 any
access-list 110 remark ========xxx VPN========
access-list 110 permit ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
access-list 110 deny ip 192.168.xxx 0.0.0.255 any
access-list 111 remark ========Cisco VPN Client========
access-list 111 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 111 deny ip 192.168.xxx 0.0.0.255 any
access-list 112 remark =======VPN traffic not to NAT==========
access-list 112 permit ip any 172.22.xxx 0.0.255.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 120 remark ========xx VPN==========
access-list 120 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 120 deny ip 192.168.xxx 0.0.0.255 any
access-list 199 remark ========Outside to Inside==========
access-list 199 deny icmp any any fragments
access-list 199 permit icmp any host xxx echo
access-list 199 permit icmp any 192.168.xxx 0.0.0.255 echo-reply
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any time-exceeded
access-list 199 deny icmp any any
access-list 199 remark ====ipsec vpn===
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 remark ====pptp vpn===
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 1723
access-list 199 remark ====Email to server===
access-list 199 permit tcp any host xxx eq 993
access-list 199 permit tcp any host xxx eq smtp
access-list 199 permit tcp any host xxx eq 995
access-list 199 permit tcp any host xxx eq 587
access-list 199 remark ====Terminal services from xxx===
access-list 199 permit tcp host xxx host xxx eq 3389
access-list 199 remark ====FTP to internal server===
access-list 199 permit tcp any host xxx eq ftp
access-list 199 remark ====VOIP to xxx===
access-list 199 permit udp any host xxx eq 5060
access-list 199 permit udp any host xxx eq 4569
access-list 199 permit udp any host xxx range 10000 20000
access-list 199 remark =====Ports for xxx====
access-list 199 permit udp host xxx any eq 5050
access-list 199 permit udp host xxx any eq 80
access-list 199 permit tcp host xxx any eq 22
access-list 199 permit udp host xxx any eq 5050
access-list 199 permit udp host xxx any eq 80
access-list 199 permit tcp host xxx any eq 22
!
route-map proxy-redirect permit 10
match ip address 112
set ip next-hop 192.168.xxx
!
route-map no-static-nat permit 1
match ip address 112
set ip next-hop 1.1.1.2
!
route-map nonat permit 10
match ip address 105
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server host 192.168.xxx auth-port 1645 acct-port 1646
radius-server key 7 xxx
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period x
ntp server 192.168.xxx
ntp server 192.168.xxx
!
end
Sounds like a bug.
A few things might not work with CEF (as I vaguely recall)
but this is usually implemented by the stuff that does
not work with CEF, simply not using it even if enabled.
I do not recall that any QoS does not work with CEF.
If you point to the documents that recommend CEF
then perhaps someone may comment on them.
There has been a tendency to recommend CEF as some
sort of panacea to fix all ills but mostly there is no
special advantage to using it. (Certain load balancing
being one exception where it can pay dividends.)
What feature set do you have?
How much DRAM?
How much flash?
It's all in the sh ver
"Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version
12.4(15)T7, RELEASE SOFTWARE (fc3)
...
Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K
bytes of memory.
...
24576K bytes of processor board System flash (Intel Strataflash)"
It's best just to post the whole sh ver, perhaps removing the
"Processor board ID .............."
line to avoid possible identification?
12.3(7)T1 sounds pretty ancient. If you can why not upgrade?
Avoid T code unless you need to use it.
Image Name c1700-k9o3sy7-mz.124-25b.bin
DRAM / Min Flash 96 / 32
Enterprise Product Number S17C7HK9-12425
Might be appropriate.
IP/ADSL/FW/IDS PLUS IPSEC 3DES
In famous words of Cisco TAC - "Upgrade to latest mainline and call us
back!" :-)
Andrey.
| I'm trying to work out why enabling CEF on our 1712 causes web
| browsing to stop. I want to enable CEF so I can prioritise SIP and
| other traffic on our WAN connection and from google I understand that
| cef is the first step towards doing this. however when I enable CEF I
| get problems with normal browser traffic. The simplest way to prove
| the problem is to try to watch the BBC live news channel, after
| exactly and repeatably 29sec the stream stops.
| Perhaps there is something wrong with the config , I don't know , it
| has been working fine until I turned cef on and works fine if I turn
| it off again (which I do quickly when my users start complaining)..
| thanks for any pointers
I've had problems with CEF on point-to-point connections:
This particular problem was "fixed" in a later release in the sense that
IOS now appears to automatically disable CEF on the serial interface.
You might want to check your CEF adjacencies after the stream stops.
Dan Lanciani
ddl@danlan.*com
> Sounds like a bug.
>
I was wondering this myself.
>
> If you point to the documents that recommend CEF
> then perhaps someone may comment on them.
>
If I try:
ip nbar protocol-discovery on the wan interface
I get
CEF or distributed CEF switching is required for NBAR 'protocol
discovery' command
>
> What feature set do you have?
> How much DRAM?
> How much flash?
> It's all in the sh ver
>
sho vers
Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(7)
T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 22-Apr-04 09:44 by eaarmas
ROM: System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)
autogard1700 uptime is 4 days, 23 hours, 54 minutes
System returned to ROM by reload at 08:14:43 UTC Thu Nov 5 2009
System restarted at 08:17:15 UTC Thu Nov 5 2009
System image file is "flash:c1700-k9o3sy7-mz.123-7.T1.bin"
snip
Cisco 1712 (MPC862P) processor (revision 0x101) with 85243K/13061K
bytes of memory.
MPC862P processor: part number 7, mask 0
1 Ethernet interface
5 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
As you suggest I think an upgrade is very much in order.
Mike
I suspected this might be needed, I assume this would be more economic
that getting a new router, but what is the downside to putting new
software on old kit?
Mike
Usually a new IOS version won't fit in an old router without a memory
upgrade.
I have had very strange problems with CEF as well, when combined with
dialers (unfortunately required for ADSL with PPPoA) and also with
policy routing.
Mike
Miraculously I seemed to have guessed the correct
feature set and so you can see above the memory
requirements.
Image Name c1700-k9o3sy7-mz.124-25b.bin
DRAM / Min Flash 96 / 32
Same as for 12.3T.
You have enough RAM and Flash.
Of course 12.4 mainline is basically the last development
of 12.3T but now with 25 and more rounds of bug
fixes:-) or :-(.
I can recall doing PBR to a loopback
to avoid NAT but we stopped years ago and
did it differently. I did not do much static NAT
and can't recall the details now. Not seen that for
years anyway.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
NAT - Ability to Use Route Maps with Static Translations
12.2(4)T This feature was introduced.
So it looks slike you could remove the PBR if you
preferred. It always seemed like a horrible kludge to
me anyway.
We had to use PBR because we had two ADSL interfaces to internet, each
with source address filtering. As you cannot randomly send traffic out
to the ADSL in this case, as happens when you set two default routes,
we used PBR with a loopback interface for all the outbound traffic.
(selecting the proper ADSL interface based on the source address of
the traffic)
This worked OK, but not with CEF.
Now the ADSL lines are retired and replaced by a single fiber, the
problem is gone and CEF is now enabled on the router.
IOS is 12.4(5a), has been updated several times but it never fixed the
issue.
Well, drops are bad if you need the packets routed. :) Do the drops
start as soon as CEF is enabled or after the problem occurs? Did you
try disabling CEF on the loopback interface (only)?
Dan Lanciani
ddl@danlan.*com
From my poking around ciscos site I thought I should be able to
upgrade too. thanks for the info/confirmation.
>
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatr...
> NAT - Ability to Use Route Maps with Static Translations
> 12.2(4)T This feature was introduced.
>
> So it looks slike you could remove the PBR if you
> preferred. It always seemed like a horrible kludge to
> me anyway.
I tried removing the PBR loopback but couldn't get route maps to work
with the static PAT's in the config.