Howdy.
I have a Cisco 1760V router on one end of an IPSec tunnel. A Pix 515E is on the other end.
When I set up NAT, all the traffic that is NOT private network traffic on either end of the tunnel is very constipated. It ate a LOT of cheese.
So... Private traffic is fast. Internet traffic is slow. Not just http, but command-line ftp "get" and "put" are slow too.
But, it's only DOWNSTREAM that is slow. Upstream is very fast.... well, normal fast.
Cox Cable 4meg down/512K up connection in Tulsa, OK.
Config below. Any thoughts? I've turned off logging just in case, but when I do a "show proc cpu" everything is normal. No spikes. All below 2 or 3%.
--DW
-----Config here-----
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2005.01.17 16:24:18 =~=~=~=~=~=~=~=~=~=~=~=
Building configuration...
Current configuration : 7028 bytes
!
version 12.2
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname TUL-1760
!
no logging on
enable secret 5 xxx
enable password 7 xxx
!
ip subnet-zero
!
!
ip tcp synwait-time 5
no ip domain lookup
no ip dhcp conflict logging
!
ip cef
ip audit notify log
ip audit po max-events 100
!
!
voice call send-alert
voice call carrier capacity active
voice rtp send-recv
!
voice service voip
h323
call start slow
!
voice class codec 99
codec preference 1 g711ulaw
codec preference 2 g729br8
codec preference 3 g729r8
!
!
!
voice class h323 1
h225 timeout tcp establish 3
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
crypto isakmp policy 21
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 70.x.x.35
!
!
crypto ipsec transform-set red esp-3des esp-sha-hmac
crypto ipsec transform-set blue esp-3des esp-md5-hmac
!
crypto map LifeChurch 20 ipsec-isakmp
set peer 70.xx.xx.35
set transform-set blue
match address 122
!
!
!
!
!
interface Ethernet0/0
ip address 68.xx.xx.7 255.255.255.0
ip nat outside
no ip mroute-cache
full-duplex
no cdp enable
crypto map LifeChurch
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
ip directed-broadcast
ip nat inside
no ip mroute-cache
speed auto
full-duplex
h323-gateway voip bind srcaddr 192.168.3.1
!
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 68.xx.xx.1
ip route 10.0.0.0 255.0.0.0 70.xx.xx.35
ip route 172.16.10.0 255.255.255.0 70.xx.xx.35
ip route 172.16.11.0 255.255.255.0 70.xx.xx.35
ip route 172.16.21.0 255.255.255.0 70.xx.xx.35
ip route 172.16.22.0 255.255.255.0 70.xx.xx.35
ip route 192.168.1.0 255.255.255.0 70.xx.xx.35
ip route 192.168.2.0 255.255.255.0 70.xx.xx.35
ip route 192.168.4.0 255.255.255.0 70.xx.xx.35
ip route 192.168.5.0 255.255.255.0 70.xx.xx.35
ip route 192.168.6.0 255.255.255.0 70.xx.xx.35
ip route 192.168.254.0 255.255.255.0 70.xx.xx.35
no ip http server
no ip http secure-server
!
!
!
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.168.203.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 172.16.22.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 120 deny ip 192.168.3.0 0.0.0.255 172.16.203.0 0.0.0.255
access-list 120 deny ip 172.16.203.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 172.16.203.0 0.0.0.255 any
access-list 120 permit ip 192.168.3.0 0.0.0.255 any
access-list 120 permit ip any 192.168.3.0 0.0.0.255
access-list 120 permit ip any 172.16.203.0 0.0.0.255
access-list 121 permit ip 172.16.203.0 0.0.0.255 any
access-list 121 permit ip 19.168.3.0 0.0.0.255 any
access-list 121 permit ip any 172.16.203.0 0.0.0.255
access-list 121 permit ip any 192.168.3.0 0.0.0.255
access-list 121 permit ip 192.168.3.0 0.0.0.255 any
access-list 122 permit ip 192.168.3.0 0.0.0.255 any
access-list 130 deny ip 192.168.3.0 0.0.0.255 any
access-list 130 deny ip 172.16.203.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 102
!
snmp-server community LifeTulsaDotTv RO
snmp-server community public RO
snmp-server enable traps tty
call rsvp-sync
!
voice-port 1/0
echo-cancel coverage 32
no comfort-noise
connection plar opx 3100
station-id name Outside Call
caller-id enable
!
voice-port 1/1
echo-cancel coverage 24
no comfort-noise
timeouts interdigit 2
connection plar opx 3100
station-id name Outside Call
caller-id enable
!
voice-port 2/0
echo-cancel coverage 24
no comfort-noise
timeouts interdigit 2
connection plar opx 3100
station-id name Outside Call
caller-id enable
!
voice-port 2/1
echo-cancel coverage 24
no comfort-noise
timeouts interdigit 2
connection plar 3100
station-id name Outside Call
caller-id enable
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
incoming called-number .
port 1/0
!
dial-peer voice 2 pots
incoming called-number .
port 1/1
!
dial-peer voice 3 pots
incoming called-number .
port 2/0
!
dial-peer voice 4 pots
incoming called-number .
port 2/1
!
dial-peer voice 91 pots
preference 8
incoming called-number .
destination-pattern 9T
port 1/0
!
dial-peer voice 92 pots
preference 7
incoming called-number .
destination-pattern 9T
port 1/1
!
dial-peer voice 93 pots
preference 6
incoming called-number .
destination-pattern 9T
port 2/0
!
dial-peer voice 1000 voip
incoming called-number .
destination-pattern 3...
progress_ind setup enable 3
voice-class codec 99
session target ipv4:172.16.10.10
dtmf-relay cisco-rtp h245-signal h245-alphanumeric
no vad
!
dial-peer voice 9111 pots
preference 8
destination-pattern 911
no digit-strip
port 1/0
!
dial-peer voice 9112 pots
preference 7
destination-pattern 911
no digit-strip
port 1/1
!
dial-peer voice 9113 pots
preference 6
destination-pattern 911
no digit-strip
port 2/0
!
dial-peer voice 9114 pots
preference 5
destination-pattern 911
no digit-strip
port 2/1
!
dial-peer voice 9911 pots
preference 8
destination-pattern 9911
port 1/0
prefix 911
!
dial-peer voice 9912 pots
preference 7
destination-pattern 9911
port 1/1
prefix 911
!
dial-peer voice 9913 pots
preference 6
destination-pattern 9911
port 2/0
prefix 911
!
dial-peer voice 9914 pots
preference 5
destination-pattern 9911
port 2/1
prefix 911
!
dial-peer voice 94 pots
preference 5
incoming called-number .
destination-pattern 9T
port 2/1
!
dial-peer voice 7000 voip
incoming called-number .
destination-pattern 7...
progress_ind setup enable 3
progress_ind progress enable 8
voice-class codec 99
session target ipv4:172.16.10.10
dtmf-relay cisco-rtp h245-signal h245-alphanumeric
no vad
!
!
call-manager-fallback
ip source-address 192.168.3.1 port 2000
max-ephones 24
max-dn 96
default-destination 3100
!
!
line con 0
password 7 xx
login
terminal-type mon
line aux 0
line vty 0 4
password 7 xx
login
!
no scheduler allocate
end