3640 some sites slow....



Hi

I've got a 3640 that is running as a router-on-a-stick with a 2924.
The 3640 routes traffic for 5 VLANs.

My ISP is Verizon FIOS, 15Mb/2Mb, so my ISP's network link is fairly
fast. In general everything works; however, some sites are just
horribly slow... like eBay & a few PHP forum sites. At my
work the sites are flying fast. I'm wondering if something on the
3640 is not optimal...

Please take a look at my config and point out any issues you may see.

The router has lots going on: IP NAT, QoS for Vonage, an IPsec
tunnel...

HNet-3640#
HNet-3640#sh runn
Building configuration...

Current configuration : 15002 bytes
!
! Last configuration change at 19:36:33 edt Wed May 2 2007 by me
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service linenumber
!
hostname HNet-3640
!
boot-start-marker
boot-end-marker
!
logging buffered 40960 notifications
no logging console
enable secret 5
!
aaa new-model
!
!
aaa authentication banner ^CCC

******************************************
** Unauthorized access prohibited **
** Exit NOW if unauthorized, **
** these systems are monitored **
******************************************

^C
aaa authentication fail-message ^CCC

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! FAILED LOGINS ARE LOGGED AND RECORDED !!!
!!! ALERTS WILL BE GOING OFF SOON !!!
!!! NOW WOULD BE THE TIME TO DISCONNECT IF !!!
!!! YOUR NEXT LOGIN ISNT GONNA BE SUCCESSFUL !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
^C
aaa authentication password-prompt "Enter Your Password : "
aaa authentication username-prompt "Enter Your Username : "
aaa authentication login VTYAccess group radius local-case
aaa authentication ppp default local
aaa authorization exec VTYAccess group radius if-authenticated
!
aaa session-id common
clock timezone est -5
clock summer-time edt recurring
no ip source-route
!
!
ip cef
no ip domain lookup
ip name-server 192.168.10.19
!
!
no ip bootp server
ip inspect audit-trail
ip inspect max-incomplete high 750
ip inspect max-incomplete low 750
ip inspect dns-timeout 7
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 ftp timeout 3600
ip inspect name CBAC2 rcmd timeout 3600
ip inspect name CBAC2 sqlnet timeout 3600
ip inspect name CBAC2 tftp timeout 30
ip inspect name CBAC2 http
ip inspect name CBAC2 udp
!
!
!
key chain dummy
key 1
key chain crypto
key 1
!
!
class-map match-all voice-traffic
match ip rtp 10000 10000
!
!
policy-map voice-policy
class voice-traffic
priority 200
class class-default
fair-queue
policy-map shaper
class class-default
shape average 2000000 200000 0
service-policy voice-policy
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key mykey address vpn.server.ip.address
!
!
crypto ipsec transform-set to-asi esp-aes 256 esp-sha-hmac
!
crypto map vpn-endpoint 10 ipsec-isakmp
set peer vpn.server.ip.address
set transform-set to-asi
match address 191
!
!
!
!
interface FastEthernet0/0
description Link to FIOS Internet
mac-address 0050.5474.231f
bandwidth 15000
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description Link to Inside Network Homenet-2924 f0/2
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1
description Native VLAN
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
!
interface FastEthernet0/1.4
description VLAN for Wireless SSID:free-internet
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.254.0
ip access-group free-internet in
ip helper-address 192.168.10.21
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/1.10
description VLAN for Wired Network
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/1.11
description VLAN for Wireless SSID:zilla
encapsulation dot1Q 11
ip address 192.168.11.209 255.255.255.240
ip helper-address 192.168.10.21
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/1.12
description VLAN for Wireless SSID:chump
encapsulation dot1Q 12
ip address 192.168.11.193 255.255.255.240
ip helper-address 192.168.10.21
ip tcp adjust-mss 1452
!
interface FastEthernet0/1.13
description VLAN for Wireless SSID:otherboxes
encapsulation dot1Q 13
ip address 192.168.11.177 255.255.255.240
ip helper-address 192.168.10.21
ip tcp adjust-mss 1452
!
interface FastEthernet0/1.98
encapsulation dot1Q 98
ip address 192.168.98.1 255.255.255.0
!
interface FastEthernet0/1.111
encapsulation dot1Q 111
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Ethernet3/0
no ip address
shutdown
half-duplex
!
interface Serial3/0
no ip address
shutdown
!
interface Serial3/1
no ip address
shutdown
!
interface Virtual-Template1
no ip address
service-policy output shaper
!
interface Dialer1
bandwidth 15000
ip address negotiated
ip access-group acl_out in
ip accounting access-violations
ip mtu 1492
ip nat outside
ip inspect CBAC2 in
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username fios-username password 0 fios-password
crypto map vpn-endpoint
!
interface Virtual-TokenRing1
no ip address
ring-speed 16
!
router bgp 12345
no synchronization
bgp log-neighbor-changes
neighbor 192.168.10.19 remote-as 64512
neighbor 192.168.10.19 filter-list 56 in
no auto-summary
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip as-path access-list 50 permit ^5650_[0-9]_[0-9]*$
ip as-path access-list 50 permit ^1_[0-9]_[0-9]*$
ip as-path access-list 50 permit ^1668_[0-9]_[0-9]*$
ip as-path access-list 55 permit ^5650_[0-9]+_[0-9]*$
ip as-path access-list 56 permit ^5650_[0-9]*$
ip nat translation timeout never
ip nat inside source static udp 192.168.10.24 21000 interface Dialer1 21000
ip nat inside source static tcp 192.168.10.24 21000 interface Dialer1 21000
ip nat inside source static tcp 192.168.10.35 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.10.24 6861 interface Dialer1 6861
ip nat inside source static tcp 192.168.11.212 6889 interface Dialer1 6889
ip nat inside source static tcp 192.168.11.212 6888 interface Dialer1 6888
ip nat inside source static tcp 192.168.11.212 6887 interface Dialer1 6887
ip nat inside source static tcp 192.168.11.212 6886 interface Dialer1 6886
ip nat inside source static tcp 192.168.11.212 6885 interface Dialer1 6885
ip nat inside source static tcp 192.168.11.212 6884 interface Dialer1 6884
ip nat inside source static tcp 192.168.11.212 6883 interface Dialer1 6883
ip nat inside source static tcp 192.168.11.212 6882 interface Dialer1 6882
ip nat inside source static tcp 192.168.11.212 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.10.21 6898 interface Dialer1 6898
ip nat inside source static tcp 192.168.10.21 6897 interface Dialer1 6897
ip nat inside source static tcp 192.168.10.21 6896 interface Dialer1 6896
ip nat inside source static tcp 192.168.10.21 6895 interface Dialer1 6895
ip nat inside source static tcp 192.168.10.21 6894 interface Dialer1 6894
ip nat inside source static tcp 192.168.10.21 6893 interface Dialer1 6893
ip nat inside source static tcp 192.168.10.21 6892 interface Dialer1 6892
ip nat inside source static tcp 192.168.10.21 6891 interface Dialer1 6891
ip nat inside source static tcp 192.168.10.21 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.10.30 99 interface Dialer1 99
ip nat inside source static tcp 192.168.10.35 2222 interface Dialer1 2222
ip nat inside source static tcp 192.168.10.35 8192 interface Dialer1 8192
ip nat inside source static tcp 192.168.10.35 8190 interface Dialer1 8190
ip nat inside source route-map nat-map interface Dialer1 overload
!
!
ip access-list extended acl_out
deny ip host 0.0.0.0 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
permit ip 172.25.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.15.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.8.0 0.0.7.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 248.0.0.0 7.255.255.255 any
deny ip host 255.255.255.255 any
permit tcp any eq ftp-data any
permit tcp any any eq 22
permit tcp any any eq 2222
permit tcp any any eq 4662
permit tcp any any eq 4672
permit tcp any any eq 4711
permit tcp any any eq 5001
permit udp any any eq 5001
permit tcp any any eq 6891
permit tcp any any eq 6892
permit tcp any any eq 6893
permit tcp any any eq 6894
permit tcp any any eq 6895
permit tcp any any eq 6896
permit tcp any any eq 6897
permit tcp any any eq 6898
permit tcp any any eq 6881
permit tcp any any eq 6882
permit tcp any any eq 6883
permit tcp any any eq 6884
permit tcp any any eq 6885
permit tcp any any eq 6886
permit tcp any any eq 6887
permit tcp any any eq 6888
permit tcp any any eq 6889
permit tcp any any eq 6861
permit tcp any any eq 8190
permit tcp any any eq 8192
permit tcp any any eq 3389
permit tcp any any eq 21000
permit udp any any eq 21000
permit udp host vpn.server.ip.address any eq isakmp
permit udp host vpn.server.ip.address any eq isakmp
permit udp host vpn.server.ip.address any eq isakmp
permit udp host vpn.server.ip.address any eq non500-isakmp
permit udp host vpn.server.ip.address any eq non500-isakmp
permit udp host vpn.server.ip.address any eq non500-isakmp
permit esp host vpn.server.ip.address any
permit esp host vpn.server.ip.address any
permit esp host vpn.server.ip.address any
permit ip vpn.server.ip.address 0.0.0.3 any log
permit tcp vpn.server.ip.address 0.0.3.255 any
permit tcp any any established
permit udp any eq domain any
permit udp any any eq ntp
permit udp any any eq bootpc
permit udp any any log
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any host-unknown
permit icmp any any time-exceeded
deny ip any any log
ip access-list extended crap
permit ip 19.0.84.176 0.0.0.3 any
ip access-list extended free-internet
permit tcp host 192.168.5.57 any log
permit udp host 192.168.5.57 any log
permit icmp host 192.168.5.57 any log
permit tcp host 192.168.4.25 host 192.168.4.1 eq telnet
permit udp any any eq bootps
permit udp any any eq bootpc
deny udp 192.168.4.0 0.0.1.255 any eq snmp
deny udp any any eq snmp
deny ip 192.168.4.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 192.168.4.0 0.0.1.255 172.25.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 192.168.4.0 0.0.1.255 192.168.8.0 0.0.7.255
deny ip 192.168.4.0 0.0.1.255 192.168.0.0 0.0.255.255
deny ip 169.254.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.25.0.0 0.0.255.255 any
deny tcp 192.168.4.0 0.0.1.255 host 192.168.4.1 eq telnet
deny tcp 192.168.4.0 0.0.1.255 host 192.168.4.1 eq 22
permit udp 192.168.4.0 0.0.1.255 any eq domain
permit tcp 192.168.4.0 0.0.1.255 any eq www
permit tcp 192.168.4.0 0.0.1.255 any eq 8080
permit udp 192.168.4.0 0.0.1.255 any eq ntp
permit tcp 192.168.4.0 0.0.1.255 any eq ftp
permit tcp 192.168.4.0 0.0.1.255 any eq smtp
permit tcp 192.168.4.0 0.0.1.255 any eq domain
permit tcp 192.168.4.0 0.0.1.255 any eq pop3
permit tcp 192.168.4.0 0.0.1.255 any eq 443
permit icmp 192.168.4.0 0.0.1.255 any echo
permit icmp 192.168.4.0 0.0.1.255 any echo-reply
permit icmp 192.168.4.0 0.0.1.255 any port-unreachable
deny tcp 192.168.4.0 0.0.1.255 any log
deny udp 192.168.4.0 0.0.1.255 any log
deny ip any any log
deny ospf any any log
logging trap debugging
logging source-interface FastEthernet0/1.1
logging 192.168.10.35
access-list 1 permit 192.168.8.0 0.0.7.255
access-list 11 permit 192.168.10.35
access-list 11 permit 192.168.10.19
access-list 11 permit 192.168.11.215
access-list 11 deny any
access-list 21 permit 199.0.184.0 0.0.3.255
access-list 21 permit 192.168.10.0 0.0.0.255
access-list 21 permit 192.168.11.208 0.0.0.15
access-list 21 deny any
access-list 111 remark APPLIED TO ROUTE-MAP NAT-MAP
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 permit ip 192.168.11.208 0.0.0.15 any
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
access-list 112 remark PLACE HOLDER
access-list 113 remark APPLIED TO ROUTE-MAP NAT-MAP
access-list 113 deny ip 192.168.8.0 0.0.7.255 172.25.0.0 0.0.255.255
access-list 113 permit ip 192.168.4.0 0.0.1.255 any
access-list 113 permit ip 192.168.8.0 0.0.7.255 any
access-list 113 permit ip 192.168.0.0 0.0.255.255 any
access-list 113 deny ip any any log
access-list 114 remark PLACE HOLDER
access-list 115 remark APPLIED TO ROUTE-MAP NAT-MAP
access-list 120 remark PLACE HOLDER
access-list 130 permit tcp any any range 6800 6900
access-list 131 permit tcp any range 6800 6900 any
access-list 177 permit icmp any any
access-list 177 permit tcp any any eq www
access-list 177 permit tcp any eq www any
access-list 178 permit icmp any any
access-list 178 permit tcp 192.168.11.0 0.0.0.255 any
access-list 178 permit tcp any 192.168.11.0 0.0.0.255
access-list 190 permit ip 192.168.10.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 190 permit ip 192.168.11.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 190 deny ip 192.168.4.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 190 deny ip any any
access-list 190 remark USED FOR VPN MAP
access-list 191 remark APPLIED TO CRYPTO-MAP
access-list 191 permit ip 192.168.8.0 0.0.7.255 172.25.0.0 0.0.255.255
access-list 191 permit ip 192.168.8.0 0.0.7.255 10.1.0.0 0.0.255.255
access-list 191 permit ip 192.168.8.0 0.0.7.255 10.2.0.0 0.0.255.255
access-list 191 permit ip 192.168.8.0 0.0.7.255 10.25.0.0 0.0.255.255
dialer-list 1 protocol ip permit
snmp-server community
snmp-server community
snmp-server contact
snmp-server chassis-id
snmp-server system-shutdown
snmp-server enable traps tty
!
route-map nat-map permit 10
description ATTACHED TO `IP NAT INSIDE`
match ip address 113
!
!
radius-server host 192.168.10.21 auth-port 1645 acct-port 1646
radius-server key removed
!
control-plane
!
!
!
!
alias exec ct conf t
alias exec wm copy running-config startup-config
alias exec tr trace
alias exec sr sho runn
alias exec ssa sh crypto isakmp sa
alias exec nda no debug all
alias exec si sho ip route
alias exec sbgp sh ip bgp
alias exec sibs sh ip bgp summ
alias exec cc1 clear crypto isakmp
alias exec cc2 clear crypto ipsec client ezvpn
alias exec cc3 clear crypto sa
alias exec ssad sh crypto isakmp sa detail
alias exec sntr sh ip nat tr
alias exec spi sh policy-map interface
!
line con 0
exec-timeout 240 0
line aux 0
line vty 0 4
access-class 21 in
exec-timeout 480 0
authorization exec VTYAccess
login authentication VTYAccess
line vty 5 15
access-class 21 in
exec-timeout 480 0
authorization exec VTYAccess
login authentication VTYAccess
!
scheduler allocate 4000 1000
ntp clock-period 17179823
ntp server 81.187.242.38
!
end

HNet-3640#
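Added example, not part of the original post: a small Python checker that reads a constructed excerpt of the config above and cross-references the `ip nat inside source static` entries against the `acl_out` ACEs, and also flags ACEs that appear more than once (as the isakmp/esp lines do in the posted ACL). The excerpt and the exact-match rule are assumptions for illustration; it does not evaluate catch-all entries such as `permit udp any any log`.

```python
import re

# Constructed excerpt of the posted running-config (not the full config).
CONFIG = """\
ip nat inside source static tcp 192.168.10.35 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.10.30 99 interface Dialer1 99
ip nat inside source static udp 192.168.10.24 21000 interface Dialer1 21000
ip access-list extended acl_out
 permit tcp any any eq 3389
 permit udp any any eq 21000
 permit udp host vpn.server.ip.address any eq isakmp
 permit udp host vpn.server.ip.address any eq isakmp
 permit tcp any any established
 permit udp any any log
 deny ip any any log
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ (\d+) interface \S+ (\d+)$")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")

def parse(text):
    """Return (set of (proto, outside port) static NATs, dict of ACL name -> ACE list)."""
    nats, acls, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.add((m.group(1), m.group(3)))   # proto and outside (Dialer1) port
            continue
        m = ACL_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if current is not None and line.startswith(("permit", "deny", "remark")):
            current.append(line)
        elif line.startswith("ip ") or line == "!":
            current = None                        # left the named ACL block
    return nats, acls

def unpermitted_forwards(nats, aces):
    """Static NATs with no explicit 'permit <proto> any any eq <port>' ACE (exact match only)."""
    return sorted(n for n in nats if f"permit {n[0]} any any eq {n[1]}" not in aces)

def duplicate_aces(aces):
    """ACEs listed more than once, in first-seen order; duplicates never match traffic."""
    seen, dups = set(), []
    for ace in aces:
        if ace in seen and ace not in dups:
            dups.append(ace)
        seen.add(ace)
    return dups
```

Run against the full posted config, the same checks show which forwarded ports rely on a catch-all rather than an explicit permit, and which ACEs are dead duplicates.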
