Cisco Router Running Nat - dropped Packets slow connection
16 years 6 months ago #25897
by thebrok2
Hello -
I am pretty new to the Cisco world and having some issues with what I believe is related to dropped packets. I have set up a 2611 router with NAT. I have my Comcast connection (no PPPoE authentication needed) connected to Ethernet port 0/1 with NAT outside set up. I have my internal network connected to port 0/0 (ip nat inside). The issue I am having is the internet is really slow. This is what my router config looks like.
r1-gw_2611#show run
Building configuration...
Current configuration : 1585 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r1-gw_2611
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$BZXo$.7iEtL51D6yTtWASJXFVF0
!
username cisco password 7 033D5A060707201D
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name internal.net
!
ip inspect hashtable-size 8192
ip inspect name firewall_inspect tcp
ip audit po max-events 100
ip ssh time-out 60
!
!
!
interface Ethernet0/0
description Interal Network (Nat Inside)
ip address 172.27.16.1 255.255.240.0
ip access-group OUTBOUND in
no ip unreachables
ip nat inside
full-duplex
!
interface Ethernet0/1
description External Gateway (Nat Outside)
ip address dhcp
ip nat outside
ip inspect firewall_inspect out
full-duplex
!
ip nat inside source list NAT-LIST interface Ethernet0/1 overload
ip nat inside source static tcp 172.27.16.17 80 interface Ethernet0/1 80
ip nat inside source static tcp 172.27.16.15 3389 interface Ethernet0/1 3389
ip nat inside source static tcp 172.27.16.17 922 interface Ethernet0/1 922
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
!
ip access-list extended NAT-LIST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 172.27.16.0 0.0.15.255 any
!
!
!
line con 0
password 7 032752180500
logging synchronous
line aux 0
line vty 0 4
password 7 00271A150754
logging synchronous
transport input ssh
!
!
end
I made sure I have my DNS forwarders pointed at my ISP's DNS server. I am pretty convinced it's not related to DNS. I have about 5 PCs on the network, so I don't think it is related to the router working super hard. When I have done a show mem and show proc, the numbers look very good. I thought I would dig into the issue in a little detail and run a packet capture. When I did, I noticed it would route traffic fine for several packets and then a bunch of packets would have problems. Then things route fine and then start losing packets again.
These are the bad packets I am seeing lots of:
51 31.106482 208.65.153.238 172.27.16.53 TCP [TCP Out-Of-Order] [TCP segment of a reassembled PDU]
262 42.555244 208.65.153.238 172.27.16.53 TCP [TCP Dup ACK 248#1] http > orasrv [ACK] Seq=5841 Ack=692 Win=8190 Len=0
55 31.122459 208.65.153.238 172.27.16.53 TCP [TCP Retransmission] [TCP segment of a reassembled PDU]
Note:
172.27.16.53 (the PC I am making the internet request from)
I do not have any problems with internal traffic, just traffic going to the outside world. I see more of the bad packets when I navigate to a page that pulls a little more data, like just going to the home page of MySpace or YouTube. I am not sure how to clean this up so I don't have so many packets like this. I am assuming the slowness is related to me having to retransmit all the time. Anyone have any idea what could be causing this? Am I missing a setting or something? Please point me in the right direction. Please..
16 years 6 months ago #25898
by thebrok2
Replied by thebrok2 on topic Re: Cisco Router Running Nat - dropped Packets slow connection
One other thing: my internal subnet is a /20, so 255.255.240.0.
16 years 6 months ago #25900
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Cisco Router Running Nat - dropped Packets slow connection
A quick look into it, in the line:
[code:1]
ip access-group OUTBOUND in
[/code:1]
I don't see the OUTBOUND list defined anywhere!! Try removing it if you don't need it.
16 years 6 months ago #25901
by sp1k3tou
Replied by sp1k3tou on topic Re: Cisco Router Running Nat - dropped Packets slow connection
I would also get rid of the denys in the access list below. All you need is the permit statement.
ip access-list extended NAT-LIST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 172.27.16.0 0.0.15.255 any
Also, what does a show process cpu history look like on your router? And can you give a show interface for both e0/0 and e0/1?
16 years 6 months ago #25917
by thebrok2
Replied by thebrok2 on topic Re: Cisco Router Running Nat - dropped Packets slow connection
OK, this is what it looks like now. Now the problem I am having is that I can ping external sites from the router, such as 72.14.207.99, but when I try to ping from my PC it hits the router and seems to drop. I have my gateway pointing at the router. When I do a traceroute from my PC using just the IP of the external site (72.14.207.99), the last reply back is the router (172.27.16.1); however, if I do a traceroute from the router it shows me the full path. Any ideas? I have to be missing something. I would like to set up a VPN soon and that's why I have the:
ip access-list extended NAT-LIST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 172.27.0.0 0.0.15.255 any
!
Current Router config
r1-gw_2611#show run
Building configuration...
Current configuration : 1555 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r1-gw_2611
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$BZXo$.7iEtL51D6yTtWASJXFVF0
!
username cisco password 7 033D5A060707201D
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name internal.net
!
ip inspect hashtable-size 8192
ip inspect name firewall_inspect tcp
ip audit po max-events 100
ip ssh time-out 60
!
!
!
!
interface Ethernet0/0
description Interal Network (Nat Inside)
ip address 172.27.16.1 255.255.240.0
no ip unreachables
ip nat inside
full-duplex
!
interface Ethernet0/1
description External Gateway (Nat Outside)
ip address dhcp
ip nat outside
ip inspect firewall_inspect out
full-duplex
!
ip nat inside source list NAT-LIST interface Ethernet0/1 overload
ip nat inside source static tcp 172.27.16.17 80 interface Ethernet0/1 80
ip nat inside source static tcp 172.27.16.15 3389 interface Ethernet0/1 3389
ip nat inside source static tcp 172.27.16.17 922 interface Ethernet0/1 922
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
!
ip access-list extended NAT-LIST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 172.27.0.0 0.0.15.255 any
!
!
!
!
!
!
line con 0
password 7 032752180500
logging synchronous
line aux 0
line vty 0 4
password 7 00271A150754
logging synchronous
transport input ssh
!
!
end
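As an added illustration (not part of this thread or anyone's posted code), the following Python script evaluates a source/destination pair against a Cisco-style named ACL using wildcard-mask, first-match semantics, then applies it to the two NAT-LIST versions quoted above. The host 172.27.16.53 and the destination 72.14.207.99 are the addresses used in the thread; the `ip nat inside source list` command only translates flows the list permits, so this is a quick way to check which entry a given flow hits before blaming the link.

```python
import ipaddress
from typing import List, Optional, Tuple

# The NAT-LIST from the first post, and the revised one from the later post
# (only the permit line differs: 172.27.16.0 became 172.27.0.0).
ORIGINAL_NAT_LIST = """
ip access-list extended NAT-LIST
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 172.27.16.0 0.0.15.255 any
"""
REVISED_NAT_LIST = ORIGINAL_NAT_LIST.replace("permit ip 172.27.16.0", "permit ip 172.27.0.0")

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: mask bits set to 1 are 'don't care' bits."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_spec(toks: List[str]) -> Tuple[str, List[str]]:
    """Consume either 'any' or 'address wildcard' from the token list."""
    if toks[0] == "any":
        return "any", toks[1:]
    return f"{toks[0]} {toks[1]}", toks[2:]

def parse_acl(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (action, src_spec, dst_spec, original_line) for each 'ip' entry."""
    aces = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue  # skips the header line, blank lines and non-'ip' entries
        src, rest = _take_spec(parts[2:])
        dst, _ = _take_spec(rest)
        aces.append((parts[0], src, dst, raw.strip()))
    return aces

def first_match(acl_text: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching entry wins; a flow matching nothing hits the implicit deny."""
    for action, s, d, line in parse_acl(acl_text):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action, line
    return "deny", None

def will_translate(acl_text: str, src: str, dst: str) -> bool:
    """True when 'ip nat inside source list NAT-LIST ... overload' would translate this flow."""
    return first_match(acl_text, src, dst)[0] == "permit"

if __name__ == "__main__":
    pc, target = "172.27.16.53", "72.14.207.99"  # addresses from the thread
    for name, acl in (("original", ORIGINAL_NAT_LIST), ("revised", REVISED_NAT_LIST)):
        print(name, first_match(acl, pc, target))
```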
16 years 6 months ago #25918
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Cisco Router Running Nat - dropped Packets slow connection
First try removing those:
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
As sp1k3tou said, I don't see the need for them.
Second, if it still doesn't work, can you "show ip route" for us so we can have a better look?