[nsp] Question about per-host ip nat limits

Brian Buhrow buhrow at lothlorien.nfbcal.org
Tue Dec 17 14:42:34 EST 2002


	Hello folks.  After looking through the Cisco web site, as well
as looking at this list's archives, I find I have a question which I
thought someone might know the answer to on this list.

	Here's the situation.  We have a router serving a campus which uses
all natted addresses.  The customers who use our service on this campus
are free to supply their own computers, so we end up with a heterogeneous
collection of hardware and software.  Sometimes, computers show up with
viruses which attempt to open a vast number of connections out through the
Internet router.  This causes the router to assign so many nat translation
entries that it either runs out of memory, or bumps up against the maximum
number of translations we've defined.  Either way, all users eventually
find they cannot use the Internet because the router's translation slots
are all consumed by the rogue computer.
	My question is this: is there a command to limit
the number of translations a given inside IP address can use before it is
denied any more translation slots?  I'd like to do this to prevent one host
from inadvertently mounting a denial of service attack by running the
router out of translation memory.  In case it matters, we're running this
campus through a Cisco 2621 router with IOS version 12.2(7a).

	Any thoughts on how to prevent this sort of denial of service
attack would be greatly appreciated.
-thanks
-Brian
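One way to spot the runaway host before the translation table fills, added here as an example and not part of Brian's post: parse the output of `show ip nat translations` (captured via a script or SNMP poller), count entries per inside local address, and flag any host above a per-host limit. The sample output and the limit of 3 are constructed for the example.

```python
from collections import Counter

# Constructed sample of `show ip nat translations` output (not from the post).
# 10.1.1.5 plays the hypothetical virus-infected host; the others are normal.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.1:1024     10.1.1.5:1024      203.0.113.7:80     203.0.113.7:80
tcp 192.0.2.1:1025     10.1.1.5:1025      203.0.113.8:25     203.0.113.8:25
tcp 192.0.2.1:1026     10.1.1.5:1026      203.0.113.9:25     203.0.113.9:25
udp 192.0.2.1:1027     10.1.1.5:1027      203.0.113.10:53    203.0.113.10:53
tcp 192.0.2.1:1028     10.1.1.9:3000      203.0.113.7:443    203.0.113.7:443
--- 192.0.2.2          10.1.1.20          ---                ---
"""


def strip_port(addr):
    """Return the IP part of 'a.b.c.d:port'; a bare 'a.b.c.d' is returned as-is."""
    return addr.rsplit(":", 1)[0]


def count_per_inside_host(output):
    """Count translation entries keyed by inside local IP address.

    Each data row has five whitespace-separated columns (Pro, Inside global,
    Inside local, Outside local, Outside global); the header row has more
    tokens and is skipped, as is any blank or truncated line.
    """
    counts = Counter()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        counts[strip_port(parts[2])] += 1
    return counts


def find_runaway_hosts(output, limit):
    """Return {inside_ip: count} for hosts holding more than `limit` entries."""
    return {ip: n for ip, n in count_per_inside_host(output).items() if n > limit}


if __name__ == "__main__":
    for ip, n in sorted(find_runaway_hosts(SAMPLE_OUTPUT, 3).items()):
        print(f"{ip} holds {n} translations (over per-host limit)")
```

In practice the limit would be set well below the router's configured maximum so that one host is flagged (and can be filtered) long before the shared table is exhausted.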
