[c-nsp] help on NAT rate limiting

Ted Mittelstaedt tedm at toybox.placo.com
Tue Dec 28 13:02:06 EST 2004


Hi All,

  We have a customer that's a small office, about 20 people,
behind a 1720.  The router is configured to overload onto
a single IP address, and has a VPN to another 1720 coming
in to it.

  They wanted another Ethernet interface in this, so we put a
WIC-1ENET card into the router. This required going to 12.3
IOS to support the hardware, and that is when all hell broke loose.

  Previous to 12.3 the IOS had no way to rate limit NAT;
normally the translation table would run about a couple hundred
entries.  Every once in a while they would get a virus and
the table would balloon, which would be simple to see by
showing the NAT translation table, finding the offending inside
IP address, and removing the virus; the table would go back to
normal.  They were running 12.1 on that 1700 for a year at
least with no other problems.

  Now with 12.3 there is a way to rate limit NAT, but the
people at Cisco who thought this was a good idea
quite obviously figured they would -raise- all the timeouts
in the translator.  So now, even without a virus, the router
will sometimes run an average of 20,000 translation entries.

  Configuring rate limiting to whack the table off at 2-3 thousand
entries creates a situation where the router simply runs up
the translation table to the limit, then stops creating new
entries.

  We want to reset the timeouts in IOS back to what they
were rather than trying to whack the table off at its knees,
but there is no info I can find on the Cisco website as to
what the SENSIBLE timeouts were that were used in 12.1, 12.0,
etc.  And furthermore, the IOS commands that are available for
reducing the timeouts don't apply to overloads, which of course
is what everything on this router is.

  Going back to an old IOS is not possible because of the
Ethernet WIC.

  Whoever did this at Cisco obviously never heard of the
axiom "if it ain't broke, don't fix it".  A NAT rate-limiting
command is an impossibility: a virus will use all available
RAM in the router for translation entries no matter how high
or how low the limit is set, and will just max out the translation
slots with the rate limit set, and the router stops working,
so this command gains nothing.  And to put a command like this
in and use it as a license to raise the timeouts, which is what
it seems they have done, is absurd.

  No doubt Cisco was besieged with idiots trying to press wussy-assed
routers into service as translators for Fortune 100 companies.
They should have told those morons to go pound sand and buy a PIX,
and left the translation code for the small routers alone; it was
working fine before.  Changing the translator operation in 12.3
has screwed it for everyone else, I think.

  Please, someone, tell me the documentation is wrong and that the
NAT timeout commands do apply to overloads!

Ted
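The triage step the post describes (dump the translation table, find the inside host that owns the bulk of it) can be scripted against the text of `show ip nat translations`, so a bloated table is diagnosed rather than just capped. The script below is an added example and is not code from the post or from Cisco; the sample table, the addresses in it and the "half the table or 100 distinct destinations" thresholds are all constructed assumptions for illustration. It counts translations per inside local host and also counts distinct outside destinations per host, since a scanning virus shows up as one host fanning out to many addresses rather than many hosts each talking to a few.

```python
"""Rank inside hosts by their share of a Cisco NAT translation table.

Added example, not from the mailing-list post. The sample table below is
constructed in the column layout IOS prints for 'show ip nat translations'
(static entries show '---' in the columns they do not use); feed the real
router output to parse_translations() instead.
"""
import re
from collections import Counter

# One dynamic/static entry per line: Pro, inside global, inside local,
# outside local, outside global. The header line deliberately does not match.
LINE_RE = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def build_sample_table() -> str:
    """Constructed output: two desktops with normal PAT entries, one static
    entry, and one host (192.168.1.45) fanning out to 400 distinct outside
    addresses on tcp/445, the footprint a scanning worm leaves in the table."""
    rows = [
        "Pro Inside global         Inside local          Outside local         Outside global",
        "tcp 203.0.113.10:1024     192.168.1.20:3456     198.51.100.5:80       198.51.100.5:80",
        "udp 203.0.113.10:1025     192.168.1.20:1026     198.51.100.9:53       198.51.100.9:53",
        "tcp 203.0.113.10:1026     192.168.1.21:2211     198.51.100.7:443      198.51.100.7:443",
        "--- 203.0.113.10          192.168.1.30          ---                   ---",
    ]
    for i in range(400):
        dst = f"10.{i // 256}.{i % 256}.1"  # constructed destination address
        rows.append(f"tcp 203.0.113.10:{2000 + i} 192.168.1.45:{1500 + i} {dst}:445 {dst}:445")
    return "\n".join(rows) + "\n"


def split_addr(field: str):
    """'192.168.1.20:3456' -> ('192.168.1.20', '3456'); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, port or None


def parse_translations(text: str) -> list:
    """Return one dict per translation entry; header and unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = m.groups()
        entries.append({
            "proto": proto,
            "inside_local": split_addr(inside_local)[0],
            "outside_global": split_addr(outside_global)[0],
            "static": proto == "---",
        })
    return entries


def summarize_by_inside_host(entries: list) -> dict:
    """Per inside-local IP: entry count, protocol breakdown, distinct destinations."""
    hosts = {}
    for e in entries:
        if e["inside_local"] is None:
            continue
        h = hosts.setdefault(e["inside_local"],
                             {"entries": 0, "proto": Counter(), "destinations": set()})
        h["entries"] += 1
        h["proto"][e["proto"]] += 1
        if e["outside_global"]:
            h["destinations"].add(e["outside_global"])
    return hosts


def find_offenders(hosts: dict, share: float = 0.5, min_fanout: int = 100) -> list:
    """Hosts holding at least `share` of all entries, or talking to at least
    `min_fanout` distinct outside addresses (thresholds are assumptions).
    Returns (ip, entry_count, distinct_destinations), busiest first."""
    total = sum(h["entries"] for h in hosts.values())
    ranked = sorted(hosts.items(), key=lambda kv: -kv[1]["entries"])
    return [(ip, h["entries"], len(h["destinations"]))
            for ip, h in ranked
            if h["entries"] >= share * total or len(h["destinations"]) >= min_fanout]


if __name__ == "__main__":
    table = build_sample_table()
    hosts = summarize_by_inside_host(parse_translations(table))
    for ip, count, fanout in find_offenders(hosts):
        print(f"{ip}: {count} translations to {fanout} distinct outside addresses")
```

On the router, `show ip nat translations` (the command the post refers to) produces the table this parses; run the script over a saved copy and the host to clean up is the one at the top of the offender list. The thresholds are deliberately relative to the whole table rather than to any fixed entry limit, because, as the post points out, a capped table fills to its cap regardless of which host is responsible.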

