[c-nsp] help on NAT rate limiting

Church, Chuck cchurch at netcogov.com
Tue Dec 28 13:41:46 EST 2004 

Ted,

	I think the intention of NAT limiting is to limit each internal
host to 'x' number of translations, so that infected hosts can't create
thousands of entries and consume all the memory, etc.  I don't think
it's supposed to be a single threshold for all internal devices.
Haven't played with it, so I'm not totally sure.  Regarding the
timeouts, I've had good results with:
ip nat translation timeout 150
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 300
ip nat translation dns-timeout 15
ip nat translation icmp-timeout 10

	This is on a 1720, by the way.  Regarding the NAT timeout issue
and overloading, it should work.  What does 'sh ip nat tra ver' tell you
as far as the countdown timers are concerned?  The 1720 I've got running
12.2.11T11 (can't go later in 12.2T or 12.3 due to memory) shows:

tcp xxx.190.218.206:3560 192.168.0.57:3560 xx.130.50.205:80
xx.130.50.205:80
    create 00:00:19, use 00:00:19, left 00:04:40, Map-Id(In): 1,
    flags:
extended, timing-out, use_count: 0
tcp xxx.190.218.206:3562 192.168.0.57:3562 xx.130.50.205:80
xx.130.50.205:80
    create 00:00:19, use 00:00:06, left 00:04:53, Map-Id(In): 1,
    flags:
extended, timing-out, use_count: 0
tcp xxx.190.218.206:3564 192.168.0.57:3564 xx.130.50.205:80
xx.130.50.205:80
    create 00:00:19, use 00:00:18, left 00:04:41, Map-Id(In): 1,
    flags: 

Are you saying in 12.3 these timers are much longer?

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D 


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
Sent: Tuesday, December 28, 2004 1:02 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] help on NAT rate limiting

Hi All,

  We have a customer that's a small office about 20 people
behind a 1720.  The router is configured to overload on to
a single IP address, and has a vpn to another 1720 coming
in to it.

  They wanted another ethernet interface in this so we put a
wic-1enet card into the router - this required going to 12.3
ios to support the hardware and that is when all hell broke loose.

  previous to 12.3 the ios had no way to rate limit nat - 
normally the translation table would run about a couple hundred
entries.  Every once in a while they would get a virus and
the table would balloon - which would be simple to see by
showing the nat translation table, finding the offending inside
ip address, and removing the virus, the table would go back to
normal.  They were running 12.1 on that 1700 for a year at
least with no other problems.

  Now with 12.3 there is a way to rate limit nat - but the
people at Cisco that thought this was a good idea
quite obviously figured they would -raise- all the timeouts
in the translator.  So now, even without a virus, the router
will run on average of 20,000 translation entries sometimes.

  configuring rate limiting to wack off the table at 2-3 thousand
entries creates a situation where the router simply runs up
the translation table to the limit, then stops creating new
entries.

  We want to reset the timeouts in ios back to what they
were rather than trying to wack the table off at it's knees -
but there is no info I can find on the Cisco website as to
what the SENSIBLE timeouts were that were used in 12.1, 12.0,
etc.  And furthermore the ios commands that are available for
reducing the timeouts don't apply to overloads - which of course
is what everything on this router is.

  Going back to an old IOS is not possible because of the
ethernet wic.

  Whoever did this at Cisco obviously never heard of the
axiom "if it ain't broke don't fix it".  A nat rate-limiting
command is an impossibility - a virus will use all available
ram in the router for translation entries no matter how high
or how low the limit is set - and will just max out the translation
slots with the rate-limit set, and the router stops working,
so this command gains nothing.  And to put a command like this
in and use it as a license to raise the timeouts which is what
it seems they have done is absurd.

  No doubt Cisco was besiged with idiots trying to press wussy-assed
routers into service as translators for fortune 100 companies -
they should have told those morons to go pound sand and buy a pix
and left the translation code for the small routers alone, it was
working fine before.  Changing the translator operation in 12.3
has screwed it for everyone else I think.

  Please someone, tell me the documentation is wrong and that the
nat timeout commands do apply to overloads!

Ted
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list