[c-nsp] help on NAT rate limiting

Ted Mittelstaedt tedm at toybox.placo.com
Thu Dec 30 01:11:10 EST 2004



> -----Original Message-----
> From: Church, Chuck [mailto:cchurch at netcogov.com]
> Sent: Wednesday, December 29, 2004 6:04 AM
> To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] help on NAT rate limiting
>
>
> Ted,
>
> 	Sorry, the per host limiting is a 12.3T feature that was
> discussed about a month ago:
> https://puck.nether.net/pipermail/cisco-nsp/2004-November/014524.html
> That's the one I was thinking about, and probably what you're looking
> for.
> 	Limiting each host to say 50 or 100 connections should probably
> suffice for most purposes.

I don't think this will work.  What will happen is each host will
just use up its 50 translation entries, then none of the hosts
will be able to open new TCP connections until 24 hours have passed.
It is important to keep in mind that I'm not trying to contain a group of
hosts inside the network that are doing anything unusual.

I'm getting more convinced this is a bug.  For some reason the
translator in IOS 12.3 is not removing translation entries for
some or most of the TCP connections after they are closed.

So far,

ip nat translation tcp-timeout 1200

seems to be working.  But it is working of course by the hack-and-slash
method.  Since the translator in IOS 12.3 seems to be busted, the tcp
timeout is chopping off the translation entries that the translator is
not properly tearing down.

This is suboptimal for anything like a Telnet session that is
idle for more than 20 minutes and doesn't use keepalives - as
Daniel Hagerty pointed out.  Fortunately for this customer
they aren't doing that - as I pointed out to Daniel that is a
border condition that rarely happens.

Ted
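Added example, not part of Ted's post or of any cisco-nsp reply: before reaching for either a per-host cap or a shortened tcp-timeout, the check a practitioner would want is how many translation entries each inside host is actually holding, and how many of them are TCP (the only ones `ip nat translation tcp-timeout` will reap). The script below parses the table printed by `show ip nat translations` and answers both questions; the sample output is constructed to look like that table (addresses are documentation ranges, not from the thread), and the per-host limit of 50 is taken from the quoted suggestion above.

```python
"""Count live NAT translations per inside host from `show ip nat translations`.

Added example: the sample below is constructed, not captured from the router
in the thread. Real output has the same five-column layout; static mappings
without ports show the protocol column as '---'.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like IOS `show ip nat translations` output.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1024   10.0.0.7:49152     198.51.100.10:80   198.51.100.10:80
tcp 203.0.113.5:1025   10.0.0.7:49153     198.51.100.10:80   198.51.100.10:80
tcp 203.0.113.5:1026   10.0.0.7:49154     198.51.100.11:443  198.51.100.11:443
udp 203.0.113.5:1027   10.0.0.7:53001     198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.5:1028   10.0.0.9:40000     198.51.100.10:80   198.51.100.10:80
--- 203.0.113.6        10.0.0.20          ---                ---
"""

# Exactly five whitespace-separated fields; the header has more and is skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text):
    """Return a list of (proto, inside_local_ip) for every dynamic translation.

    Static '---' rows are skipped: they have no protocol and are never aged
    out by the tcp-timeout, so they do not count toward the problem here.
    """
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) == "Pro":
            continue
        proto, _inside_global, inside_local, _out_local, _out_global = m.groups()
        if proto == "---":
            continue
        host = inside_local.rsplit(":", 1)[0]  # strip the port
        entries.append((proto, host))
    return entries


def per_host_counts(entries):
    """Map inside host -> Counter of protocol -> number of entries."""
    counts = defaultdict(Counter)
    for proto, host in entries:
        counts[host][proto] += 1
    return counts


def hosts_at_limit(counts, limit):
    """Hosts that already hold `limit` or more entries, i.e. that a per-host
    max-entries cap of `limit` would lock out of new connections."""
    return sorted(h for h, c in counts.items() if sum(c.values()) >= limit)


def count_by_proto(entries):
    """Total entries per protocol; the 'tcp' figure is what tcp-timeout governs."""
    return Counter(proto for proto, _host in entries)


if __name__ == "__main__":
    found = parse_translations(SAMPLE)
    by_host = per_host_counts(found)
    for host, c in sorted(by_host.items()):
        print(f"{host:<12} total={sum(c.values()):<4} {dict(c)}")
    print("by protocol:", dict(count_by_proto(found)))
    # 50 is the per-host cap suggested in the quoted reply above.
    print("hosts that would hit a 50-entry cap:", hosts_at_limit(by_host, 50))
```

Feed it the pasted output of `show ip nat translations` instead of `SAMPLE`; if the TCP count per host keeps climbing while the hosts' actual open connections do not, that is the symptom described above, and the per-host figures tell you which cap value would start locking hosts out. `show ip nat statistics` gives the overall total for comparison.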


