On 06/03/2012 14:14, Nikolay Shopik wrote: > As soon IOS NAT sees close/fin or fin/ack bits, it set session to 5 minutes > to expire. So only not proper closed session become there for 24 hours iirc. that would make a nice nat slot DoS vector. Sounds like on a public facing device you would want to tune this down to something quite small. Nick