Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco NAT

Status
Not open for further replies.
homeskillet

homeskillet

IS-IT--Management
Jan 17, 2002
6
US
We have a Cisco 2611 (IOS v11.3(6)T) running nat for about 150 residents in an apartment building. We recently applied a few access control lists that prevent P2P applications, which works fine in blocking the traffic.

The problem is that it appears as though having a few people using Kazaa or Morpheus can get the router to back up and stop routing packets. Our current fix is to clear the IP NAT Translations every half-hour. We also have the dynamic NAT timeout set to 30 seconds, and the max translation set to 2000. We are still encountering routing problems.

The question is...is there any way to get the router to clear its translations manually, or keep it up under a heavy load?

I know that there may be more info that you need, and any ideas would be greatly appreciated.
 
Sort by date Sort by votes
I don't know anything about the applications that your mentioned. However, it isn't uncommon for problems to pop up shortly after implementing new routing policy (aka access lists), especially on lower end routers. Have you done anything like 'sh proc' since implementing the ACLs? Did you do any before? You may just be exceding the capability of your hardware. Look for high CPU utilization. The "official" Cisco limit on CPU utilization is no more than 75% in any five minute average.
 
Upvote 0 Downvote
Thanks for the response...and yes, we have been looking at sh proc...and we've only been getting about 5% max.

It's just weird...we've been reaching only about 4500 translations, but then people cannot get through. As soon as we go in and tell it to clear all translations and start over, people can get through better than they ever have.

Thanks again for the idea, and any others are appreciated.
 
Upvote 0 Downvote
I wonder if manipulating your NAT expirations would be of any help. Here are some default values that could be changed:

(no overloading)

simple entries: 24 hours

(using overloading)

UDP: 5 min
DNS: 1 min
TCP: 24 hours

You can use the command

router(config)#ip nat translation ?

You will then see all of the values that can be changed. Don't know if it will help you or not. But maybe translations are eating up too much memory?

Regards,

Scott
 
Upvote 0 Downvote
the best thing that you can do is go to cisco.com to find a solution..my second opinion is pls advice the user of kazaa and morpheus not to use it because it act as a proxy server that eat up ur bandwidth..
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mouafy
  • Locked
  • Question
Cisco Physical Access Manager CPAM
Replies
0
Views
191
Mouafy
Mouafy
Finnsgranny
  • Locked
  • Question
Cisco VOIP system, Cisco cannot find the problem
Replies
3
Views
184
LoPath
LoPath
PSStat
  • Locked
  • Question
Assistance - CISCO Unity, no VM internal calls
Replies
0
Views
114
PSStat
PSStat
LPS-Defence
  • Locked
  • Question
Avaya IP Office Bad Voice quality with Xperia SIP Native client
Replies
1
Views
118
janni78
janni78
syss
  • Locked
  • Question
Cisco Smartnet
Replies
1
Views
114
whykap
whykap

Part and Inventory Search

Sponsor

Back
Top