
Cleaning the dynamic NAT table?

Status
Not open for further replies.

IllegalOperation

Technical User
Jan 27, 2003
206
US
I have a network right now with about 100 residential users. Unfortunately, I was only able to obtain a /28 block of public IPs....so I implemented NAT on my core router (7206VXR) to accommodate everyone.

The problem is - my customers have been killing this router's NAT table. Last night one customer alone had over 60,000 NAT entries, which brought the CPU up to 70% (normally it's around 2%). I cleared out the NAT table, but this customer filled it up all over again in a matter of hours. It didn't really look like a virus, because there were no patterns with the outside port numbers - and the data was coming in abnormally fast. All I know is that I temporarily shut him off last night, and I am still trying to research what exactly he was doing.

Anyways, the point of this post was to ask if there are any ways of automatically preventing this from happening in the future. Is there something with the IOS that will allow me to automatically purge the entry table, perhaps once a day? What would be perfect is if there's a way that the router automatically cleans its table after it reaches a certain "threshold".

Anyone have any suggestions, other than using Public IPs? I DO have access lists that block ports that have been known to cause havoc with a dynamic NAT table. Quite frankly, those access lists are growing by the day. Let me know if anyone needs additional information. Thanks...
 
Sorry to say that I do not have much to say about the NAT entries except for possibly using a timeout option:
ip nat translation timeout <seconds>
ip nat translation udp-timeout <seconds>
ip nat translation dns-timeout <seconds>
ip nat translation tcp-timeout <seconds>
ip nat translation finrst-timeout <seconds>


Here is something else I just ran across, 'Rate Limiting NAT Translations': ip nat translation max-entries host X.X.X.X 300

Also, the NAT translations will take a toll on your router's memory, as each translation slot uses a byte block of memory. You could consider maxing out the memory capacity (if monetarily possible).

-gC-
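An added example (not from this thread) of the threshold check the original post asks for: it parses `show ip nat translations` output, counts entries per inside host, and emits the per-host `max-entries` cap mentioned above for any host over the threshold. The sample output, addresses and threshold values are constructed.

```python
"""Count NAT entries per inside host from `show ip nat translations` output and
flag hosts above a threshold. Added example; sample lines are constructed."""
from collections import Counter
import re

# Constructed sample of `show ip nat translations` output (IOS column layout).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1024   10.1.1.50:1024     198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1025   10.1.1.50:1025     198.51.100.7:443   198.51.100.7:443
udp 203.0.113.5:53000  10.1.1.50:53000    198.51.100.9:53    198.51.100.9:53
udp 203.0.113.5:53001  10.1.1.50:53001    198.51.100.10:6881 198.51.100.10:6881
tcp 203.0.113.6:2048   10.1.1.77:2048     198.51.100.7:80    198.51.100.7:80
--- 203.0.113.7        10.1.1.90          ---                ---
"""

# One translation per line: protocol (or --- for a static entry) then four address columns.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)

def parse_translations(text):
    """Return (proto, inside_local_ip, outside_global) for every entry line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank, or "Total translations" lines
        inside_ip = m.group("il").rsplit(":", 1)[0]  # drop :port if present
        entries.append((m.group("proto"), inside_ip, m.group("og")))
    return entries

def entries_per_host(text):
    """Map inside-local IP -> number of translation entries it holds."""
    return Counter(ip for _, ip, _ in parse_translations(text))

def hosts_over_threshold(text, threshold):
    """Inside hosts with more than `threshold` entries, busiest first."""
    counts = entries_per_host(text)
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda t: -t[1])

def max_entries_commands(text, threshold, limit):
    """Per-host cap lines (IOS `ip nat translation max-entries host`) for offenders."""
    return [f"ip nat translation max-entries host {ip} {limit}"
            for ip, _ in hosts_over_threshold(text, threshold)]

if __name__ == "__main__":
    for ip, n in hosts_over_threshold(SAMPLE_OUTPUT, 3):
        print(f"{ip}: {n} entries")
```

Feed it the saved output of the show command (or poll the router on a schedule) and alert or apply the suggested cap when a host crosses the threshold.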
 
What ports did the NAT table say that customer was using? If he was filling it up that quick, I highly suspect a virus probably using his machine for DoS attacks. Or him doing it on purpose. 60,000 entries for one machine isn't very common.

BierHunter
CNE, MCSE, CCNP
 
illegalOperation,
glad to help out.

It didn't really look like a virus, because there were no patterns with the outside port numbers - and the data was coming in abnormally fast. All I know is that I temporarily shut him off last night, and I am still trying to research what exactly he was doing.

BierHunter stated that it could potentially be a virus, which is possible, but I have also seen that behavior in some whacky peer-to-peer file sharing programs. Think about it... that possibly could occur if he is sharing movies and/or music for folks to download (or vice versa). Just my 2-cent theory (hope I don't send you off to "chase ghosts" though). I'd check out the port #'s. Hope this helps.

-gC-
 