Adjusting NAT Timers
Problem
You want to change the length of time that NAT entries remain active.
Solution
The router will keep NAT entries in the translation table for a
configurable length of time. For TCP connections, the default timeout period is
86,400 seconds, or 24 hours. Because UDP is not connection based, the default
timeout period is much shorter, only 300 seconds, or 5 minutes. The router will
remove translation table entries for DNS queries after only 60 seconds.
You can adjust these parameters using the ip nat translation command, which accepts arguments
in seconds:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation tcp-timeout 500
Router(config)#ip nat translation udp-timeout 30
Router(config)#ip nat translation dns-timeout 30
Router(config)#ip nat translation icmp-timeout 30
Router(config)#ip nat translation finrst-timeout 30
Router(config)#ip nat translation syn-timeout 30
Router(config)#end
Router#
To save router memory, you can also define a maximum number of
NAT translation table entries:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat translation max-entries 1000
Router(config)#end
Router#
Discussion
There are many reasons for adjusting these various timeout
parameters; most are related to router performance. If sessions are generally
short-lived, it is a waste of memory to maintain the NAT entries for a long
time. The finrst-timeout and syn-timeout parameters are also
useful when the router is connected to the public Internet because they can help
to prevent denial of service attacks that are based
on sending TCP control packets such as SYN, ACK, and FIN. If the router only
keeps the NAT entries associated with these packets for a brief period of time,
you can help to limit the impact of such attacks.
We recommend using extreme caution with the max-entries command:
Router(config)#ip nat translation max-entries 1000
When you set a limit like this, the router rejects any
additional attempts to use NAT. So, in this example, if you already had 1,000
NAT table entries, the router would simply drop any new connection attempts.
This can be useful to prevent excessive NAT processing from overloading the
router, but it can also block legitimate access.
It is difficult to select a useful upper limit to the size of
the NAT table in general. In most cases, it is best to use the default, which
does not enforce any upper limit. You should use this command only if you start
to run into serious memory or CPU utilization problems. Because it tells the
router to refuse any further requests, however, restricting the table size like
this should be a last resort. In most cases, it is more effective to decrease
the various timeout values as shown in this recipe.
Start by looking at your NAT translation table, as shown in Recipe
21.12, and see what most of the entries look like. If you are using the
overload option, you may find that there are several different entries
for each internal host, each for different port numbers or protocols. The
relatively long 24-hour timeout period for TCP sessions is probably the best
place to start. You can usually reduce this drastically without causing
application problems, and it could give a significant improvement to the size of
the NAT table.
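The check suggested above, looking at what the translation table actually contains before shortening any timer, can be done offline against a captured listing. The following Python script is an added example, not part of the Cisco IOS Cookbook: it parses a saved copy of show ip nat translations verbose, counts entries per governing timer (tcp, udp, dns, icmp, static) and per inside host, and then reports how many entries had already been idle longer than the timer values used in this recipe (tcp 500, udp 30, dns 30, icmp 30), which is a direct estimate of how much table space those values would have freed. The embedded capture is constructed with RFC 5737 documentation addresses and only approximates the real verbose layout (the create/use fields are treated as elapsed HH:MM:SS ages and the timeout field as milliseconds); point the parser at your own router's output instead.

```python
"""Size up a captured 'show ip nat translations verbose' listing before
shortening NAT timers.  Added example, not from the Cisco IOS Cookbook.
The SAMPLE capture is constructed and only approximates real IOS output."""
import re
from collections import Counter

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.1:1024     10.1.1.5:1024      198.51.100.7:80    198.51.100.7:80
    create 12:10:00, use 11:58:30, timeout 86400000, flags: extended
tcp 192.0.2.1:1025     10.1.1.5:1025      198.51.100.7:443   198.51.100.7:443
    create 00:00:40, use 00:00:02, timeout 86400000, flags: extended
udp 192.0.2.1:53000    10.1.1.6:53000     198.51.100.53:53   198.51.100.53:53
    create 00:00:50, use 00:00:50, timeout 60000, flags: extended
udp 192.0.2.1:40000    10.1.1.6:40000     198.51.100.9:123   198.51.100.9:123
    create 00:04:00, use 00:04:00, timeout 300000, flags: extended
tcp 192.0.2.1:1026     10.1.1.8:1026      198.51.100.20:22   198.51.100.20:22
    create 02:00:00, use 00:20:00, timeout 86400000, flags: extended
--- 192.0.2.2          10.1.1.7           ---                ---
"""

# One translation per line; the verbose detail line that follows it carries the ages.
ENTRY_RE = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
DETAIL_RE = re.compile(r"create (\d+:\d+:\d+), use (\d+:\d+:\d+), timeout (\d+)")

# Timer values from the recipe's Solution section, in seconds.
PROPOSED = {"tcp": 500, "udp": 30, "dns": 30, "icmp": 30}


def parse_hms(text):
    """'HH:MM:SS' elapsed time -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def split_addr(field):
    """'10.1.1.5:1024' -> ('10.1.1.5', 1024); '---' or a bare address -> (field, None)."""
    host, sep, port = field.rpartition(":")
    return (host, int(port)) if sep else (field, None)


def parse_translations(text):
    """Return one dict per translation; static ('---') entries get proto 'static'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            proto, _ig, inside_local, _ol, outside_global = m.groups()
            host, port = split_addr(inside_local)
            entries.append({
                "proto": "static" if proto == "---" else proto,
                "inside_host": host,
                "inside_port": port,
                "outside_port": split_addr(outside_global)[1],
                "idle": None,     # seconds since last use, from the detail line
                "timeout": None,  # configured timer in seconds, from the detail line
            })
            continue
        d = DETAIL_RE.search(line)
        if d and entries:
            entries[-1]["idle"] = parse_hms(d.group(2))
            entries[-1]["timeout"] = int(d.group(3)) // 1000  # assumed to be ms
    return entries


def classify(entry):
    """Which NAT timer governs the entry: dns (UDP to port 53), tcp, udp, icmp or static."""
    if entry["proto"] == "udp" and entry["outside_port"] == 53:
        return "dns"
    return entry["proto"]


def summarize(entries):
    """Counts per governing timer and per inside host (several per host with overload)."""
    return (Counter(classify(e) for e in entries),
            Counter(e["inside_host"] for e in entries))


def would_expire(entries, proposed):
    """Entries already idle longer than the proposed timer for their class.
    A shorter timer would have cleared these; static entries never age out."""
    return [e for e in entries
            if classify(e) in proposed and e["idle"] is not None
            and e["idle"] >= proposed[classify(e)]]


if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    by_timer, by_host = summarize(entries)
    gone = would_expire(entries, PROPOSED)
    print("entries per timer:", dict(by_timer))
    print("entries per inside host:", dict(by_host))
    print(f"{len(gone)} of {len(entries)} entries would already have aged out")
    for e in gone:
        print(f"  {e['proto']} {e['inside_host']}:{e['inside_port']} idle {e['idle']}s")
```

Run it against a capture taken at a busy time of day; if most TCP entries turn up in the "would already have aged out" list while the live sessions are untouched, the shorter tcp-timeout is safe, and the per-host counter shows whether overload port fan-out rather than long-lived sessions is what fills the table.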
See Also