NAT Translations - Virus

vanagon2tdi
Level 1

Whenever we have a virus on one of our customer sites, it loads the firewall up with NAT translations. Is it possible to limit the number of NAT translations the firewall allows for one IP? Or the number of connections per IP? We want to stop the firewall from crashing every time we have a virus on a site.

Thanks.

Dave

2 Replies

piseli
Level 1

If it is a PIX?

You have three choices to stop virus infected hosts:

1.) Limit connections: configure maximum connection and embryonic connection limits to protect against DoS attacks:

Usage: [no] nat [(if_name)] nat_id {local_ip [netmask]} | {access-list acl_name} [dns] [norandomseq] [outside] [max_conns [em_limit]]

max_conns = The maximum connections permitted to hosts accessed from local_ip. The default = 0 (unlimited).

em_limit = The maximum embryonic connections permitted to hosts accessed from local_ip. The default = 0 (unlimited).

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 5000 5000

pixfirewall(config)# nat (dmz) 1 0.0.0.0 0.0.0.0 500 500

Do a "show nat" to see which NAT number is assigned to your global with the same number.

example:

pix(config)# sh nat

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

See: http://www.ciscopress.com/articles/article.asp?p=24685&seqNum=4

After changing the nat options, this needs a "clear xlate", which resets the translations.

This should usually be done outside business hours.

2.) Another option could be to add an inside access-list and block the unneeded protocols, ports or hosts!

Identify the hosts and try adding a temporary access-list to the inside interface.

example:

access-list inside deny ip host 192.168.1.200 any

access-list inside deny ip host 192.168.1.33 any

access-list inside permit ip any any

access-group inside in interface inside

or limit a hosts protocol

access-list inside deny icmp host 192.168.1.200 any echo

access-list inside deny tcp host 192.168.1.20 any eq www

access-list inside permit ip any any

access-group inside in interface inside

3.) Use the "shun" command to block a host.

Hope it helps

Patrick
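As an added example (not part of this thread, and not Cisco's code), the following script shows the detection side of Patrick's options 1 and 2: it counts the active translations per inside host from "show xlate" output and renders the temporary inside access-list from his example for the hosts that exceed a threshold. The "show xlate" line format it parses ("[PAT] Global ip[(port)] Local ip[(port)]") is an approximation of PIX 6.x output and is an assumption; the sample output and addresses below are constructed, not captured from a real device.

```python
import re
from collections import Counter

# Constructed sample "show xlate" output (assumption: approximate PIX 6.x format,
# one translation per line). Not captured from a real firewall.
SAMPLE_XLATE = """\
6 in use, 6 most used
PAT Global 203.0.113.5(1024) Local 192.168.1.200(40001)
PAT Global 203.0.113.5(1025) Local 192.168.1.200(40002)
PAT Global 203.0.113.5(1026) Local 192.168.1.200(40003)
PAT Global 203.0.113.5(1027) Local 192.168.1.33(51000)
Global 203.0.113.6 Local 192.168.1.10
PAT Global 203.0.113.5(1028) Local 192.168.1.200(40004)
"""

# Match "Global <ip>[(port)] Local <ip>[(port)]"; the optional "PAT" prefix
# and the ports are ignored, only the inside (Local) address is kept.
IPV4 = r"\d+(?:\.\d+){3}"
XLATE_RE = re.compile(
    rf"Global\s+({IPV4})(?:\(\d+\))?\s+Local\s+({IPV4})(?:\(\d+\))?"
)


def count_translations(show_xlate):
    """Return a Counter of active translations keyed by inside (Local) host."""
    counts = Counter()
    for line in show_xlate.splitlines():
        match = XLATE_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def noisy_hosts(show_xlate, threshold):
    """Inside hosts holding more than `threshold` translations, busiest first.

    A host far above its neighbours is the usual sign of an infected machine
    scanning outward and filling the translation table.
    """
    counts = count_translations(show_xlate)
    flagged = [(host, n) for host, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def temporary_inside_acl(hosts, acl_name="inside", interface="inside"):
    """Render the temporary inside ACL from the thread for the flagged hosts.

    Deny lines come first, then the permit-any and the access-group that
    applies the list inbound on the inside interface.
    """
    lines = [f"access-list {acl_name} deny ip host {host} any" for host in hosts]
    lines.append(f"access-list {acl_name} permit ip any any")
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    # Flag anything holding more than 2 translations in the constructed sample.
    flagged = noisy_hosts(SAMPLE_XLATE, threshold=2)
    for host, n in flagged:
        print(f"{host}: {n} translations")
    print("\n".join(temporary_inside_acl([host for host, _ in flagged])))
```

On a real firewall the threshold would be set from the normal per-host translation count seen during business hours, and the generated lines reviewed before being pasted into the config, since the same permit-any line must stay last.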

Actually it is not a PIX, it's a 3662. Do any of these apply to the 3600?

Dave