Re: NAT timeout

grimard_cisco · ‎06-08-2006

Hi,

I have a problem with a Cisco 1841 router running IOS Version 12.3(11)T5.

I use NAT to access the Internet through the router.

Sometimes, around 3-4 times a day, all Internet access stops because our DNS

server cannot access the Internet to resolve addresses. All Internet

communication from this server is stoped. If I issue a "clear ip nat

translation *" command to the router it works again.

I heard that the default NAT timeout value are not optimum and that i should

enter different values for tcp, udp and dns timeouts. Is it right ?

Here's my config. Thank you for your advice.

------

Current configuration : 3894 bytes

!

version 12.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname gateway

!

boot-start-marker

boot system flash flash:c1841-entbase-mz.123-11.T5.bin

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

!

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

no ip source-route

ip cef

!

ip tcp synwait-time 10

!

no ip bootp server

ip domain name grimard.ca

ip name-server 198.x.x.130

no ftp-server write-enable

!

interface FastEthernet0/0

description Bersimis$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE

0$$ETH-LAN$

ip address 10.1.1.200 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache flow

duplex auto

speed auto

no cdp enable

no mop enabled

!

interface FastEthernet0/1

description Internet$ETH-LAN$

ip address XX.XX.244.58 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip route-cache flow

duplex auto

speed auto

no cdp enable

no mop enabled

!

interface FastEthernet0/0/0

no ip address

no cdp enable

!

interface FastEthernet0/0/1

no ip address

no cdp enable

!

interface FastEthernet0/0/2

no ip address

no cdp enable

!

interface FastEthernet0/0/3

no ip address

no cdp enable

!

interface Vlan1

description DMZ

ip address 10.1.5.11 255.255.255.0

ip nat inside

!

ip classless

ip route 0.0.0.0 0.0.0.0 XX.XX.244.57 permanent

!

ip http server

ip http authentication local

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat inside source list 100 interface FastEthernet0/1 overload

ip nat inside source static tcp 10.1.5.13 25 XX.XX.244.58 25 extendable

ip nat inside source static tcp 10.1.5.13 80 XX.XX.244.58 80 extendable

ip nat inside source static tcp 10.1.5.13 110 XX.XX.244.58 110 extendable

ip nat inside source static tcp 10.1.5.13 443 XX.XX.244.58 443 extendable

ip nat inside source static tcp 10.1.1.17 3389 XX.XX.244.58 3389 extendable

!

logging trap debugging

access-list 100 permit ip 0.0.0.0 10.255.255.255 any

no cdp run

!

control-plane

!

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet

line vty 5 15

privilege level 15

login local

transport input telnet

!

scheduler allocate 4000 1000

end

globalnettech · ‎06-08-2006

Hello,

I am not sure if your NAT timeouts are the problem. You might want to try and add a static NAT entry for your DNS as following:

ip nat inside source static udp 10.1.5.13 53 x.x.244.58 53 extendable

(this is assuming that 10.1.5.13 is the internal IP address of your DNS server, if the address is a different one, change it accordingly)...

Regards,

GNT

grimard_cisco · ‎06-09-2006

Thank you.

I'll try that and post the results.

grimard_cisco · ‎06-09-2006

Alas, I still had the problem twice this morning.

Anything else to try ?

sean · ‎06-09-2006

What is the translation count up to when you have to clear it? I see that you are overloading on a sinle IP as far as NAT is concerned. If you have a lot of traffic from the inside trying to go out (possibly even virus or worm) the you could be hitting your translation limit (somewhere around 65,000) for a single ip address. Hope this helps.

grimard_cisco · ‎06-12-2006

I have around 400 nat translations when I have to clear them.

I have 5 other public IP adresses available. Would it help if I add them ? or should I add one only to nat my mail/dns server ?

Thank you.

sean · ‎06-12-2006

400 translations should not be killing your connection. I did run into an issue one time on an ASA5540. I was overloading on a single IP and at different intervals, it would stop allow new VPN connections. I wound up shifting the overload to a different IP address other than the outside IP address. I would try and create a new overload or a pool with your other IPs and just nat on those and not the outside address. Hope this helps.

NAT timeout

"ip nat translation timeout" command

How to configure a NAT translation timeout

Controlando o Timeout de suas Sessões

NSO device timeouts demystified

Static NAT の設定例