Random outside traffic preventing NAT translation time out

thomasmcleod
Level 1

I'm using a non-overloaded pool in the 881w router with 8 inside global IPs. However, once 8 hosts connect, no more can ever connect because no translations ever expire. Upon examination, it appears that random TCP probes and scans from the outside are resetting the translation time out.

I DO have an ACL on the WAN side that blocks this traffic, but apparently not from the NAT engine. What is wrong here?


7 Replies

manish arora
Level 6

Access lists are scanned before NAT in the Cisco IOS order of operations. Can you please paste the NAT configuration here (minus your public IPs)?

Manish

Thanks for responding.

Here it is, minus crypto commands (attached).

Thomas McLeod

Hi,

The configuration that you are using will only allow 8 hosts (whichever 8 hosts reach the router first) to be NATed, and this NAT entry will stay active for at least 24 hours for TCP connections unless a TCP RST or FIN packet is seen.

Now, I am not sure what you are trying to accomplish here, but in normal circumstances you would use overload NAT so that all hosts on the inside of the network can use those few public IPs to communicate with the Internet.

In case you have to have no-overload NAT but need entries to time out, then you can adjust the timeouts using the following commands (given they are supported on your IOS):

ip nat translation udp-timeout

ip nat translation dns-timeout

ip nat translation tcp-timeout

ip nat translation finrst-timeout

I would still suggest using overload NAT in this scenario, or get more public IPs if you want one-to-one NAT.

Manish

Hi Manish,

What I'm trying to accomplish is simply to have each host have its own outside IP without sharing.

The ip nat translation xxx-timeout commands all have defaults less than or equal to the overall translation timeout.

The question is why doesn't the WAN_IN ACL prevent random traffic that keeps the translation alive?

Would you please post something that you used to conclude that the WAN_IN ACL is not working as expected?

Manish

Not sure if I missed it, but I can't find where you enable your WAN_IN ACL (I could only find one match for the keyword WAN_IN in your configuration).

output of sh access-list may help.
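An added configuration example, not Thomas's posted config and not part of the thread: it shows the pattern the accepted answer points at, an ACL that is defined but never applied to the WAN interface, beside the corrected stanza. Interface names, addresses, the pool name and the ACL entries are assumed placeholders; WAN_IN and the timeout commands are the ones named in the thread.

```cisco
! Added example (not from the thread). Addresses, interface names and the
! pool/ACL contents are assumed placeholders for an 881-class router.
!
! Non-overloaded pool: 8 inside global addresses, one per inside host.
ip nat pool POOL8 203.0.113.11 203.0.113.18 netmask 255.255.255.0
ip access-list standard INSIDE_HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list INSIDE_HOSTS pool POOL8
!
! Inbound filter: only return traffic for sessions opened from the inside.
! Note: "established" still admits ACK/RST-flagged probes; stateful
! inspection (ip inspect / zone-based firewall) is tighter if that matters.
ip access-list extended WAN_IN
 permit tcp any any established
 permit udp any eq 53 any
 deny   ip any any log
!
! BEFORE: WAN_IN exists but is never applied. Unsolicited packets to any of
! the 8 global addresses reach the NAT engine, match the IP-to-IP entry for
! that address and refresh its timer, so entries never age out.
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! AFTER: apply the ACL inbound on the WAN interface. An inbound ACL is
! evaluated before outside-to-inside NAT, so the probes are dropped before
! they can touch a translation and entries expire on the normal timers.
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group WAN_IN in
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Optional: shorten the timers (IOS defaults: tcp 86400s, udp 300s,
! dns 60s, finrst 60s). Values are in seconds.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
!
! Verify: a rising hit count on the deny line shows the ACL is actually
! filtering, and translation entries should show a decreasing timeout.
! show access-lists WAN_IN
! show ip nat translations verbose
```

The `show access-lists` check is the one the accepted answer asks for: if the deny line never accrues hits while probes are clearly arriving, the ACL is not bound to the interface.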

I need to wait for the translation timeout to verify, but I believe you found the issue with the configuration. Sometimes it just takes another set of eyes on the problem.
