Adjusting NAT Timers

Problem

You want to change the length of time that NAT entries remain active.

Solution

The router will keep NAT entries in the translation table for a configurable length of time. For TCP connections, the default timeout period is 86,400 seconds, or 24 hours. Because UDP is not connection based, the default timeout period is much shorteronly 300 seconds, or 5 minutes. The router will remove translation table entries for DNS queries after only 60 seconds.

You can adjust these parameters using the ip nat translation command, which accepts arguments in seconds:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#ip nat translation tcp-timeout 500 Router(config)#ip nat translation udp-timeout 30 Router(config)#ip nat translation dns-timeout 30 Router(config)#ip nat translation icmp-timeout 30 Router(config)#ip nat translation finrst-timeout 30 Router(config)#ip nat translation syn-timeout 30 Router(config)#end Router#

To save router memory, you can also define a maximum number of NAT translation table entries:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#ip nat translation max-entries 1000 Router(config)#end Router#

 

Discussion

There are many reasons for adjusting these various timeout parameters; most are related to router performance. If sessions are generally short-lived, it is a waste of memory to maintain the NAT entries for a long time. The finrst-timeout and syn-timeout parameters are also useful when the router is connected to the public Internet because they can help to prevent denial of service attacks that are based on sending TCP control packet such as SYN, ACK, and FIN. If the router only keeps the NAT entries associated with these packets for a brief period of time, you can help to limit the impact of such attacks.

We recommend using extreme caution with the max-entries command:

Router(config)#ip nat translation max-entries 1000

When you set a limit like this, the router rejects any additional attempts to use NAT. So, in this example, if you already had 1,000 NAT table entries, the router would simply drop any new connection attempts. This can be useful to prevent excessive NAT processing from overloading the router, but it can also block legitimate access.

It is difficult to select a useful upper limit to the size of the NAT table in general. In most cases, it is best to use the default, which does not enforce any upper limit. You should use this command only if you start to run into serious memory or CPU utilization problems. Because it tells the router to refuse any further requests, however, restricting the table size like this should be a last resort. In most cases, it is more effective to decrease the various timeout values as shown in this recipe.

Start by looking at your NAT translation table, as shown in Recipe 21.12, and see what most of the entries look like. If you are using the overload option, you may find that there are several different entries for each internal host, each for different port numbers or protocols. The relatively long 24-hour timeout period for TCP sessions is probably the best place to start. You can usually reduce this drastically without causing application problems, and it could give a significant improvement to the size of the NAT table.

See Also

Recipe 21.12

Категории