
Recipe 21.7 Adjusting NAT Timers

21.7.1 Problem

You want to change the length of time that NAT entries remain active.

21.7.2 Solution

The router will keep NAT entries in the translation table for a configurable length of time. For TCP connections, the default timeout period is 86,400 seconds, or 24 hours. Because UDP is not connection-based, the default timeout period is much shorter: only 300 seconds (5 minutes). The router will remove translation table entries for DNS queries after only 60 seconds.

You can adjust these parameters using the ip nat translation command, which accepts arguments in seconds:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip nat translation tcp-timeout 500
Router(config)#ip nat translation udp-timeout 30
Router(config)#ip nat translation dns-timeout 30
Router(config)#ip nat translation icmp-timeout 30
Router(config)#ip nat translation finrst-timeout 30
Router(config)#ip nat translation syn-timeout 30
Router(config)#end
Router#

To save router memory, you can also define a maximum number of NAT translation table entries:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip nat translation max-entries 1000
Router(config)#end
Router#

21.7.3 Discussion

There are many reasons for adjusting these various timeout parameters; most are related to router performance. If sessions are generally short-lived, it is a waste of memory to maintain the NAT entries for a long time. The finrst-timeout and syn-timeout parameters are also useful when the router is connected to the public Internet because they can help to prevent DoS attacks that are based on sending TCP control packets such as SYN, ACK, and FIN. If the router keeps the NAT entries associated with these packets for only a brief period of time, it helps to limit the impact of such attacks.

We recommend using extreme caution with the max-entries command:

Router(config)#ip nat translation max-entries 1000

When you set a limit like this, the router will reject any additional attempts to use NAT. So, in this example, if you already had 1000 NAT table entries, the router would simply drop any new connection attempts. This can be a useful way to prevent excessive NAT processing from overloading the router, but it can also block legitimate access.

It is difficult to select a useful upper limit to the size of the NAT table in general. In most cases it is best to use the default, which does not enforce any upper limit. You should use this command only if you start to run into serious memory or CPU utilization problems. Because restricting the table size tells the router to refuse any further requests, this method should be a last resort. In most cases it is more effective to decrease the various timeout values as shown in this recipe.

Start by looking at your NAT translation table (as shown in Recipe 21.9), and see what most of the entries look like. If you are using the overload option, you may find that there are several different entries for each internal host, each for different port numbers or protocols. The relatively long 24-hour timeout period for TCP sessions is probably the best place to start. Decreasing the size of the NAT table by reducing this timeout period will not cause any application problems.
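A small Python helper, added here as an example and not part of the book, that does the triage step just described: it parses `show ip nat translations` output (the sample rows below are constructed, not from the book), counts entries per timer class and per inside host, and estimates how many entry-seconds each timer class contributes under the default timeouts versus the values set in this recipe. The recipe gives no icmp default, so icmp entries are counted but not weighted.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show ip nat translations` (overload in
# use, so one inside host owns several entries); not taken from the book.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1024   10.1.1.10:1024     198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1025   10.1.1.10:1025     198.51.100.7:443   198.51.100.7:443
tcp 203.0.113.5:1026   10.1.1.11:1026     198.51.100.9:22    198.51.100.9:22
udp 203.0.113.5:40001  10.1.1.10:40001    198.51.100.53:53   198.51.100.53:53
udp 203.0.113.5:40002  10.1.1.11:40002    198.51.100.12:123  198.51.100.12:123
icmp 203.0.113.5:1     10.1.1.12:1        198.51.100.7:1     198.51.100.7:1
--- 203.0.113.6        10.1.1.20          ---                ---
"""

# Defaults quoted in the recipe (seconds); 'dns' covers UDP port 53 entries.
DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "dns": 60}

ENTRY = re.compile(
    r"^(?P<pro>\S+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$")


def parse_translations(text):
    """Return one dict per dynamic entry; static '---' rows never age out, so skip them."""
    entries = []
    for line in text.splitlines()[1:]:           # first line is the column header
        m = ENTRY.match(line)
        if not m or m.group("pro") == "---":
            continue
        host, _, port = m.group("il").rpartition(":")
        _, _, oport = m.group("og").rpartition(":")
        pro = m.group("pro")
        # DNS queries (UDP to port 53) are aged with dns-timeout, not udp-timeout
        timer = "dns" if pro == "udp" and oport == "53" else pro
        entries.append({"pro": pro, "host": host, "port": port, "timer": timer})
    return entries


def summarize(entries):
    """Count entries per timer class and per inside host (overload spreads hosts over ports)."""
    by_timer = Counter(e["timer"] for e in entries)
    by_host = Counter(e["host"] for e in entries)
    return by_timer, by_host


def occupancy(entries, timeouts):
    """Estimate entry-seconds per timer class (count * timeout) for the timers given."""
    counts = Counter(e["timer"] for e in entries)
    return {t: counts[t] * secs for t, secs in timeouts.items() if counts[t]}
```

Running occupancy() with DEFAULT_TIMEOUTS and then with {"tcp": 500, "udp": 30, "dns": 30} shows the TCP class dominating the table under the defaults, which is why the 24-hour TCP timeout is the first thing to reduce.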

21.7.4 See Also

Recipe 21.9
