
Cisco IOS Software Releases 12.3 T

Rate Limiting NAT Translation

Table Of Contents

Rate Limiting NAT Translation

Contents

Prerequisites for Rate Limiting NAT Translation

Information About Rate Limiting NAT Translation

Benefits of Rate Limiting NAT Translation

Denial-of-Service Attacks

Viruses and Worms that Target NAT

How to Configure Rate Limiting NAT Translation

Configuring a NAT Rate Limit

Configuration Examples for Rate Limiting NAT Translation

Setting a Global NAT Rate Limit: Example

Setting NAT Rate Limits for a Specific VRF Instance: Example

Setting NAT Rate Limits for All VRF Instances: Example

Setting NAT Rate Limits for Access Control Lists: Example

Setting NAT Rate Limits for an IP Address: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

ip nat translation max-entries

ip nat translation (timeout)

show ip nat statistics


Rate Limiting NAT Translation


The Rate Limiting NAT Translation feature provides the ability to limit the maximum number of concurrent network address translation (NAT) operations on a router. In addition to giving users more control over how NAT addresses are used, the Rate Limiting NAT Translation feature can be used to limit the effects of viruses, worms, and denial-of-service attacks.

Feature History for Rate Limiting NAT Translation

Release      Modification
12.3(4)T     This feature was introduced.
12.2(25)S    This feature was implemented in Cisco IOS Release 12.2(25)S.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Rate Limiting NAT Translation

Information About Rate Limiting NAT Translation

How to Configure Rate Limiting NAT Translation

Configuration Examples for Rate Limiting NAT Translation

Additional References

Command Reference

Prerequisites for Rate Limiting NAT Translation

Before configuring rate limits for NAT translation, you must first enable NAT on your router. For additional information on NAT configuration, see the "Related Documents" section.

Information About Rate Limiting NAT Translation

To configure the Rate Limiting NAT Translation feature, you should understand the following concepts:

Benefits of Rate Limiting NAT Translation

Denial-of-Service Attacks

Viruses and Worms that Target NAT

Benefits of Rate Limiting NAT Translation

Since NAT is a CPU-intensive process, router performance can be adversely affected by denial-of-service attacks, viruses, and worms that target NAT. The Rate Limiting NAT Translation feature allows the user to limit the maximum number of concurrent NAT requests on a router.

Denial-of-Service Attacks

A denial-of-service (DoS) attack typically involves the misuse of standard protocols or connection processes with the intent to overload and disable a target, such as a router or web server. DoS attacks can come from a malicious user or from a computer infected with a virus or worm. When the attack comes from many different sources at once, such as when a virus or worm has infected many computers, it is known as a distributed denial-of-service (DDoS) attack. Such DDoS attacks can spread rapidly and involve thousands of systems.

Viruses and Worms that Target NAT

Viruses and worms are malicious programs designed to attack computer and networking equipment. While viruses are typically embedded in discrete applications and only run when executed, worms self-propagate and can quickly spread on their own. Although a specific virus or worm may not expressly target NAT, it might use NAT resources to propagate itself. The Rate Limiting NAT Translation feature can be used to limit the impact of viruses and worms that originate from specific hosts, access control lists, and VPN routing and forwarding (VRF) instances.

How to Configure Rate Limiting NAT Translation

This section contains the following procedure:

Configuring a NAT Rate Limit (required)

Configuring a NAT Rate Limit

Before you configure a NAT rate limit, you should first classify current NAT usage and determine the sources of requests for NAT translations. If a specific host, access control list, or VRF instance is generating an unexpectedly high number of NAT requests, it may be the source of a malicious virus or worm attack.

Once you have identified the source of excess NAT requests, you can set a NAT rate limit that constrains a specific host, access control list, or VRF instance, or you can set a general limit for the maximum number of NAT requests allowed regardless of their source.

SUMMARY STEPS

1. enable

2. show ip nat translations

3. configure terminal

4. ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}

5. end

6. show ip nat statistics

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip nat translations

Example:

Router# show ip nat translations

(Optional) Displays active NAT translations.

If a specific host, access control list, or VRF instance is generating an unexpectedly high number of NAT requests, it may be the source of a malicious virus or worm attack.

Step 3 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 4 

ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}

Example:

Router(config)# ip nat translation max-entries 300

Configures the maximum number of NAT entries allowed from the specified source.

The maximum number of allowed NAT entries is 2147483647, although a typical range for a NAT rate limit is 100 to 300 entries.

When configuring a NAT rate limit for all VRF instances, each VRF instance is limited to the maximum number of NAT entries that you specify.

When configuring a NAT rate limit for a specific VRF instance, you can specify a maximum number of NAT entries for the named VRF instance that is greater than or less than that allowed for all VRF instances.

Step 5 

end

Example:

Router(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 6 

show ip nat statistics

Example:

Router# show ip nat statistics

(Optional) Displays current NAT usage information, including NAT rate limit settings.

After setting a NAT rate limit, use the show ip nat statistics command to verify current NAT rate limit settings.
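Step 2 of this procedure asks you to find out which inside host is generating an unexpectedly high number of translations before you choose a limit in Step 4. The following Python script is an added example, not part of the Cisco documentation or of IOS: it parses the text of show ip nat translations (the sample output here is constructed in that command's column layout, reusing the host 10.1.25.4 from the show ip nat statistics example later on this page), counts active entries per inside local address, and produces candidate ip nat translation max-entries host commands for hosts above a threshold you choose. The threshold and limit values passed to the functions are assumptions for the small sample; on a real router the page suggests limits in the 100 to 300 range.

```python
import re
from collections import Counter

# Constructed sample output in the column layout of "show ip nat translations"
# (sample data built for this example, not captured from a real router).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.10:1024    10.1.25.4:1024     198.51.100.7:80    198.51.100.7:80
tcp 192.0.2.10:1025    10.1.25.4:1025     198.51.100.8:80    198.51.100.8:80
tcp 192.0.2.10:1026    10.1.25.4:1026     198.51.100.9:445   198.51.100.9:445
udp 192.0.2.10:1027    10.1.25.4:1027     198.51.100.10:53   198.51.100.10:53
tcp 192.0.2.10:1028    10.1.25.4:1028     198.51.100.11:445  198.51.100.11:445
tcp 192.0.2.11:1024    10.1.25.9:1024     198.51.100.7:80    198.51.100.7:80
--- 192.0.2.12         10.1.25.20         ---                ---
"""

# An IPv4 address with an optional ":port" suffix, as printed in the table.
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")


def parse_translations(text):
    """Return (protocol, inside_local_ip) for each translation row.

    The header row and blank lines are skipped. Static entries, which print
    '---' as the protocol and carry no port, are counted like any other entry
    because they occupy a slot in the translation table too.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Pro":
            continue
        match = _IP_PORT.match(fields[2])  # "Inside local" column
        if not match:
            continue  # unexpected layout; skip rather than miscount
        rows.append((fields[0], match.group(1)))
    return rows


def entries_per_host(text):
    """Count active translations per inside local address, highest first."""
    return Counter(ip for _, ip in parse_translations(text)).most_common()


def hosts_over_threshold(text, threshold):
    """Inside hosts whose entry count exceeds the chosen threshold."""
    return [(ip, n) for ip, n in entries_per_host(text) if n > threshold]


def suggest_host_limits(text, threshold, limit):
    """Candidate 'ip nat translation max-entries host' commands for the hosts
    above threshold. The threshold and limit are operator choices (assumed
    values in this example); review the list before applying it."""
    return [f"ip nat translation max-entries host {ip} {limit}"
            for ip, _ in hosts_over_threshold(text, threshold)]


if __name__ == "__main__":
    for ip, n in entries_per_host(SAMPLE_TRANSLATIONS):
        print(f"{ip:<16} {n} entries")
    for cmd in suggest_host_limits(SAMPLE_TRANSLATIONS, threshold=3, limit=300):
        print(cmd)
```

In practice the input would be the saved output of show ip nat translations; the per-host ranking is what lets you decide whether a host, list, or vrf limit fits the traffic you see, and the generated commands correspond to Step 4.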

Configuration Examples for Rate Limiting NAT Translation

This section provides the following configuration examples:

Setting a Global NAT Rate Limit: Example

Setting NAT Rate Limits for a Specific VRF Instance: Example

Setting NAT Rate Limits for All VRF Instances: Example

Setting NAT Rate Limits for Access Control Lists: Example

Setting NAT Rate Limits for an IP Address: Example

Setting a Global NAT Rate Limit: Example

The following example shows how to limit the maximum number of allowed NAT entries to 300:

Router(config)# ip nat translation max-entries 300

Setting NAT Rate Limits for a Specific VRF Instance: Example

The following example shows how to limit the VRF instance named "vrf1" to 150 NAT entries:

Router(config)# ip nat translation max-entries vrf vrf1 150

Setting NAT Rate Limits for All VRF Instances: Example

The following example shows how to limit each VRF instance to 200 NAT entries:

Router(config)# ip nat translation max-entries all-vrf 200

The following example shows how to limit the VRF instance named "vrf2" to 225 NAT entries, but limit all other VRF instances to 100 NAT entries each:

Router(config)# ip nat translation max-entries all-vrf 100
Router(config)# ip nat translation max-entries vrf vrf2 225

Setting NAT Rate Limits for Access Control Lists: Example

The following example shows how to limit the access control list named "vrf3" to 100 NAT entries:

Router(config)# ip nat translation max-entries list vrf3 100

Setting NAT Rate Limits for an IP Address: Example

The following example shows how to limit the host at IP address 127.0.0.1 to 300 NAT entries:

Router(config)# ip nat translation max-entries host 127.0.0.1 300

Additional References

The following sections provide references related to Rate Limiting NAT Translation.

Related Documents

Related Topic
Document Title

Configuring Network Address Translation (NAT)

Cisco IOS IP and IP Routing Configuration Guide

IP NAT translation

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3(4)T


Standards

Standards
Title

No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

RFC 2663

IP Network Address Translator (NAT) Terminology and Considerations

RFC 3022

Traditional IP Network Address Translator (Traditional NAT)


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

New Command

ip nat translation max-entries

Modified Commands

ip nat translation (timeout)

show ip nat statistics

ip nat translation max-entries

To limit the size of a network address translation (NAT) table to a specified maximum, use the ip nat translation max-entries command in global configuration mode. To remove a specified limit, use the no form of this command.

ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}

no ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}

Syntax Description

number

Maximum number of allowed NAT entries. Range is from 1 to 2147483647.

all-vrf

Constrains each VPN routing and forwarding (VRF) instance by the specified NAT limit.

host

Constrains an IP address by the specified NAT limit.

ip-address

The IP address subject to the NAT limit.

list

Constrains an access control list (ACL) by the specified NAT limit.

listname

The access control list name subject to the NAT limit.

vrf

Constrains an individual VRF instance by the specified NAT limit.

name

The name of the VRF instance subject to the NAT limit.


Defaults

No maximum size is specified for the NAT table.

Command Modes

Global configuration

Command History

Release      Modification
12.3(4)T     This command was introduced.
12.2(25)S    This command was implemented in Cisco IOS Release 12.2(25)S.


Usage Guidelines

Before you configure a NAT rate limit, you should first classify current NAT usage and determine the sources of requests for NAT translations. If a specific host, access control list, or VRF instance is generating an unexpectedly high number of NAT requests, it may be the source of a malicious virus or worm attack.

Once you have identified the source of excess NAT requests, you can set a NAT rate limit that constrains a specific host, access control list, or VRF instance, or you can set a general limit for the maximum number of NAT requests allowed regardless of their source.


Note When using the no form of ip nat translation max-entries, you must specify the type of NAT rate limit you wish to remove and its current value. For more information on how to display current NAT rate limit settings, refer to the show ip nat statistics command.


Examples

The following examples show how to configure rate limiting NAT translation.

Setting a General NAT Limit

The following example shows how to limit the maximum number of allowed NAT entries to 300:

Router(config)# ip nat translation max-entries 300

Setting NAT Limits for VRF Instances

The following example shows how to limit each VRF instance to 200 NAT entries:

Router(config)# ip nat translation max-entries all-vrf 200

The following example shows how to limit the VRF instance named "vrf1" to 150 NAT entries:

Router(config)# ip nat translation max-entries vrf vrf1 150

The following example shows how to limit the VRF instance named "vrf2" to 225 NAT entries, but limit all other VRF instances to 100 NAT entries each:

Router(config)# ip nat translation max-entries all-vrf 100
Router(config)# ip nat translation max-entries vrf vrf2 225

Setting NAT Limits for Access Control Lists

The following example shows how to limit the access control list named "vrf3" to 100 NAT entries:

Router(config)# ip nat translation max-entries list vrf3 100

Setting NAT Limits for an IP Address

The following example shows how to limit the host at IP address 127.0.0.1 to 300 NAT entries:

Router(config)# ip nat translation max-entries host 127.0.0.1 300

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

ip nat translation (timeout)

Changes the NAT timeout value.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat translation (timeout)

To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation command in global configuration mode. To disable the timeout, use the no form of this command.

ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout} {seconds | never}

no ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout}

Syntax Description

timeout

Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86,400 seconds (24 hours).

udp-timeout

Specifies that the timeout value applies to the User Datagram Protocol (UDP) port. Default is 300 seconds (5 minutes).

dns-timeout

Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds.

tcp-timeout

Specifies that the timeout value applies to the TCP port. Default is 86,400 seconds (24 hours).

finrst-timeout

Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.

icmp-timeout

Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. Default is 60 seconds.

pptp-timeout

Specifies the timeout value for NAT Point-to-Point Tunneling Protocol (PPTP) flows. Default is 86,400 seconds (24 hours).

syn-timeout

Specifies the timeout value for TCP flows immediately after a TCP synchronize (SYN) segment has been seen. The default is 60 seconds.

port-timeout

Specifies that the timeout value applies to the TCP/UDP port.

seconds

Number of seconds after which the specified port translation times out. The default is 0.

never

Specifies no port translation time out.


Defaults

timeout: 86,400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86,400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86,400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
seconds: 0 (never)

Command Modes

Global configuration

Command History

Release      Modification
11.2         This command was introduced.
12.3(4)T     The timeout functions of the ip nat translation command were documented under the command name ip nat translation (timeout).
12.2(25)S    This command was implemented in Cisco IOS Release 12.2(25)S.


Usage Guidelines

When port translation is configured, each entry contains more context about the traffic that is using it, which gives you finer control over translation entry timeouts. Non-DNS UDP translations time out after 5 minutes, while DNS times out in 1 minute. TCP translations time out in 24 hours, unless an RST or FIN bit is seen on the stream, in which case they will time out in 1 minute.

Examples

The following example configures the router to cause UDP port translation entries to time out after 10 minutes (600 seconds):

ip nat translation udp-timeout 600

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

ip nat translation max-entries

Limits the maximum number of NAT entries.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


show ip nat statistics

To display Network Address Translation (NAT) statistics, use the show ip nat statistics command in User EXEC mode.

show ip nat statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC

Command History

Release      Modification
11.2         This command was introduced.
12.3(4)T     This command was enhanced to display NAT limit information.
12.2(25)S    This command was implemented in Cisco IOS Release 12.2(25)S.


Usage Guidelines

Use the show ip nat statistics command to display current NAT usage information, and to verify current NAT limit settings.

Examples

The following is sample output from the show ip nat statistics command:

Router# show ip nat statistics

Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
 Virtual-Access1, Virtual-Template1
Inside interfaces: 
 Ethernet1/0, Ethernet1/1
Hits: 15  Misses: 25
CEF Translated packets: 37, CEF Punted packets: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Virtual-Template1 refcount 5
nat-limit statistics:
 host 10.1.25.4: max allowed 5, used 5, missed 0

Table 1 describes the significant fields shown in the example.

Table 1 show ip nat statistics Field Descriptions 

Field
Description

Total active translations

Number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.

Outside interfaces

List of interfaces marked as outside with the ip nat outside command.

Inside interfaces

List of interfaces marked as inside with the ip nat inside command.

Hits

Number of times the software performs a translation table lookup and finds an entry.

Misses

Number of times the software performs a translation table lookup and fails to find an entry, and creates one.

CEF Translated packets

Number of packets switched via Cisco Express Forwarding (CEF).

CEF Punted packets

Number of packets punted to process.

Expired translations

Cumulative count of translations that have expired since the router was booted.

Dynamic mappings

Indicates that the information that follows is about dynamic mappings.

Inside Source

Indicates that the information that follows is about inside source translation.

access-list

Access control list number used for the translation.

pool

Name of the pool.

refcount

Number of translations using this pool.

netmask

IP network mask used in the pool.

start

Starting IP address of the pool range.

end

Ending IP address of the pool range.

type

Type of pool. Possible types are generic or rotary.

total addresses

Number of addresses in the pool available for translation.

allocated

Number of addresses currently allocated (in use).

misses

Number of failed allocations from the pool.

nat-limit statistics

Current rate limiting NAT translation settings. Includes the IP address, access control list name, or VPN routing and forwarding instance name subject to the rate limit.

max allowed

Maximum number of NAT entries.

used

Number of NAT entries currently in use.

missed

Number of NAT entries denied due to the rate limit.
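The nat-limit statistics block is where a configured limit shows whether it is being reached. As an added example (not from the Cisco documentation or from IOS), the following Python code reads that block from saved show ip nat statistics output and classifies each limit from its used, max allowed and missed fields, so that a saturated limit, or one that is already denying new translations, can be flagged by a monitoring job rather than noticed by eye. The sample output is the page's own example extended with two constructed lines; the layout assumed for the vrf line is an assumption, since the page only shows a host line.

```python
import re

# The page's sample "show ip nat statistics" output, extended with two
# constructed nat-limit lines (the vrf line layout is an assumption).
SAMPLE_STATISTICS = """\
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
 Virtual-Access1, Virtual-Template1
Inside interfaces:
 Ethernet1/0, Ethernet1/1
Hits: 15  Misses: 25
CEF Translated packets: 37, CEF Punted packets: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Virtual-Template1 refcount 5
nat-limit statistics:
 host 10.1.25.4: max allowed 5, used 5, missed 0
 host 10.1.25.9: max allowed 300, used 12, missed 0
 vrf vrf2: max allowed 225, used 225, missed 41
"""

# One nat-limit line: "<scope> [<name>]: max allowed N, used N, missed N".
# The scope is host, list, vrf, or (assumed) all-vrf with no name.
_LIMIT = re.compile(
    r"^\s*(?P<scope>\S+)(?:\s+(?P<name>\S+))?:\s*max allowed (?P<max>\d+),"
    r"\s*used (?P<used>\d+),\s*missed (?P<missed>\d+)\s*$"
)


def parse_nat_limits(text):
    """Return a list of dicts, one per line under 'nat-limit statistics:'.

    Parsing stops at the first line after that header which does not match
    the limit layout, so trailing output is not misread as a limit.
    """
    limits = []
    in_section = False
    for line in text.splitlines():
        if line.strip() == "nat-limit statistics:":
            in_section = True
            continue
        if not in_section:
            continue
        match = _LIMIT.match(line)
        if not match:
            break
        limits.append({
            "scope": match.group("scope"),
            "name": match.group("name"),
            "max": int(match.group("max")),
            "used": int(match.group("used")),
            "missed": int(match.group("missed")),
        })
    return limits


def assess_limits(text):
    """Map each limit to 'dropping' (missed > 0: translations are being
    denied), 'saturated' (used has reached max allowed but nothing denied
    yet), or 'ok'."""
    status = {}
    for lim in parse_nat_limits(text):
        key = f"{lim['scope']} {lim['name']}" if lim["name"] else lim["scope"]
        if lim["missed"] > 0:
            status[key] = "dropping"
        elif lim["used"] >= lim["max"]:
            status[key] = "saturated"
        else:
            status[key] = "ok"
    return status


if __name__ == "__main__":
    for key, state in assess_limits(SAMPLE_STATISTICS).items():
        print(f"{key:<20} {state}")
```

A rising missed counter means the limit is doing its job against an overactive source, but it also means legitimate traffic from that host, list or VRF is being refused, which is why the page recommends classifying usage before choosing the value; the check above gives you the two conditions worth alerting on.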


Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

ip nat translation (timeout)

Changes the NAT timeout value.

ip nat translation max-entries

Limits the maximum number of NAT entries.

show ip nat translations

Displays active NAT translations.