NAT static and connections outside-to-inside

Unanswered Question
Sep 23rd, 2009
User Badges:
  • Bronze, 100 points or more

Hello,


we have configured static NAT in our internet router. Now the CPU has intervals with 100%. We have seen that is due to NAT entries number. Besides the entries are created by external host that try to connect to Global/public ip address. Is there any way that configure NAT to avoid connections outside-to-inside?. I suppose

that an ACL use established FLAG could help me but I want to know if there is a NAT option to do it.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Laurent Aubert Wed, 09/23/2009 - 10:40
User Badges:
  • Cisco Employee,

Hi,


What is your configuration ? what does the nat table look like ?


Thanks


Laurent.

Paolo Bevilacqua Wed, 09/23/2009 - 11:13
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

And very important, which router is this and how much traffic you have.

tonio.ojea Thu, 09/24/2009 - 02:02
User Badges:

You could use an access list in your wan interface denying incoming tcp connections with the syn bit active, like this


int FaX/X

desc WAN

ip access-group 135 in

ip nat outside


access-list 135 deny tcp any (publicIp) (public network) syn

access-list 135 permit any any

Actions

This Discussion