Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1909
Views
5
Helpful
4
Replies

NAT Table Fills and Service Stops

toyota-cruiser
Level 1
Level 1

‎01-22-2007 12:11 PM

I have a cisco 3600. I host my own mail, and when I try to get to my mail via the public address, my NAT table fills and my email service is halted. It will sometimes add hundreds of translations to the table. This apparently has no effect on the mail server. It just appears that the router is not closing its connections, but only for that IP. Anyone have any idea as to what could cause this?

Labels:
0 Helpful
4 Replies 4

vijayasankar
Level 4
Level 4

‎01-22-2007 10:10 PM

Hi,

Kindly check the output of "show ip nat translations" and examine what are those connections? and which inside host is creating those connections.

It could be possible that a inside host is compromised or infected with virus, which is causing sporatic floods of outbound traffic.

This will eventually fill the nat translation table leading to service disruptions.

Hope this helps.

-VJ

toyota-cruiser
Level 1
Level 1
In response to vijayasankar

‎01-23-2007 03:36 PM

VJ,

Thank you for your response. I suppose that is always a possibility. I will check my inside computers for viruses.

my translation table looks something like the following.

Pro Inside Global Inside Local

-- xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx -- --

Where there is no protocol listed and my public address is listed under inside global, and my mail server's ip is listed under inside local. There is also nothing listed under the Outside local or global lines. It looks similar to a address that is DMZ'd, but mine is not. I have noticed that my NAT table does this when I am port scanned, but still only for this particular IP.

0 Helpful

vijayasankar
Level 4
Level 4
In response to toyota-cruiser

‎01-23-2007 08:52 PM

Hi Kelly,

Thanks for the update.

When the NAT table gets filled, what are the entries that you are observing. If you have any captures can you post the output of the same.

Can you explain more on port scan issue...

From where the port scan is issued to which subnet space ?

It would be helpful if you could also post the configuration of the router.

Probably we can fine tune the configuration to restrict the access to your inside server on some specific ports, instead of exposing the server entirely.

-VJ

0 Helpful

toyota-cruiser
Level 1
Level 1
In response to vijayasankar

‎01-24-2007 04:48 PM

VJ,

I have included captures of my NAT as it fills, and of my router config. Initailly, I thought when I got port scanned it filled up my NAT, but that only happens when I attempt to port scan a machine at one of our remote locations. That may be normal.

My router is already set to only accept connections for that IP on 3 ports only. But if you look at my example.txt file you will see that it fills with translations that look like a DMZ'd address, although this is not.

Thank you again for all your help! I really appreciate all you are doing for me.

Kelly

NAT Table filling

Preview file
20 KB
0 Helpful
Customers Also Viewed These Support Documents