Cisco Support Community


DOS Causing NAT Problems


We currently are operating a campus network with two 75XX routers serving approx. 1000 users. These routers are running HSRP and Stateful NAT to allow internal users access to the Internet.

ACLs are applied inbound to prevent ICMP and other MS exploits from bringing down the network in the event of a SLAMMER or BLASTER/NACHI attack using ICMP or TCP 135-139/445.

However, several nasty worms attempt DOS attacks by using plain old port 80 to overload their targets (usually MS). This results in tens of thousands of NAT sessions being opened on the router, eventually resulting in a router crash due to memory fragmentation.

As a solution, I would like to limit the number of NAT sessions a given subnet/subinterface may be permitted to open, so that if a worm gets launched, the subnet would simply become maxed out and prevent additional sessions from being opened.

A cursory CCO search shows me that there is a NAT rate-limiting feature available, but it only allows one NAT rate-limiting rule for the whole router! This is not feasible, as a single rogue machine would bring the router up to its maximum NAT limit and prevent other users from surfing.

Additionally, I don't want to rate-limit HTTP, as that would affect the users' surfing experience as well.

I also am considering an external NAT device that would sit next to the 75XX's that could handle more sessions during a DOS, but I think that I would end up losing the Stateful NAT feature, which has proven to be a near-perfect redundancy feature that results in users never experiencing downtime during an HSRP failover.

Any comments or suggestions are sincerely appreciated.


Re: DOS Causing NAT Problems

The best solution is to use an IDS, since it will detect the connections started by the virus and block them.

As you already mentioned, to limit the number of NAT entries on IOS you can use "ip nat translation max-entries". This will limit the entries in the NAT table so that it doesn't go beyond a certain level. However, this is a global command; you can't do it per IP pool. A single user might take up all available connections. This will not load the router, but other users can't connect anymore.
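The thread leaves a gap between what the original poster wants (a per-subnet cap) and what the reply offers (a single global cap that a rogue host can exhaust). Whichever cap is in place, the operator still has to find the host or subnet that is filling the table before acting on it. The following is an added example, not code from either poster: it parses the text format of the IOS `show ip nat translations` output and reports sessions per inside host and per /24, optionally restricted to one destination port, so the port-80 fan-out described in the original post stands out. The translation table it reads is constructed inline (one host, 10.1.2.77, is given 300 TCP/80 sessions to distinct outside hosts); the function and threshold names are this example's own.

```python
import ipaddress
from collections import Counter


def _worm_lines(inside_ip, n, start_port=2001):
    # Constructed data: fabricate n TCP/80 translations from one inside host,
    # each to a different outside host, mimicking a scanning worm's fan-out.
    return [
        f"tcp 203.0.113.10:{start_port + i}  {inside_ip}:{start_port + i}  "
        f"198.51.100.{1 + i % 250}:80  198.51.100.{1 + i % 250}:80"
        for i in range(n)
    ]


# Constructed sample in the layout of `show ip nat translations`
# (not output captured from the poster's 75XX routers).
SAMPLE_TRANSLATIONS = "\n".join(
    [
        "Pro Inside global      Inside local       Outside local      Outside global",
        "tcp 203.0.113.10:1034  10.1.1.5:1034      198.51.100.20:80   198.51.100.20:80",
        "tcp 203.0.113.10:1035  10.1.1.5:1035      198.51.100.21:443  198.51.100.21:443",
        "udp 203.0.113.10:5000  10.1.9:5000        198.51.100.53:53   198.51.100.53:53".replace("10.1.9", "10.1.1.9"),
        "--- 203.0.113.11       10.1.3.2           ---                ---",
    ]
    + _worm_lines("10.1.2.77", 300)
)


def _split_addr(token):
    """Split 'ip:port' into (ip, port); '---' placeholders become (None, None)."""
    if token == "---":
        return None, None
    ip, sep, port = token.rpartition(":")
    if not sep:
        return token, None          # static entry without a port
    return ip, int(port)


def parse_translations(text):
    """Parse `show ip nat translations` text into a list of dicts.

    Header lines are skipped; static entries that show '---' instead of an
    outside address are kept with outside fields set to None.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = fields
        il_ip, il_port = _split_addr(inside_local)
        if il_ip is None:
            continue
        og_ip, og_port = _split_addr(outside_global)
        entries.append({
            "proto": proto,
            "inside_local": il_ip,
            "inside_local_port": il_port,
            "outside_global": og_ip,
            "outside_global_port": og_port,
        })
    return entries


def sessions_by_host(entries, dport=None):
    """Count translations per inside-local host, optionally only those to dport."""
    return Counter(
        e["inside_local"] for e in entries
        if dport is None or e["outside_global_port"] == dport
    )


def sessions_by_subnet(entries, prefixlen=24):
    """Count translations per inside subnet, the granularity the poster wants capped."""
    return Counter(
        str(ipaddress.ip_network(f"{e['inside_local']}/{prefixlen}", strict=False))
        for e in entries
    )


def offenders(entries, threshold, dport=None):
    """Hosts holding more than `threshold` translations, busiest first."""
    counts = sessions_by_host(entries, dport)
    return sorted(
        ((ip, n) for ip, n in counts.items() if n > threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_TRANSLATIONS)
    print(f"{len(entries)} translations")
    for subnet, n in sessions_by_subnet(entries).most_common():
        print(f"{subnet:18} {n}")
    for ip, n in offenders(entries, threshold=50, dport=80):
        print(f"port-80 offender: {ip} holds {n} translations")
```

Run against a real table (`show ip nat translations` piped to a file), the `offenders` list is the set of hosts to clear with `clear ip nat translation` or to block at the subinterface ACL, which is the per-host reaction the global `ip nat translation max-entries` limit cannot provide on its own. The threshold is a judgement call; a per-/24 count from `sessions_by_subnet` over a quiet period gives a baseline for it.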