Cisco Support Community

New Member

High rate of NAT translations for port tcp port 1080

We have a remote network 192.168.1.0 connected via VSAT to the central location. At the central location a 7206 performs NAT, thereby providing internet access.

We are noticing a strange problem: a particular host, 192.168.1.35 with port 1080, has thousands of NAT translations to various servers on the internet on random port numbers, thus increasing the CPU utilisation to 100%.

When we switch OFF the VSAT, the translations come down, but if the site is powered ON without the host 192.168.1.35 (physically removed), the translations are still happening.

I really don't know why the translations are happening even when the host 192.168.1.35 is not in the network. Why are the servers trying to establish connections to the host when it is not present? We even changed the global IP address but no help.

Any solutions to isolate the problem are highly appreciated; we are rebooting the router to solve the problem at present.

4 REPLIES
Silver

Re: High rate of NAT translations for port tcp port 1080

This is a common proxy port (WinGate and others (IRC) use this) for SOCKS, both TCP and UDP. Are any of your internal clients set up to use a proxy or have other questionable SW loaded on them? I'd check your internal clients (specifically 1.35) to see if they have either bogus SW doing this or some other proxy type config allowing these connections to occur.

You might also find it useful to use the "timeout" command on your NAT setup, assuming you are not using overload.

timeout

Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86400 seconds (24 hours).

Hope this helps you,

Don

New Member

Re: High rate of NAT translations for port tcp port 1080

Thanks. But the issue is we have physically removed the suspect host 192.168.1.35, so why then should the translation happen? Is the IP getting cached somewhere?

We are using a dynamic pool with overload; we have configured

ip nat translation time-out port tcp 1080 0 (with 0 sec timeout) but it is not helping.

New Member

Re: High rate of NAT translations for port tcp port 1080

This is certainly strange. If the suspect host is removed, I would suggest you check the NAT translations for the relevant port, i.e. 1080, as follows:

sh ip nat trans tcp | i 1080

This should show you whether there are any other hosts using this port; as this port is a proxy port, I think you might find that this is the case.

We had a very similar problem where our router was knocked over by the NAT. We discovered that it was UDP traffic going through the NAT that was making the box fall over, from only two hosts which were infected with a virus.

The sh ip nat trans udp is about the only way you have to discover the host or hosts responsible, by checking the number of NATs from the hosts listed.

Hope this helps.
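A way to do the per-host counting this reply describes without reading the table by eye, as an added example that is not from the thread: it parses the columns of show ip nat translations output and flags inside hosts with many active translations. The NAT table below is constructed sample output, not from the poster's router.

```python
import re
from collections import Counter

# Constructed sample of "show ip nat translations" output (documentation
# address ranges); one inside host fans out from port 1080 as in the thread.
SAMPLE_NAT_TABLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.5:1024      192.168.1.35:1080     198.51.100.20:6667    198.51.100.20:6667
tcp 203.0.113.5:1025      192.168.1.35:1080     198.51.100.21:3389    198.51.100.21:3389
tcp 203.0.113.5:1026      192.168.1.35:1080     198.51.100.22:25      198.51.100.22:25
tcp 203.0.113.5:1027      192.168.1.35:1080     198.51.100.23:80      198.51.100.23:80
tcp 203.0.113.5:1028      192.168.1.10:51522    198.51.100.30:443     198.51.100.30:443
udp 203.0.113.5:1029      192.168.1.12:53000    198.51.100.40:53      198.51.100.40:53
"""

# One translation row: protocol, inside global, inside local, outside local, outside global.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def parse_nat_table(text):
    """Return one dict per translation row; the header and any other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def split_endpoint(endpoint):
    """'192.168.1.35:1080' -> ('192.168.1.35', '1080')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def translations_per_inside_host(rows, proto=None, inside_port=None):
    """Count translations per inside-local host, optionally limited to one protocol/port."""
    counts = Counter()
    for r in rows:
        host, port = split_endpoint(r["il"])
        if proto and r["proto"] != proto:
            continue
        if inside_port and port != inside_port:
            continue
        counts[host] += 1
    return counts


def flag_noisy_hosts(rows, threshold, **filters):
    """Inside hosts holding at least `threshold` translations (sorted for stable output)."""
    counts = translations_per_inside_host(rows, **filters)
    return sorted(h for h, n in counts.items() if n >= threshold)
```

On a real router, paste the output of sh ip nat trans (tcp or udp) in place of the sample and set the threshold to whatever is abnormal for your network; the host list is what to pull cables for.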

New Member

Re: High rate of NAT translations for port tcp port 1080

Yes, by giving this command we could still see the 192.168.1.35:1080 translation, which actually is the suspect host removed from the network.

There are no other hosts in that network which are using 192.168.1.35 as the proxy port.
