cisco nat entries / firewall

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    cisco nat entries / firewall

    Hi all.
I'm using a Cisco 831 as my border router/NAT/firewall.

I have a couple of static NAT entries to forward certain ports to certain computers.

These NAT entries are accompanied by ACLs (Cisco firewall).
Only certain source IPs can access the destination ports, which are then forwarded to the correct computers on the internal network.

I've found that the dynamic NAT entries are not clearing out very quickly after 2 months+ uptime of the router. The only way I can get them to clear out is to reset the router (reload), which causes several minutes of downtime.

A good sign that this is happening is that my connection starts lagging. I then ssh into the router and issue the "sh ip nat tran" command and I see tons of dynamic NAT entries (along with the static entries) that have not reset. (This would be similar to running the netstat -an command in Windows to see connections that have not closed.) I know that these connections are indeed closed because I've shut down the computer. The router just thinks that they are still active. I've seen these entries stay in there for over an hour. After a reboot they clear out and the dynamic NAT entries are closed pretty quickly. (A couple of seconds, if even that long.)

    Why would this be happening? Is there a possible memory leak?

When this happens, does that create a vulnerability or hole in the firewall, because the router has mapped certain IPs to certain ports on the various computers? Since it's a "stateful firewall", will the router allow traffic from those PCs even though the connection should have been closed?

    I'm using the latest IOS for my router, so there is no "firmware" to update at the moment.
    This seems to happen with other IOS versions too.

I can attach a clean copy of my config if that would help.
It is kind of bloated at the moment, but I can clean it up. (Lots of remarks.)

Oh, FYI: my flash memory is pretty much maxed out (IOS and SDM). I'm going to add more flash when I have the extra cash, but can't do it for a couple more months. But that is just storage, not actual RAM.

The uptime on the router doesn't normally last a couple of months. I end up with a power outage or such, and I don't have a backup battery on the router. I only have batteries on the server. It is a home network, and not *that* big of a deal... but it's bugging the hell out of me.

    Thanks for any insight as to what the problem could be.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Although that model of router is not the champ of the Cisco line, I can't imagine any good reason for it to act that way. Could it be that you may have "tinkered" it to death?

    I would expect even a generic cheapo device to perform better.

    Do you happen to have a SMARTnet contract for it with Cisco? I would send it packing.

    I would bet any additional tinkering would probably make it worse.

    How much RAM does it have?
    When you say tons of entries, what does that mean exactly?
    When you say your connection lags, how so? How much?

    What are you serving up to the outside?

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    It's quite possible that I've "tinkered" with it too much. I'm always messing around with this or that.

    I can easily delete the config and start fresh. It'll just take a bit of time. Not that big of a deal.

    I have no contracts with Cisco.

    I have not added anything to it since I've gotten it except for the IOS images.
    I try to keep them up to date.

    http://www.cisco.com/en/US/products/...08010e5c5.html
    Memory:
    DRAM1 memory • 48 MB
    Flash memory • 12 MB

    Cisco C831 (MPC857DSL) processor (revision 0x400) with 44237K/4915K bytes of memory.
    Processor board ID AMB08190LU1 (1892541173), with hardware revision 0000
    CPU rev number 7
    2 Ethernet interfaces
    4 FastEthernet interfaces
    128K bytes of NVRAM.
    12288K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)
    When I say that there were tons of entries... I mean

    When I looked at the "sh ip nat tran" it normally shows me active connections.
    Which PCs are connected to which IPs and which ports (services).

    However, in this past case there were all kinds of "open" connections from a PC that had been turned off. I had an ssh connection to school, at least 50 different entries to various different websites, a lot of entries from BitTorrent (downloading a new *nix .iso), AIM instant messaging, and other services. That PC had been rebooted into a different operating system at least an hour before and assigned a new IP via DHCP. The main OS (which had all the entries) has a static IP.

    When I say that the connection lags, I mean my upload and download slow to a crawl.
    It almost looked like the line was being overutilized (like you see on ISDN or Frame Relay).
    However, there was nothing going on at the time.

    I was the only one on the network and I was playing an online first person shooter game (Wolf. Enemy Territory). My ping on the server would go from 30 (about normal) to 100 to 400 to 700 to 999 (999 is where you freeze and can't do anything because of a lost connection). Then it would go right back down to 30. It was bouncing all over the place.

    I looked at the firewall logs and didn't see anything unusual. Scanning for ssh, 137, 139, etc. Normal everyday stuff.

    The only services I offer are services to myself. I have an ssh/sftp server set up so I can transfer files back and forth between work and school. Access to those services is firewalled and only allowed from my school and work IPs. I have those logged and there was nothing in the log about that. Other than that, I allow VPN from work. Then I allow RDP (Remote Desktop Protocol) from 2 IP addresses on my school's network. (I can't install VPN software on the school's PCs, and I have to use Remote Desktop.)

    EDIT: OK! I think I might be on to something about the connection. Someone was trying to gain access to the VPN but they were being denied by the LAN eth port, not the WAN eth port. I misconfigured the ACLs for VPN and put them on an internal interface coming in, rather than the external interface coming in. So... that's one thing wrong.

    Also, it looks like someone (family member) was also trying to download a lot at the time too.
    I looked at the MRTG traffic reports and the line was really, really saturated. Too bad I don't have a managed switch so I can use MRTG to keep tabs on which switch ports pass the most traffic... That would tell me who and when this stuff is going on. I'm going to have to do some traffic shaping I suppose. Either that or get rid of ADSL and get cable...

    I just don't understand why the NAT entries would not clear themselves...

    Oh well... I guess I won't lose any sleep over it.

  4. #4
    Banned
    Join Date
    Sep 2001
    Posts
    522
    Well, to clear some things up for you... ACLs aren't exactly "Cisco firewalls"; Cisco has a specific IOS for its firewalls that can actually be loaded onto most routers.

    Anyway, aside from that.

    I do remember that there is a timer that can be set. I'm not at home so I don't have my manuals next to me, so I'll get back to you on that. But I do know that you can more than likely clear it by typing the command "clear ip nat tran *" or something of that nature; the clear commands are very helpful.

    When I go back to my house I'll try to look for the timer that clears it.

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Sure enough. It is "clear ip nat tran *"

    I was trying different variations of the clear command but couldn't find it at the time.

    I wasn't aware that they don't consider ACLs a firewall. They are so very flexible and, AFAIK, can be used in place of a firewall. I've been using them as my border "firewall" for a couple of years now. You configure a Cisco PIX firewall in a very similar fashion... But I also have firewalls on a couple of the hosts on my network and I've never seen any unwanted traffic... just alerts that I made happen.

    The IOS that I load on my router is the IP/FW Plus/IPSec 3DES IOS. So, are the ACLs the "firewall" that they speak of? Or is it that combined with the "ip inspect" feature (CBAC)?

    I'm also using the IPS (intrusion prevention system) feature, but I rarely hear a peep out of that.

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I believe what you're looking for is the "ip nat translation timeout". Default for Cisco's is 24 hours.

    The relevant Cisco page is here.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
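As an added example (not code from the thread, from Cisco, or from any of the posters), here is a Python script for the triage described across posts #3 to #6: it parses the non-verbose `show ip nat translations` table, groups the traffic-created entries per inside host, flags the ones owned by a host that is no longer on the LAN (the powered-off PC in post #3), and builds a selective clear for each so the whole table does not have to be flushed with `clear ip nat translation *`. The table text, the addresses and the set of live hosts are constructed; the selective clear syntax is an assumption taken from the IOS command reference and should be checked against the running release before use.

```python
"""Triage a Cisco IOS NAT table: parse `show ip nat translations`, flag flow
entries that belong to hosts no longer on the LAN, and emit selective clears."""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample of `show ip nat translations` output (not from the thread).
# 192.168.1.20 carries the static SSH map; 192.168.1.10 is the PC that was
# powered off but still owns three flow entries; 192.168.1.30 is a live host.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.5        192.168.1.20       ---                ---
tcp 203.0.113.5:22     192.168.1.20:22    ---                ---
tcp 203.0.113.5:1025   192.168.1.10:1025  198.51.100.22:22   198.51.100.22:22
tcp 203.0.113.5:1026   192.168.1.10:1026  198.51.100.40:80   198.51.100.40:80
udp 203.0.113.5:6881   192.168.1.10:6881  192.0.2.77:6881    192.0.2.77:6881
tcp 203.0.113.5:1027   192.168.1.30:1027  198.51.100.40:443  198.51.100.40:443
"""


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'203.0.113.5:2205' -> ('203.0.113.5', 2205); a bare IPv4 address has no port."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


class Translation(NamedTuple):
    proto: Optional[str]          # 'tcp'/'udp'/'icmp', or None for a protocol-less static map
    inside_global: str
    inside_local: str
    outside_local: Optional[str]  # None where IOS printed '---'
    outside_global: Optional[str]

    @property
    def is_flow(self) -> bool:
        # Configured static maps show '---' in the outside columns; entries created
        # by traffic (dynamic ones, or extended children of a static map) always
        # record the outside peer, and those are the entries that can go stale.
        return self.outside_global is not None and self.outside_local is not None

    @property
    def inside_host(self) -> str:
        return split_endpoint(self.inside_local)[0]


def parse_nat_table(text: str) -> List[Translation]:
    """Parse the five-column (non-verbose) table; the header and any verbose
    continuation lines are skipped because they do not have exactly five fields."""
    entries: List[Translation] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        entries.append(Translation(
            proto=None if proto == "---" else proto.lower(),
            inside_global=ig,
            inside_local=il,
            outside_local=None if ol == "---" else ol,
            outside_global=None if og == "---" else og,
        ))
    return entries


def find_stale(entries: Iterable[Translation], live_hosts: Iterable[str]) -> List[Translation]:
    """Flow entries whose inside host is absent from the set of hosts known to be
    up (e.g. current DHCP leases or the LAN ARP table). While such an entry exists,
    inbound packets matching it are still translated toward that host; only the
    inbound ACL / inspect state decides whether they are actually forwarded."""
    live = set(live_hosts)
    return [e for e in entries if e.is_flow and e.inside_host not in live]


def flows_per_host(entries: Iterable[Translation]) -> Dict[str, int]:
    """Flow entries per inside host; a runaway BitTorrent client shows up here
    as one host owning hundreds of entries."""
    return dict(Counter(e.inside_host for e in entries if e.is_flow))


def clear_command(e: Translation) -> str:
    """Selective clear for one tcp/udp flow entry. Syntax assumed from the IOS
    command reference (clear ip nat translation {tcp|udp} inside global-ip
    global-port local-ip local-port outside local-ip local-port global-ip
    global-port); verify it against your release before relying on it."""
    if not e.is_flow or e.proto not in ("tcp", "udp"):
        raise ValueError("selective clear needs a tcp/udp flow entry")
    ig, igp = split_endpoint(e.inside_global)
    il, ilp = split_endpoint(e.inside_local)
    ol, olp = split_endpoint(e.outside_local)
    og, ogp = split_endpoint(e.outside_global)
    return (f"clear ip nat translation {e.proto} inside {ig} {igp} {il} {ilp} "
            f"outside {ol} {olp} {og} {ogp}")


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_OUTPUT)
    live = {"192.168.1.20", "192.168.1.30"}  # constructed: hosts seen in ARP/DHCP
    print("flow entries per inside host:", flows_per_host(table))
    for entry in find_stale(table, live):
        print("stale:", entry.proto, entry.inside_local, "->", entry.outside_global)
        print("  ", clear_command(entry))
```

On the timer from post #6: `ip nat translation timeout` governs the entries that are not port-specific and defaults to 86400 seconds (24 hours); TCP flows follow `ip nat translation tcp-timeout` (also 86400 by default) and UDP flows `ip nat translation udp-timeout` (300 seconds). A host that is simply powered off never sends the FIN or RST that would move its entries onto the short `finrst-timeout`, so with default timers they can sit in the table for up to a day unless they are cleared or the TCP timeout is lowered.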
