cisco nat entries / firewall

Hi all.
I'm using a cisco 831 as my boarder router/nat/firewall.

I have a couple of static nat entries to forward certain ports to certian computers.

These nat entries are accompanied by ACLs (cisco firewall).
Only certain src. IPs can access the destination ports which are then forwared to the correct computers on the internal network.

I've found that the dynamic nat entries are not clearing out very quickly after 2 months+ uptime of the router. The only way I can get them to clear out is to reset the router(reload) (which causes several minutes of downtime).

A good sign that is is happening is my connection starts lagging. I then ssh into the router and issues the "sh ip nat tran" command and I see tons of dynamic nat entries (along with the static entries) that have not reset. (this would be similar to running the netstat -an command in windows to see connections that have not closed. I know that these connections are indeed closed because I've shut down the computer. The router just thinks that they are still active. I've seen these entries stay in there for over an hour. After a reboot they clear out and the dynamic nat entries are closed pretty quickly. (couple of seconds, if even that long.)

Why would this be happening? Is there a possible memory leak?

When this happens, does that create a vulnerability or hole in the firewall because the router has mapped certain ips to certain ports on the various comptuers? Since its a "stateful firewall", the router will allow traffic from those PCs even though the connection should be have been closed?

I'm using the latest IOS for my router, so there is no "firmware" to update at the moment.
This seems to happen with other IOS versions too.

I can attach a clean copy of my config if that would help.
It is kind of bloated at the moment, but I'll can clean it up. (lots of remarks)

OH, FYI- my flash memory is pretty much maxed out. (IOS and SDM) I'm going to add more flash when I have the extra cash, but can't do it for a couple more months. But that is just storage, not actual RAM.

The uptime on the router doesn't normally last a couple months. I end up with a power outage or such and I don't have a backup battery on the router. I only have batteries on the server. It is a home network, and not *that* big of deal... but its bugging the hell out of me.

Thanks for any insight as to what the problem could be.

Although that model of router is not the champ of the Cisco line, I can't imagine any good reason

for it to act that way. Could it be that you may have "tinkered" it to death? :)

I would expect even a generic cheapo device to perform better.

Do you happen to have a smart net contract for it with Cisco? I would send it packing.

I would bet any additional tinkering would probably make it worse.

How much RAM does it have?
When you say tons of entries, what does that mean exactly?
When you say your connection lags, how so? How much?

What are you serving up to the outside?

Its quite possible that I've "tinkered" with it too much. I'm always messing around with this or that.

I can easily delete the config and start fresh. It'll just take a bit of time. Not that big of deal.

I have no contracts with Cisco.

I have not added anything to it since I've gotten it except for the IOSs.
I try to keep them up to date.

http://www.cisco.com/en/US/products/...08010e5c5.html
Memory:
DRAM1 memory • 48 MB
Flash memory • 12 MB

Quote:

---

Cisco C831 (MPC857DSL) processor (revision 0x400) with 44237K/4915K bytes of memory.
Processor board ID AMB08190LU1 (1892541173), with hardware revision 0000
CPU rev number 7
2 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

---

When I say that there were tons of entries... I mean

When I looked at the "sh ip nat tran" it normally shows me active connections.
Which PCs are connected to which IPs and which ports (services).

However, in this past case there were all kinds of "open" connections from a PC that had been turned off. I had ssh connection to school, at least 50 different entries to various different webistes, a lot of entries from bittorrent (downloading a new *nix .iso), AIM instant messaging, and other services. That PC had been rebooted into a different operating system at least an hour before and assigned a new IP via DHCP. The main OS (which had all the entries has a static IP).

When I say that the connection lags, I mean my upload and download slow to a crawl.
It almost looked like the line was being overutilized (like you see on an ISDN or Fram Relay).
However, there was nothing going on at the time.

I was the only one on the network and I was playing an online first person shooter game. (Wolf. Enemy Territory). My ping on the server would go from 30 (about normal) to 100 to 400 to 700 to 999 (999 is where you freeze and can't do anything because of a lost connection). Then it would go right back down th 30. It was bouncing all over the place.

I looked at the firewall logs and didnt' see anything unusual. scanning for ssh, 137, 139, etc. Normal everyday stuff.

The only services I offer are services to myself. I have a ssh/sftp server setup so I can xfer files back and forth between work and school. Access to those services are firewalled and only allowed through my school and work IPs. I have those logged and there were nothing in the log about that. Other than that, I allow VPN from work. Then I allow RDP (remote desktop protocol) from 2 IP addresses on my school's network. (I can't install VPN software on the schools PCs, and I have to use Remote Desktop.)

EDIT:: OK! I think I might be on to something about the connection. Someone was trying to gain access to the VPN but they were being denied by the lan eth port. Not the wan eth port. I misconfigured the ACLs for VPN and put them on an internal interface coming in, rather than the external interface coming in. So... that be one thing wrong.

Also, looks like someone (family member) was also trying to download a lot a the time too.
I looked at the MRTG traffic reports and the line was really really saturated. Too bad I don't have a managed switch so I can use MRTG keep tabs on which switch ports pass the most traffic... That would tell me who and when this stuff is going on. I'm going to have to do some traffic shaping I suppose. Either that or get rid of adsl and get cable...

I just don't understand why the nat entries would not clear itself...

Oh well... I guess I won't loose any sleep over it.

Well, to clear some things up for you... ACLs arent exactly 'cisco firewalls' cisco has a spacific IOS for its firewalls that can actually be loaded onto most routers.

Anyway, aside from that.

I do remember that there is a timer that can be set, i'm not at home so i dont have my manuals next to me so ill get back to you on that. but i do know that you can more then likely clear it by typing the command "clear ip nat tran *" or something of that nature, the clear commands are very helpfull.

When i go back to my house ill try to look for the timer that clears it.

Sure enough. It is "clear ip nat tran *"

I was trying different variations of the clear command but couldn't find it at the time.

I wasn't aware that they don't consider ACLs a firewall. It is so very flexible and AFAIK, can be used in place of a firewall. I've been using it as my border "firewall" for a couple of years now. You configure a Cisco PIX firewall in a very similar fashion... But I also have firewalls on a couple of the hosts on my network and I've never seen any unwanted traffic... just alerts that I made happen.

The IOS that I load on my router is the IP/FW Plus/IPSec 3DES IOS. So, the ACLs is the "firewall" that they speak of? Or, that combined with the "ip inspect" feature (CBAC)?

I'm also using the IPS (intrusion prevention system) feature, but I rarely hear a peep out of that.

I believe what you're looking for is the "ip nat translation timeout". Default for Cisco's is 24hours.

The relevant Cisco page is here.

-Maestr0