Re: IP NAT Ager Consuming 98% of CPU Pro

From: Jeferson Guardia <jefersonf_at_gmail.com>
Date: Mon, 20 Sep 2010 16:19:11 -0300

Try implementing it:

    ip nat translation max-entries <n>
    ip nat translation udp-timeout <seconds>
    ip nat translation dns-timeout <seconds>
    ip nat translation tcp-timeout <seconds>
    ip nat translation finrst-timeout <seconds>

Also, please paste the output of sh run | inc ip route, and make sure you are
not using any broadcast interface as the next hop on any static. I've seen
those happen and crash many routers before; always specify the next-hop IP
address.

Tune your NAT settings, implement, wait, verify and observe, get back to us
with positive results :-)

Rgs,

2010/9/20 karim jamali <karim.jamali_at_gmail.com>

> Sure! Appreciate your help.
>
> However, for some reason after I reloaded the router the CPU calmed
> down... but I still want to prevent it if I can.
>
> Total active translations: 549 (5 static, 544 dynamic; 544 extended)
> Peak translations: 877, occurred 00:15:32 ago
> Outside interfaces:
> GigabitEthernet0/0, Dialer1, Virtual-Access2
> Inside interfaces:
> GigabitEthernet0/1, VoIP-Null0
> Hits: 32354 Misses: 0
> CEF Translated packets: 4157, CEF Punted packets: 28196
> Expired translations: 3732
> Dynamic mappings:
> -- Inside Source
> [Id: 1] access-list BATAL-RUH-USERS interface Dialer1 refcount 543
> Appl doors: 0
> Normal doors: 0
> Queued Packets: 0
>
> On Mon, Sep 20, 2010 at 9:15 PM, Shaughn Smith <maniac.smg_at_gmail.com>
> wrote:
>
> > Can you do a sh ip nat statistics and send the output
> >
> > CCIE # 23962 (SP)
> >
> > Sent from my iPhone 3GS
> >
> > On 20 Sep 2010, at 8:11 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
> >
> > > Thank You guys for your support. Below are the configurations:
> > >
> > > int gi0/1
> > > ip nat inside
> > >
> > > int dialer1
> > > ip nat outside
> > >
> > > ip nat inside source list BATAL-RUH-USERS interface Dialer1 overload
> > > ip nat inside source static 192.168.2.234 78.93.56.234
> > > ip nat inside source static 192.168.2.235 78.93.56.235
> > > ip nat inside source static 192.168.2.236 78.93.56.236
> > > ip nat inside source static 192.168.2.237 78.93.56.237
> > > ip nat inside source static 192.168.2.238 78.93.56.238
> > >
> > > Extended IP access list BATAL-RUH-USERS
> > > 10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (5 matches)
> > > 20 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> > > 30 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> > > 40 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
> > > 50 permit ip 192.168.2.0 0.0.0.255 any (3091 matches)
> > >
> > >
> > > On Mon, Sep 20, 2010 at 8:11 PM, Jeferson Guardia <jefersonf_at_gmail.com> wrote:
> > >
> > >> Paste your configs here so we can advise you the best way to tune your
> > >> nat config, there are a few ways that you can limit the max nat entry
> > >> value on a router and this has shown to be quite useful in the past.
> > >>
> > >> Brgs,
> > >>
> > >> 2010/9/20 Shahid Ansari <shahid1357_at_gmail.com>
> > >>
> > >>> This can happen if you have many translations generated by third-party
> > >>> programs or a virus.
> > >>> When you enable NAT, don't allow any to any in the access-list; make it
> > >>> more specific.
> > >>> The best way to troubleshoot it is by enabling NetFlow ...
> > >>> Can you post
> > >>> Show process Cpu
> > >>> Show nat translation
> > >>> show ip cache flow
> > >>>
> > >>> Change the default NAT timeout value too.
> > >>>
> > >>> Thanks
> > >>> Shahid Ansari
> > >>>
> > >>>
> > >>>
> > >>> On Mon, Sep 20, 2010 at 7:46 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
> > >>>
> > >>>> Dear Experts,
> > >>>>
> > >>>> I have faced a problem with one of the Routers at a customer site having
> > >>>> the NAT Ager process consuming 98% of CPU. I am trying to understand the
> > >>>> reason, however up till now I am not able.
> > >>>>
> > >>>> I would truly appreciate your input as I have 4 sites with the same
> > >>>> configuration and I haven't been able to spot the difference that caused
> > >>>> this problem.
> > >>>>
> > >>>> Thanks
> > >>>>
> > >>>> --
> > >>>> KJ
> > >>>>
> > >>>>
> > >>>> Blogs and organic groups at http://www.ccie.net
> > >>>>
> > >>>>
> > >>>> _______________________________________________________________________
> > >>>> Subscription information may be found at:
> > >>>> http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > KJ
>
> --
> KJ

Received on Mon Sep 20 2010 - 16:19:11 ART
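
Added example, not part of the original thread or written by any of its posters: a small Python check that parses the "sh ip nat statistics" output quoted above and tests a candidate value for "ip nat translation max-entries <n>" against the observed peak, plus the share of NAT packets punted out of the CEF path. The function names, the candidate caps and the 0.5 punt threshold are assumptions chosen for illustration.

```python
import re

# Counters copied from the output quoted in the thread (quote markers stripped).
SAMPLE = """\
Total active translations: 549 (5 static, 544 dynamic; 544 extended)
Peak translations: 877, occurred 00:15:32 ago
Hits: 32354 Misses: 0
CEF Translated packets: 4157, CEF Punted packets: 28196
Expired translations: 3732
"""

PATTERNS = {
    "active": r"Total active translations:\s*(\d+)",
    "static": r"\((\d+) static",
    "dynamic": r"(\d+) dynamic",
    "peak": r"Peak translations:\s*(\d+)",
    "cef_translated": r"CEF Translated packets:\s*(\d+)",
    "cef_punted": r"CEF Punted packets:\s*(\d+)",
    "expired": r"Expired translations:\s*(\d+)",
}

def parse_nat_stats(text):
    """Return the counters found in the text; absent counters are omitted."""
    stats = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            stats[name] = int(match.group(1))
    return stats

def review(stats, max_entries, punt_warn=0.5):
    """Compare a proposed max-entries cap (assumed value) with the counters."""
    if max_entries <= 0:
        raise ValueError("max_entries must be positive")
    findings = []
    peak = stats.get("peak", stats.get("active", 0))
    if peak >= max_entries:
        findings.append(f"peak {peak} reaches proposed cap {max_entries}: "
                        "the cap would have refused new translations")
    punted = stats.get("cef_punted", 0)
    seen = stats.get("cef_translated", 0) + punted
    ratio = punted / seen if seen else 0.0
    if ratio > punt_warn:
        findings.append(f"{ratio:.0%} of NAT packets were punted from CEF")
    return {"peak_utilisation": peak / max_entries,
            "punt_ratio": ratio, "findings": findings}

if __name__ == "__main__":
    for cap in (2000, 800):  # candidate caps, assumed for the example
        print(cap, review(parse_nat_stats(SAMPLE), cap))
```

Run it against fresh output after each change to compare peak and punt figures before and after tuning the timeouts.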

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART