RE: IP NAT Ager Consuming 98% of CPU Pro

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Mon, 20 Sep 2010 18:01:47 -0400

Usually this is caused by Internet port scans scanning the NAT inside global addresses on the "ip nat outside" interface while the inside local addresses are unreachable.

Consider rate-limiting ARP (if the inside addresses are directly attached to the router) or running ip tcp intercept if they are not directly attached to the router.

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of karim jamali
Sent: Monday, September 20, 2010 2:18 PM
To: Shaughn Smith; Cisco certification
Subject: Re: IP NAT Ager Consuming 98% of CPU Pro

Sure! Appreciate your help.

However, for some reason after I reloaded the router the CPU calmed down, but
I still want to prevent it if I can.

Total active translations: 549 (5 static, 544 dynamic; 544 extended)
Peak translations: 877, occurred 00:15:32 ago
Outside interfaces:
  GigabitEthernet0/0, Dialer1, Virtual-Access2
Inside interfaces:
  GigabitEthernet0/1, VoIP-Null0
Hits: 32354 Misses: 0
CEF Translated packets: 4157, CEF Punted packets: 28196
Expired translations: 3732
Dynamic mappings:
-- Inside Source
[Id: 1] access-list BATAL-RUH-USERS interface Dialer1 refcount 543
Appl doors: 0
Normal doors: 0
Queued Packets: 0

On Mon, Sep 20, 2010 at 9:15 PM, Shaughn Smith <maniac.smg_at_gmail.com> wrote:

> Can you do a sh ip nat statistics and send the output
>
> CCIE # 23962 (SP)
>
> Sent from my iPhone 3GS
>
> On 20 Sep 2010, at 8:11 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Thank You guys for your support. Below are the configurations:
> >
> > int gi0/1
> > ip nat inside
> >
> > int dialer1
> > ip nat outside
> >
> > ip nat inside source list BATAL-RUH-USERS interface Dialer1 overload
> > ip nat inside source static 192.168.2.234 78.93.56.234
> > ip nat inside source static 192.168.2.235 78.93.56.235
> > ip nat inside source static 192.168.2.236 78.93.56.236
> > ip nat inside source static 192.168.2.237 78.93.56.237
> > ip nat inside source static 192.168.2.238 78.93.56.238
> >
> > Extended IP access list BATAL-RUH-USERS
> > 10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (5 matches)
> > 20 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> > 30 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> > 40 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
> > 50 permit ip 192.168.2.0 0.0.0.255 any (3091 matches)
> >
> >
> > On Mon, Sep 20, 2010 at 8:11 PM, Jeferson Guardia <jefersonf_at_gmail.com
> >wrote:
> >
> >> Paste your configs here so we can advise you on the best way to tune your
> >> NAT config; there are a few ways you can limit the max NAT entry value on a
> >> router, and this has shown to be quite useful in the past.
> >>
> >> Brgs,
> >>
> >> 2010/9/20 Shahid Ansari <shahid1357_at_gmail.com>
> >>
> >>> This can happen if you have many translations generated by third-party
> >>> programs or a virus.
> >>> When you enable NAT, don't allow any-to-any in the access list; make it
> >>> more specific.
> >>> The best way to troubleshoot is by enabling NetFlow ...
> >>> Can you post
> >>> show process cpu
> >>> show nat translation
> >>> show ip cache flow
> >>>
> >>> Change the default NAT timeout value too.
> >>>
> >>> Thanks
> >>> Shahid Ansari
> >>>
> >>>
> >>>
> >>> On Mon, Sep 20, 2010 at 7:46 PM, karim jamali <karim.jamali_at_gmail.com
> >>>> wrote:
> >>>
> >>>> Dear Experts,
> >>>>
> >>>> I have faced a problem with one of the routers at a customer site having
> >>>> the NAT Ager process consuming 98% of CPU. I am trying to understand the
> >>>> reason; however, up till now I have not been able to.
> >>>>
> >>>> I would truly appreciate your input as I have 4 sites with the same
> >>>> configuration and I haven't been able to spot the difference that caused
> >>>> this problem.
> >>>>
> >>>> Thanks
> >>>>
> >>>> --
> >>>> KJ
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>>
> >>
> >
> >
> > --
> > KJ
> >
> >
>

-- 
KJ
Received on Mon Sep 20 2010 - 18:01:47 ART
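The thread points at two things to check when the ager is busy: Joe's suggestion that Internet scans against the static inside global addresses are filling the table, and Shahid's point that the NAT ACL should be specific. The script below is an added example for this page, not code from any of the posters: it parses `show ip nat translations` output as IOS prints it (protocol, then inside global, inside local, outside local, outside global columns), flags any outside host that has opened translations toward many distinct ports of one inside global address, which is what a port scan through a static mapping looks like, and checks that every inside local in the table lies inside the networks the ACL is meant to permit. The sample table is constructed: the thread's static mapping 78.93.56.234 -> 192.168.2.234 is reused, while 78.93.56.1 (assumed Dialer1 address), 203.0.113.7 (assumed scanner) and 198.51.100.20/.53 (assumed ordinary peers) are assumptions that do not appear in the thread.

```python
"""Heuristic triage of 'show ip nat translations' output.

Added example for this thread; not code from any of the posters.
Flags the port-scan pattern (one outside host reaching many ports of one
inside global address) and inside locals the NAT ACL should not have
translated.  The sample table below is constructed; only the static mapping
78.93.56.234 -> 192.168.2.234 comes from the thread.
"""
import ipaddress
import re
from collections import defaultdict

HEADER = "Pro Inside global      Inside local       Outside local       Outside global"
STATIC_ROWS = [
    "--- 78.93.56.234       192.168.2.234      ---                 ---",
]
# Assumed ordinary traffic: two overload flows via 78.93.56.1 (assumed Dialer1
# address) and one real HTTPS client of the static mapping.
NORMAL_ROWS = [
    "tcp 78.93.56.1:1025    192.168.2.10:1025  198.51.100.20:80    198.51.100.20:80",
    "udp 78.93.56.1:53001   192.168.2.11:53001 198.51.100.53:53    198.51.100.53:53",
    "tcp 78.93.56.234:443   192.168.2.234:443  198.51.100.20:51000 198.51.100.20:51000",
]
# 25 constructed inbound scan flows from one assumed outside host (203.0.113.7)
# against consecutive ports of the static mapping.
SCAN_ROWS = [
    f"tcp 78.93.56.234:{p:<5} 192.168.2.234:{p:<5} 203.0.113.7:{40000 + p}   203.0.113.7:{40000 + p}"
    for p in range(1, 26)
]
SAMPLE = "\n".join([HEADER] + STATIC_ROWS + NORMAL_ROWS + SCAN_ROWS) + "\n"

# One extended entry: protocol, then four addr:port columns, whitespace separated.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def split_addr(addr):
    """'203.0.113.7:40001' -> ('203.0.113.7', 40001)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_translations(text):
    """Return the extended (per-flow) entries; '---' static rows carry no ports."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def translations_per_outside_host(rows):
    """How many table entries each outside global host is responsible for."""
    counts = defaultdict(int)
    for r in rows:
        counts[split_addr(r["og"])[0]] += 1
    return dict(counts)


def find_scanners(rows, min_ports=10):
    """(outside host, inside global host) pairs where the outside host has
    reached at least min_ports distinct ports of that inside global address.
    A normal client touches one or two service ports; a scanner touches many."""
    ports = defaultdict(set)
    for r in rows:
        og_host, _ = split_addr(r["og"])
        ig_host, ig_port = split_addr(r["ig"])
        ports[(og_host, ig_host)].add(ig_port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def inside_locals_outside(rows, permitted):
    """Inside local hosts that the NAT ACL was not meant to translate
    (a non-empty result means the ACL is broader than intended)."""
    nets = [ipaddress.ip_network(n) for n in permitted]
    stray = set()
    for r in rows:
        host = ipaddress.ip_address(split_addr(r["il"])[0])
        if not any(host in n for n in nets):
            stray.add(str(host))
    return stray


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print("entries per outside host:", translations_per_outside_host(rows))
    print("scan-like pairs:", find_scanners(rows))
    print("inside locals outside 192.168.2.0/24:",
          inside_locals_outside(rows, ["192.168.2.0/24"]) or "none")
```

Run it against a real table captured while the ager is busy rather than the constructed sample; on the constructed input the assumed scanner is the only pair reported and no inside local falls outside 192.168.2.0/24. A reload clears the translation table, which is why the CPU settled after karim's reboot without anything having been fixed; the knobs the thread alludes to are `ip nat translation max-entries` to cap the table and `ip nat translation timeout` / `tcp-timeout` / `udp-timeout` to age half-open scan entries sooner, both of which reduce the work the ager has to do on each pass.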

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART