We have about 800 hosts on our network and during peak times I've seen (show ip nat stat) the translations go over 60,000, which causes serious performance issues. When I clear the translations (clear ip nat tran *) everything works fine again. We use PAT with 1 public IP for all non-server hosts.
I've dumped the translations and used a pivot table to determine the culprits which are typically a dozen or so machines with thousands of connections. Usually the issue is P2P or a virus.
What I don't understand is that the translations seem to hang around for a long time even after I know the internal host is shut down. For example, I ping the host and get no response, and yet translations for the host IP are still in the table for many hours. I assume what I need to do is set a shorter timeout for translations. I included a small sample of typical translations below with our public IPs altered.
I looked at this page (http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=5) and see there are a number of different timeouts that can be set. The page makes a major distinction between port-specific translations and non-port-specific translations, with non-port-specific defaulting to 1 day and port-specific ending in 1 minute. I confess to not understanding the difference between non-port-specific and port-specific; I thought all PAT translations were port-specific.
I have two questions:
1) Which timeouts should I set? "ip nat translation timeout" or "ip nat translation port-timeout tcp" or ... ?
2) What are some best practices regarding the length of timeout? What would be the negative consequences of setting the timeout too short?
Pro Inside global       Inside local        Outside local    Outside global
tcp 126.96.36.199:63115 10.40.100.224:63115 188.8.131.52:80  184.108.40.206:80
tcp 220.127.116.11:3800 10.40.100.229:2249  18.104.22.168:80 22.214.171.124:80
tcp 126.96.36.199:1338  10.40.100.229:2530  188.8.131.52:80  184.108.40.206:80
tcp 220.127.116.11:1931 10.40.100.229:2531  18.104.22.168:80 22.214.171.124:80
tcp 126.96.36.199:2273  10.40.100.229:2535  188.8.131.52:80  184.108.40.206:80
tcp 220.127.116.11:2410 10.40.100.229:2537  18.104.22.168:80 22.214.171.124:80
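As an added example (not part of the original post or of any Cisco tooling), the script below does the "dump and pivot table" step described above on saved "show ip nat translations" output: it parses rows in the layout shown in the post, counts translations per inside local address, lists the hosts holding the most entries, and separates extended (port-specific) rows from simple rows that carry no ports, which is the distinction the Cisco Press page draws. The sample output and threshold are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Constructed sample in the layout of "show ip nat translations" as shown in the post.
# A row whose protocol column is "---" is a simple (non-port) translation.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local        Outside local     Outside global
tcp 203.0.113.5:63115  10.40.100.224:63115 198.51.100.7:80   198.51.100.7:80
tcp 203.0.113.5:3800   10.40.100.229:2249  198.51.100.8:80   198.51.100.8:80
tcp 203.0.113.5:1338   10.40.100.229:2530  198.51.100.7:80   198.51.100.7:80
udp 203.0.113.5:1931   10.40.100.229:2531  198.51.100.9:53   198.51.100.9:53
tcp 203.0.113.5:2273   10.40.100.229:2535  198.51.100.7:443  198.51.100.7:443
tcp 203.0.113.5:2410   10.40.100.229:2537  198.51.100.8:80   198.51.100.8:80
--- 203.0.113.6        10.40.100.230       ---               ---
"""

# One translation row: protocol column followed by the four address columns.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def split_addr(field):
    """'a.b.c.d:port' -> (ip, port); bare 'a.b.c.d' -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


def parse_translations(text):
    """Parse saved show-ip-nat-translations output into a list of dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        il_ip, il_port = split_addr(m["il"])
        entries.append({
            "proto": m["proto"],
            "inside_local": il_ip,
            "inside_local_port": il_port,
            "outside_global": split_addr(m["og"])[0],
            # Rows with ports are extended (port-specific) translations; a bare
            # address pair is a simple translation, which IOS ages out on its own timer.
            "extended": il_port is not None,
        })
    return entries


def count_by_inside_host(entries):
    """Translations per inside local address: the pivot-table step from the post."""
    return Counter(e["inside_local"] for e in entries)


def top_talkers(entries, threshold):
    """Inside hosts holding at least `threshold` translations, busiest first."""
    counts = count_by_inside_host(entries)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


def summarize_kinds(entries):
    """How many extended (port-specific) vs simple translations the table holds."""
    kinds = Counter("extended" if e["extended"] else "simple" for e in entries)
    return {"extended": kinds["extended"], "simple": kinds["simple"]}


if __name__ == "__main__":
    import sys
    # Pass a file containing saved "show ip nat translations" output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    parsed = parse_translations(text)
    print(summarize_kinds(parsed))
    for host, n in top_talkers(parsed, threshold=3):
        print(f"{host}\t{n} translations")
```

Run it against a saved dump (for example "show ip nat translations" captured to a file) with the real threshold of interest; on the sample, 10.40.100.229 is the only host over the threshold and the last row is the single simple translation. Counting per inside local address is what shows a dozen hosts with thousands of entries, which is the pattern the post attributes to P2P clients or infected machines.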