We have about 800 hosts on our network, and during peak times I've seen (show ip nat stat) the translations go over 60,000, which causes serious performance issues. When I clear the translations (clear ip nat tran *) everything works fine again. We use PAT with 1 public IP for all non-server hosts.
I've dumped the translations and used a pivot table to determine the culprits which are typically a dozen or so machines with thousands of connections. Usually the issue is P2P or a virus.
What I don't understand is that the translations seem to hang around for a long time even after I know the internal host is shut down. For example, I ping the host and get no response, and yet translations for the host IP are still in the table for many hours. I assume what I need to do is set a shorter timeout for translations. I included a small sample of typical translations below with our public IPs altered.
I looked at this page (http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=5) and see there are a number of different timeouts that can be set. The page makes a major distinction between port-specific translations and non-port-specific translations, with non-port-specific defaulting to 1 day and port-specific ending in 1 minute. I confess to not understanding the difference between non-port-specific and port-specific; I thought all PAT translations were port-specific.
I have two questions:
1) Which timeouts should I set? "ip nat translation timeout" or "ip nat translation port-timeout tcp" or ... ?
2) What are some best practices regarding the length of timeout? What would be the negative consequences of setting the timeout too short?
Pro Inside global        Inside local         Outside local        Outside global
tcp 220.127.116.11:63115 10.40.100.224:63115  18.104.22.168:80     22.214.171.124:80
tcp 126.96.36.199:3800   10.40.100.229:2249   188.8.131.52:80      184.108.40.206:80
tcp 220.127.116.11:1338  10.40.100.229:2530   18.104.22.168:80     22.214.171.124:80
tcp 126.96.36.199:1931   10.40.100.229:2531   188.8.131.52:80      184.108.40.206:80
tcp 220.127.116.11:2273  10.40.100.229:2535   18.104.22.168:80     22.214.171.124:80
tcp 126.96.36.199:2410   10.40.100.229:2537   188.8.131.52:80      184.108.40.206:80
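The "pivot table" step from the post, done in code: an added example (not from the original post) that parses a dump in the layout of `show ip nat translations`, counts port-specific translations per inside host, and flags the hosts holding the most. The sample output is constructed with documentation addresses and includes one static non-port-specific entry (the `---` row, which has no port and falls under the 24-hour default timeout) to show how it differs from the PAT rows with ports.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show ip nat translations`; addresses are made up.
SAMPLE_OUTPUT = """\
Pro Inside global       Inside local        Outside local      Outside global
tcp 203.0.113.10:63115  10.40.100.224:63115 198.51.100.5:80    198.51.100.5:80
tcp 203.0.113.10:3800   10.40.100.229:2249  198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.10:1338   10.40.100.229:2530  198.51.100.5:80    198.51.100.5:80
udp 203.0.113.10:1931   10.40.100.229:2531  198.51.100.9:53    198.51.100.9:53
tcp 203.0.113.10:2273   10.40.100.229:2535  198.51.100.5:80    198.51.100.5:80
icmp 203.0.113.10:512   10.40.100.230:512   198.51.100.9:512   198.51.100.9:512
--- 203.0.113.11        10.40.100.250       ---                ---
"""

# Exactly five whitespace-separated fields; the header line has more and is skipped.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_translations(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) == "Pro":
            continue
        entries.append(m.groups())
    return entries


def host(addr):
    """Strip the ':port' part of 'a.b.c.d:port'; non-port entries have no colon."""
    return addr.split(":")[0]


def translations_per_host(text, port_specific_only=True):
    """Count translations by inside-local host; optionally drop non-port ('---') entries."""
    counter = Counter()
    for proto, _ig, inside_local, _ol, _og in parse_translations(text):
        if port_specific_only and proto == "---":
            continue  # static/non-port entry: not a PAT session, different timeout class
        counter[host(inside_local)] += 1
    return counter


def top_talkers(text, threshold):
    """Inside hosts holding at least `threshold` port-specific translations, most first."""
    counts = translations_per_host(text)
    return [(h, n) for h, n in counts.most_common() if n >= threshold]
```

On a real dump, feed the file contents to `top_talkers(text, 1000)` to list the dozen or so hosts with thousands of entries the post describes.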