BitTorrent kills 837

Discussion in 'Cisco' started by John Rennie, Oct 11, 2006.

  1. John Rennie

    John Rennie Guest

    A couple of our lads installed uTorrent on their PCs, and very quickly we
    started having problems with DNS lookups failing. Eventually I traced it to a
    NAT problem on our 837 router. The size of the NAT table (from show ip nat
    statistics) would suddenly jump to about 1500 entries, all UDP, and at that
    point DNS lookups to external servers would fail and wouldn't work again until
    the router was reloaded.

    Is this sort of thing normal? I use uTorrent at home behind an 837 and I've
    never encountered a problem. However at work it was quite reproducible. Using
    a packet sniffer I could actually watch the big burst of UDP packets from the
    PCs running uTorrent and I could see the NAT table filling up at the same
    time, and DNS then stop working. I didn't check whether it was just DNS that
    was affected or whether other UDP traffic was killed too.

    I listed the router config. The guilty PCs weren't any of the statically NATed
    addresses, so they would have been dynamically NATed to the router's address.

    JR

    ----8<----

    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    logging buffered 4096
    enable secret <password>
    !
    username admin secret 5 <password>
    no aaa new-model
    ip subnet-zero
    !
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    !
    ! PPTP dialins
    ! ============
    !
    vpdn enable
    !
    vpdn-group pptp
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    exit
    exit
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    peer default ip address pool default
    ppp encrypt mppe auto
    ppp authentication ms-chap chap pap
    !
    ip local pool default 192.168.168.224 192.168.168.239
    !
    ! VPNs
    ! ====
    !
    crypto isakmp policy 1
    encryption des
    hash sha
    authentication pre-share
    group 1
    lifetime 28800
    !
    crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
    crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
    crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
    !
    ! JR
    crypto map cm-cryptomap 1 ipsec-isakmp
    set peer 111.111.111.214
    set transform-set tr-des-sha
    match address 120
    crypto isakmp key <sharedsecret> address 111.111.111.214
    !
    no access-list 120
    access-list 120 remark Site to Site VPN to John
    access-list 120 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 120 deny ip 192.168.168.0 0.0.0.255 any
    !
    ! Matt
    crypto map cm-cryptomap 2 ipsec-isakmp
    set peer 111.111.112.53
    set transform-set tr-des-sha
    match address 121
    crypto isakmp key <sharedsecret> address 111.111.112.53
    !
    no access-list 121
    access-list 121 remark Site to Site VPN to Matt
    access-list 121 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 121 deny ip 192.168.168.0 0.0.0.255 any
    !
    ! Paul
    ! Use the transform tr-des-md5 because the bloody Vigors won't do SHA1
    crypto map cm-cryptomap 3 ipsec-isakmp
    set peer 111.111.113.157
    set transform-set tr-des-md5
    match address 122
    crypto isakmp key <sharedsecret> address 111.111.113.157
    !
    no access-list 122
    access-list 122 remark Site to Site VPN to Paul
    access-list 122 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
    access-list 122 deny ip 192.168.255.0 0.0.0.255 any
    !
    ! Use a policy map to prevent NAT through the VPN by routing the VPN
    ! traffic through the loopback adapter
    !
    route-map nonat permit 10
    match ip address 129
    set ip next-hop 1.1.1.2
    !
    no access-list 129
    access-list 129 remark Route VPN traffic through the loopback adapter
    access-list 129 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 129 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 129 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
    !
    ! Interfaces
    ! ==========
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface Ethernet0
    ip address 192.168.168.254 255.255.255.0
    ip nat inside
    ip route-cache policy
    ip policy route-map nonat
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname <username>
    ppp chap password <password>
    ppp pap sent-username <username> password <password>
    crypto map cm-cryptomap
    no ip route-cache
    no ip mroute-cache
    hold-queue 224 in
    !
    ! NAT
    ! ===
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static 192.168.168.14 123.123.123.82
    ip nat inside source static 192.168.168.2 123.123.123.83
    ip nat inside source static 192.168.168.4 123.123.123.84
    !
    no access-list 102
    access-list 102 remark Addresses to NAT behind router
    access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 102 deny ip 192.168.168.0 0.0.0.255 192.168.130.0 0.0.0.255
    access-list 102 permit ip 192.168.168.0 0.0.0.255 any
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.255.0 255.255.255.0 192.168.168.15
    ip http server
    no ip http secure-server
    !
    ! Access lists
    ! ============
    !
    no access-list 23
    access-list 23 remark Allowed to manage the router
    access-list 23 permit 192.168.168.0 0.0.0.127
    !
    no access-list 111
    access-list 111 remark Incoming access from the Internet
    ! ping
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    ! VPN
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit gre any any
    ! Allow VPN traffic
    access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.128.0 0.0.0.255
    access-list 111 permit ip 192.168.168.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 111 permit ip 192.168.255.0 0.0.0.255 192.168.130.0 0.0.0.255
    ! Hawthorn through ISA
    access-list 111 permit tcp any host 123.123.123.82 eq 21
    access-list 111 permit tcp any host 123.123.123.82 eq 25
    access-list 111 permit tcp any host 123.123.123.82 eq 80
    access-list 111 permit tcp any host 123.123.123.82 eq 443
    access-list 111 permit tcp any host 123.123.123.82 eq 53
    access-list 111 permit udp any host 123.123.123.82 eq 53
    access-list 111 permit tcp any host 123.123.123.82 eq 6666
    ! Redwood through ISA
    access-list 111 permit tcp any host 123.123.123.83 eq 80
    access-list 111 permit tcp any host 123.123.123.83 eq 110
    access-list 111 permit tcp any host 123.123.123.83 eq 143
    access-list 111 permit tcp any host 123.123.123.83 eq 443
    ! Conker direct
    access-list 111 permit tcp any host 123.123.123.84 eq 69
    access-list 111 permit udp any host 123.123.123.84 eq 69
    ! Allow incoming DNS
    access-list 111 permit udp any any eq 53
    ! Allow incoming NTP
    access-list 111 permit udp any any eq 123
    ! Deny the rest
    access-list 111 deny ip any any log
    !
    dialer-list 1 protocol ip permit
    !
    ! SNMP
    ! ====
    snmp-server community public ro
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end
    John Rennie, Oct 11, 2006
    #1

  2. John Rennie

    user Guest


    I probably can't be of too much help as I'm not that experienced though I
    run an 837 here, and BitTorrent (uTorrent client) on occasion, and have
    found it can cause massive NAT tables if left unchecked (which I've seen
    consume all available DRAM). I use the command 'ip nat translation
    max-entries 2048' to place a limit here and see no problems occur when
    running with this many translations in use. It seems low to me the 1500
    number you mention as I don't have any problems with this many (possibly a
    lack of available DRAM on your side?).

    Oddly enough I've not had any problems with the 837 and the BitTorrent
    protocol... other than YESTERDAY... where for some reason the router kept
    'dying', requiring a reload to fix, in that after a period of time I was
    losing net access completely other than with already established
    connections. I don't believe it was a DNS issue this time though, as I
    couldn't even traceroute, or access a website by IP address, from inside the
    LAN. The router, however, had no problem tracing a remote site from console
    (IOS 'trace' command). It wasn't a memory issue either.

    It's a mystery to me what happened exactly yesterday as this hasn't happened
    before. I did recently remove a line, 'ip nat translation tcp-timeout 900',
    from my configuration though, so maybe this had something to do with it (?).
    user, Oct 11, 2006
    #2

  3. John Rennie

    user Guest

    Followup: I just ran into this NAT problem again I think. Net connection
    stopped working correctly although I didn't have BitTorrent running at the
    time, though executing the command 'show ip nat statistics' in the router
    showed all 2048 NAT translations in use, probably due to other services I
    have running here. To clear this fault, rather than perform a reload, I
    just cleared out the translations tables using 'clear ip nat translation *'
    which brought back the connection immediately.

    I don't know if that's similar to the problem you're seeing there though you
    might want to try clearing those NAT entries out to see if it cures the loss
    of connectivity. I'm going to re-add the 'tcp-timeout' command I removed
    recently (ip nat translation tcp-timeout 900) as I guess this was helping
    keep this problem from ocurring. You might want to look into the various
    timeouts and have a play with them unless somebody else knows a better way
    of preventing this (assuming it's causing the problem of course).

    The default NAT entry timeout values are:

    timeout: 86,400 seconds (24 hours)
    udp-timeout: 300 seconds (5 minutes)
    dns-timeout: 60 seconds (1 minute)
    tcp-timeout: 86,400 seconds (24 hours)
    finrst-timeout: 60 seconds (1 minute)
    icmp-timeout: 60 seconds (1 minute)
    pptp-timeout: 86,400 seconds (24 hours)
    syn-timeout: 60 seconds (1 minute)
    seconds: 0 (never)

    hth.
    user, Oct 12, 2006
    #3
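    The post above diagnoses the fault from 'show ip nat statistics' and clears it by hand. As an added example (not the poster's code), the script below parses 'show ip nat translations' output, counts translations per protocol and per inside host, and flags a table that is near the configured limit or dominated by one host, which is what a few uTorrent clients behind one PAT address look like. The sample rows and the max_entries value (mirroring 'ip nat translation max-entries 2048') are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of 'show ip nat translations' output; not taken from the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.5:1025   192.168.1.10:6881  198.51.100.7:6881  198.51.100.7:6881
udp 203.0.113.5:1026   192.168.1.10:6881  198.51.100.8:51413 198.51.100.8:51413
udp 203.0.113.5:1027   192.168.1.10:6881  198.51.100.9:6881  198.51.100.9:6881
tcp 203.0.113.5:1028   192.168.1.20:49152 198.51.100.10:80   198.51.100.10:80
udp 203.0.113.5:1029   192.168.1.20:53001 192.0.2.53:53      192.0.2.53:53
--- 203.0.113.6        192.168.1.30       ---                ---
"""

# Dynamic rows start with the protocol; static one-to-one rows start with '---'.
ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_translations(text):
    """Return a list of (protocol, inside_local_ip) for each dynamic translation."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line, blank line, or static '---' mapping
        proto, _inside_global, inside_local, _ol, _og = m.groups()
        host = inside_local.rsplit(":", 1)[0]  # strip the port part
        rows.append((proto, host))
    return rows


def nat_report(text, max_entries=2048, warn_ratio=0.75, top_host_ratio=0.5):
    """Summarise table usage and raise alerts a NAT operator would act on."""
    rows = parse_translations(text)
    total = len(rows)
    by_proto = Counter(p for p, _ in rows)
    by_host = Counter(h for _, h in rows)
    alerts = []
    if total >= max_entries * warn_ratio:  # approaching the max-entries limit
        alerts.append(f"table at {total}/{max_entries} dynamic entries")
    for host, n in by_host.most_common(1):  # one host hogging the table
        if n / total >= top_host_ratio:
            alerts.append(f"{host} holds {n}/{total} translations")
    return {"total": total, "by_proto": dict(by_proto),
            "by_host": dict(by_host), "alerts": alerts}


if __name__ == "__main__":
    print(nat_report(SAMPLE, max_entries=6))
```

    Feed it the saved output of 'show ip nat translations' from a cron job or a syslog collector and the per-host counter points at the offending PC before the table fills and DNS stops.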
  4. John Rennie

    John Rennie Guest

    Thanks, it does sound as if your experience is similar. One contributing
    factor may be that at home I statically NAT (strictly speaking PAT I suppose)
    the BitTorrent port to allow incoming connections, while at the office the
    port isn't statically NATed, and the lads may not have set up uTorrent
    correctly for this scenario.

    I've fixed the problem by banning uTorrent! However I'll have a play with the
    settings you suggest and see what effect it has.

    JR

    On Thu, 12 Oct 2006 01:16:16 +0100, "user" <user@localhost> wrote:
    John Rennie, Oct 12, 2006
    #4