Changing the PAT Default Inactivity Timeout Timers

Sep 09,2009 by alperen


When port translation (PAT) is configured, finer control exists over specific translation entries because each entry contains more context about the traffic using it. A separate entry is made for each timer. The syntax is:

Rtr1(config)#ip nat translation {udp-timeout | dns-timeout | tcp-timeout | finrst-timeout} seconds

Rtr1(config)#no ip nat translation {udp-timeout | dns-timeout | tcp-timeout | finrst-timeout}

udp-timeout

Applies to the UDP port. Default is 300 seconds (five minutes).

dns-timeout

Applies to DNS connections. Default is 60 seconds.

tcp-timeout

Applies to the TCP port. Default is 86,400 seconds (24 hours).

finrst-timeout

Sets the timeout value applied after a Finish (FIN) or Reset (RST) TCP packet, before the connection is terminated. Default is 60 seconds.

seconds

Seconds after which the specified port translation times out.

Examples:

Rtr1(config)#ip nat translation udp-timeout 120
Rtr1(config)#ip nat translation dns-timeout 30
Rtr1(config)#ip nat translation tcp-timeout 600

Dynamic NAT sessions can only be initiated by an internal host. Initiating a NAT translation from outside the network is impossible. To some extent, this adds a level of security to the internal network. This might also help explain why the dynamic timeout timer for overload (PAT) sessions is so short. The window of opportunity stays open just long enough to make sure legitimate replies like web pages, FTP and TFTP copies, and ICMP messages can get in.
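
To check which timer values a set of these commands leaves in effect, the following Python script (an added example, not part of the original article) applies the lines in order, starting from the defaults listed above, and flags any timer above a review ceiling. The sample configuration and the ceiling values are constructed assumptions; the `never` keyword, which IOS accepts in place of a number of seconds, is not covered in the article.

```python
import re

# Defaults in seconds, as stated in the article.
DEFAULTS = {"udp-timeout": 300, "dns-timeout": 60,
            "tcp-timeout": 86400, "finrst-timeout": 60}

# Matches the command with or without a leading "Rtr1(config)#" style prompt.
LINE_RE = re.compile(
    r"^\s*(?:\S+\(config\)#\s*)?(no\s+)?ip nat translation\s+"
    r"(udp-timeout|dns-timeout|tcp-timeout|finrst-timeout)"
    r"(?:\s+(\d+|never))?\s*$")

def effective_timers(config_text):
    """Apply config lines in order and return the resulting timer values."""
    timers = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # unrelated or incomplete line
        negated, name, value = m.groups()
        if negated:
            timers[name] = DEFAULTS[name]     # "no" form restores the default
        elif value == "never":
            timers[name] = float("inf")       # entry is never aged out
        elif value is not None:
            timers[name] = int(value)
    return timers

def audit(config_text, ceilings):
    """Return (timer, value, ceiling) for each timer above its ceiling."""
    timers = effective_timers(config_text)
    return [(n, timers[n], c) for n, c in sorted(ceilings.items())
            if timers[n] > c]

# Constructed sample input (not taken from a real device).
SAMPLE = """\
Rtr1(config)#ip nat translation udp-timeout 120
Rtr1(config)#ip nat translation dns-timeout 30
Rtr1(config)#ip nat translation tcp-timeout 600
Rtr1(config)#no ip nat translation dns-timeout
Rtr1(config)#ip nat translation finrst-timeout 900
"""
# Hypothetical review ceilings in seconds; set these from local policy.
CEILINGS = {"udp-timeout": 300, "dns-timeout": 60,
            "tcp-timeout": 3600, "finrst-timeout": 60}

if __name__ == "__main__":
    print(effective_timers(SAMPLE))
    for name, value, ceiling in audit(SAMPLE, CEILINGS):
        print(f"{name}: {value}s exceeds review ceiling {ceiling}s")
```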

