Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
NAT Session Throttle
5-38
5. Click Update.
NAT Session Throttle
You can configure a throttle/threshold on a per-host basis when the Clean Access Server operates as a NAT Gateway. This allows the CAS to restrict the maximum number of connections each host can open at any one time and eliminate the chance of one host consuming all the connections (for example due to a malicious user or a user with a worm).
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Advanced > NAT

Figure 5-21 NAT Page
2. Click the checkbox for Drop new connections when “max concurrent connections per host” is reached to enable the NAT session throttle feature for new user connections.

When this option is checked, all new sessions will be dropped for a user if the total number of current connections for the host exceeds the threshold set in the Max Concurrent Connections Per Host field. For example, if an existing user has 300 connections open, then the administrator enables this feature for a maximum of 100 connections per host, the user’s existing connections will not be affected, but the user will not be able to open any new connections until the total number of connections is less than 100.
3. Configure the following options:

– Max Concurrent Connections Per Host—You can configure this threshold up to the maximum value of 45535 connections. Typically, 256 or 512 connections should be sufficient per host. If there are a lot of dropped connections for a user, you can increase the maximum number of connections allowed per host in this field.

– TCP Session Timeout (seconds)—This field sets the idle time for each connection. If the user opens a connection (e.g. for Telnet) and the connection is idle past the number of seconds configured in this field, the connection will be dropped.

– TCP Session Scan Interval (seconds)—This field sets the interval to scan the entire table of NAT connections (up to 45,535 entries) to check which connections have timed out. For example, if this value is 90 seconds, the table will be scanned every 90 seconds.
4. Click Update to save and activate settings on the CAS NAT gateway.
5. For troubleshooting, the bottom of the page lists the current connection table for each host:
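The semantics described in steps 2 and 3 (existing connections untouched when the throttle is enabled, new connections refused until the host drops below the threshold, idle connections only reaped when the periodic scan runs) are easy to misread, so the following added example models them in Python. This is not Cisco code and does not reflect the CAS implementation; the class and field names, the session key, and the 300-flow scenario are constructed for illustration, with the three parameters mirroring the Max Concurrent Connections Per Host, TCP Session Timeout and TCP Session Scan Interval fields.

```python
"""Toy model of a per-host NAT session throttle (added example, not Cisco code).

Assumed mapping to the CAS NAT page:
  max_per_host        -> Max Concurrent Connections Per Host
  tcp_timeout         -> TCP Session Timeout (seconds)
  scan_interval       -> TCP Session Scan Interval (seconds)
  drop_new_when_full  -> the "Drop new connections when ..." checkbox
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    host: str        # inside host (NAT client)
    dst: str         # "ip:port" on the outside (constructed key, assumption)
    last_seen: float # last packet time, seconds


@dataclass
class NatThrottle:
    max_per_host: int = 256
    tcp_timeout: int = 1800
    scan_interval: int = 90
    drop_new_when_full: bool = True
    sessions: dict = field(default_factory=dict)  # (host, dst) -> Session
    dropped: dict = field(default_factory=dict)   # host -> refused new sessions
    _last_scan: float = 0.0

    def count(self, host: str) -> int:
        """Current connections held by one inside host."""
        return sum(1 for s in self.sessions.values() if s.host == host)

    def open(self, host: str, dst: str, now: float) -> bool:
        """Admit or refuse a packet that would create/refresh a NAT entry."""
        key = (host, dst)
        if key in self.sessions:
            # Existing flow: the throttle never touches it, just refresh idle timer.
            self.sessions[key].last_seen = now
            return True
        if self.drop_new_when_full and self.count(host) >= self.max_per_host:
            # Over threshold: only NEW sessions for this host are dropped.
            self.dropped[host] = self.dropped.get(host, 0) + 1
            return False
        self.sessions[key] = Session(host, dst, now)
        return True

    def tick(self, now: float) -> int:
        """Periodic scan: expire idle entries. Runs only every scan_interval.

        Returns the number of entries removed (0 if the scan did not run).
        """
        if now - self._last_scan < self.scan_interval:
            return 0
        self._last_scan = now
        idle = [k for k, s in self.sessions.items()
                if now - s.last_seen > self.tcp_timeout]
        for k in idle:
            del self.sessions[k]
        return len(idle)


def worked_example() -> dict:
    """Replays the 300-connection scenario from the text (constructed data)."""
    nat = NatThrottle(max_per_host=100, tcp_timeout=60, scan_interval=90,
                      drop_new_when_full=False)
    host, other = "10.0.0.5", "10.0.0.6"
    # 300 flows already open at t=0, before the administrator enables the throttle.
    for i in range(300):
        nat.open(host, f"203.0.113.{i % 254}:{1000 + i}", now=0.0)
    out = {"before": nat.count(host)}
    nat.drop_new_when_full = True                       # checkbox ticked, max 100
    out["refused"] = nat.open(host, "198.51.100.9:443", now=10.0)
    out["still"] = nat.count(host)                      # existing 300 untouched
    out["other_host_allowed"] = nat.open(other, "198.51.100.9:443", now=10.0)
    out["expired_before_scan"] = nat.tick(now=70.0)     # idle > 60s but no scan yet
    nat.open(other, "198.51.100.9:443", now=80.0)       # other host keeps talking
    out["expired_at_scan"] = nat.tick(now=90.0)         # scan runs, 300 idle reaped
    out["after"] = nat.count(host)
    out["allowed_after_expiry"] = nat.open(host, "198.51.100.9:443", now=91.0)
    out["dropped_for_host"] = nat.dropped.get(host, 0)
    return out


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k:24} {v}")
```

Two practical points fall out of the model: an idle connection can survive up to TCP Session Timeout plus one full Scan Interval before it is reaped, so a very long scan interval inflates a host's count even after it goes quiet, and the per-host refusal counter (`dropped` here) is the kind of figure worth watching when deciding whether a threshold is too low for legitimate users rather than catching a misbehaving host.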