cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
756
Views
5
Helpful
3
Replies

ISM CGN NAT44 exclude single IP address?

Asad Ul Islam
Level 1
Level 1

friends,

 

i am running CGN with NAT44 on ISM module.  Problem i am facing is that whenever we face spamming by miscreant user in our network, our upstream blocks the public ip pool on which we perform nat44 translation, resulting all nat44 users to face outage. until we change the address-pool

Is there anyway to exclude one IP Address from address-pool ?? or define multiple address pools?

 

following is my configuration;

 

service cgn cgn
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat44
  portlimit 512
  alg ActiveFTP
  alg rtsp
  alg pptpAlg
  inside-vrf inside-lan1-inside
   map outside-vrf inside-lan1-outside address-pool 101.53.118.184/24
  !
  protocol tcp
   session active timeout 300
  !
 !
!
end

3 Replies 3

Marks Maslovs
Level 1
Level 1

Hi there!

I am also looking for any info regarding VSM/ISM address-pool configuration.

Is it possible, or when it could be possible to define few pools for inside-vrf ?

 

Thanks!

I asked this question because the problem we is that  if one subscriber generates spam. Our upstream black-hole that IP address. & all others subscribers who were natted to that IP also face outage.   & Since i cannot exclude Single IP. I have to change whole /24 address Pool every time. 

For you question regarding multiple pools. I think you can achieve this by creating multiple inside VRF and each inside VRF can have a separate pool (ofcourse you will have to use ABF to route traffic of subscriber chunk to different vrfs)

 

 

Yes, we are facing same problems.

Regarding spam, we've decided to allow only smtp traffic, with destination within our own country, because mostly, all spam traffic goes abroad. That helps us to not get any of our IP addreses black-holed.

But, there is another case. When one of our IP addresses got DDOS attacked. Then our upstream providers sometimes block that IP. That depends on how big malicios traffic is, because sometimes it just overuses our upstream links.

Yes, the solution could be, to create a lot of inside vrf's, but there would be to much addtional configs. We have now 6 inside-vrf's (ABF is used). Creating more vrf's? not sure.

It could be much more easier to simply remove one blocked IP from the pool, rather then kill all existing millions of sessions from pool (/26) and config a new one.

https://supportforums.cisco.com/discussion/11908931/ism-cgn-serviceapp-and-address-pool-limitations

Here was told that this feature will come in future release..So we are very interested in it :))