Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISM CGN NAT44 exclude single IP address?

friends,

 

i am running CGN with NAT44 on ISM module.  Problem i am facing is that whenever we face spamming by miscreant user in our network, our upstream blocks the public ip pool on which we perform nat44 translation, resulting all nat44 users to face outage. until we change the address-pool

Is there anyway to exclude one IP Address from address-pool ?? or define multiple address pools?

 

following is my configuration;

 

service cgn cgn
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat44
  portlimit 512
  alg ActiveFTP
  alg rtsp
  alg pptpAlg
  inside-vrf inside-lan1-inside
   map outside-vrf inside-lan1-outside address-pool 101.53.118.184/24
  !
  protocol tcp
   session active timeout 300
  !
 !
!
end

  • XR OS and Platforms
3 REPLIES
New Member

Hi there!I am also looking

Hi there!

I am also looking for any info regarding VSM/ISM address-pool configuration.

Is it possible, or when it could be possible to define few pools for inside-vrf ?

 

Thanks!

New Member

I asked this question because

I asked this question because the problem we is that  if one subscriber generates spam. Our upstream black-hole that IP address. & all others subscribers who were natted to that IP also face outage.   & Since i cannot exclude Single IP. I have to change whole /24 address Pool every time. 

For you question regarding multiple pools. I think you can achieve this by creating multiple inside VRF and each inside VRF can have a separate pool (ofcourse you will have to use ABF to route traffic of subscriber chunk to different vrfs)

 

 

New Member

Yes, we are facing same

Yes, we are facing same problems.

Regarding spam, we've decided to allow only smtp traffic, with destination within our own country, because mostly, all spam traffic goes abroad. That helps us to not get any of our IP addreses black-holed.

But, there is another case. When one of our IP addresses got DDOS attacked. Then our upstream providers sometimes block that IP. That depends on how big malicios traffic is, because sometimes it just overuses our upstream links.

Yes, the solution could be, to create a lot of inside vrf's, but there would be to much addtional configs. We have now 6 inside-vrf's (ABF is used). Creating more vrf's? not sure.

It could be much more easier to simply remove one blocked IP from the pool, rather then kill all existing millions of sessions from pool (/26) and config a new one.

https://supportforums.cisco.com/discussion/11908931/ism-cgn-serviceapp-and-address-pool-limitations

Here was told that this feature will come in future release..So we are very interested in it :))

73
Views
5
Helpful
3
Replies