Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
5
Helpful
3
Replies

ISM CGN NAT44 exclude single IP address?

Asad Ul Islam
Level 1
Level 1

‎11-04-2014 09:44 PM

friends,

 

i am running CGN with NAT44 on ISM module.  Problem i am facing is that whenever we face spamming by miscreant user in our network, our upstream blocks the public ip pool on which we perform nat44 translation, resulting all nat44 users to face outage. until we change the address-pool

Is there anyway to exclude one IP Address from address-pool ?? or define multiple address pools?

 

following is my configuration;

 

service cgn cgn
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat44
  portlimit 512
  alg ActiveFTP
  alg rtsp
  alg pptpAlg
  inside-vrf inside-lan1-inside
   map outside-vrf inside-lan1-outside address-pool 101.53.118.184/24
  !
  protocol tcp
   session active timeout 300
  !
 !
!
end

Labels:
0 Helpful
3 Replies 3

Marks Maslovs
Level 1
Level 1

‎01-15-2015 05:59 AM

Hi there!

I am also looking for any info regarding VSM/ISM address-pool configuration.

Is it possible, or when it could be possible to define few pools for inside-vrf ?

 

Thanks!

0 Helpful

Asad Ul Islam
Level 1
Level 1
In response to Marks Maslovs

‎01-15-2015 08:47 PM

I asked this question because the problem we is that  if one subscriber generates spam. Our upstream black-hole that IP address. & all others subscribers who were natted to that IP also face outage.   & Since i cannot exclude Single IP. I have to change whole /24 address Pool every time. 

For you question regarding multiple pools. I think you can achieve this by creating multiple inside VRF and each inside VRF can have a separate pool (ofcourse you will have to use ABF to route traffic of subscriber chunk to different vrfs)

 

 

0 Helpful

Marks Maslovs
Level 1
Level 1
In response to Asad Ul Islam

‎01-16-2015 12:20 AM

Yes, we are facing same problems.

Regarding spam, we've decided to allow only smtp traffic, with destination within our own country, because mostly, all spam traffic goes abroad. That helps us to not get any of our IP addreses black-holed.

But, there is another case. When one of our IP addresses got DDOS attacked. Then our upstream providers sometimes block that IP. That depends on how big malicios traffic is, because sometimes it just overuses our upstream links.

Yes, the solution could be, to create a lot of inside vrf's, but there would be to much addtional configs. We have now 6 inside-vrf's (ABF is used). Creating more vrf's? not sure.

It could be much more easier to simply remove one blocked IP from the pool, rather then kill all existing millions of sessions from pool (/26) and config a new one.

https://supportforums.cisco.com/discussion/11908931/ism-cgn-serviceapp-and-address-pool-limitations

Here was told that this feature will come in future release..So we are very interested in it :))

Customers Also Viewed These Support Documents