The Bulk Logging and
Port Block Allocation feature allocates ports to users in blocks, instead of
allocating individual ports. When a session is started from inside the network,
instead of allocating a single global IP address and a global port, multiple
global ports of a single global IP address are allocated for Network Address
Translation (NAT) of traffic. Based on the volume of translations, additional
blocks of ports can be allocated.
To allocate port
sets, you can use either the consecutive port-set method or the scattered
port-set method. In the consecutive port-set method, a user is allocated a set
of ports with consecutive port numbers. It is easy to determine the port
numbers in the consecutive method and this as a result, can be a security
threat.
The Bulk Logging and
Port Block Allocation feature uses the scattered port-set method, which allows
you to define a start port number, a step value, and the number of ports to
allocate. For example, if the starting port number is 4000, the step value is
four, and the number of ports is 512, then the step value of four is added to
4000 to get the second port number. Four is added again to 4004 to get the
third port number and this process repeats until you have 512 ports in the port
set. This method of port-set allocation provides better security.
Some application
layer gateways (ALGs) require two consecutive global ports to operate
correctly. These ALGs are supported with this feature only when a step value of
one is configured, which allocates a consecutive port set.
You must enable NAT
paired-address pooling support for this feature to work. This feature also
supports Point-to-Point Tunneling Protocol (PPTP).
Note
|
This feature is
supported only in carrier-grade NAT (CGN) mode; therefore only source
information is logged when this feature is configured. Destination information
is not logged. For more information about CGN, see the “Carrier-Grade Network
Address Translation" module in
IP Addressing:
NAT Configuration Guide.
|