Appendix A Sample NAT Configuration
The following is a sample NAT configuration.

# Layout: global settings, the "local" management context, the active-charging
# service (ruledefs, EDR/UDR formats, rulebases, firewall-and-NAT policies), then
# the pdsn, isp and radius contexts, bulk statistics, and the line-card ports.
# The listing was collapsed onto a few long lines; it is restored here to one
# command per line. Commands and their order are unchanged.
# NOTE(review): addresses, keys and most secrets look like placeholders.
# Anything copied from this sample should have every credential replaced.
configure
  # The license key is embedded in the configuration, so saved or exported
  # copies of this file carry it.
  license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=116904I0207E3107|DOI=1258470708|DOE=12\
HG=100000|FHE=Y|SIG=MC4CFQCf9f7bAibGKJWq69JaJMd5XowxVwIVALDFfUHAEUTokw"
  # Subscribers with no matching domain, and last-resort lookups, are both
  # handled in the "radius" context defined further down.
  aaa default-domain subscriber radius
  aaa last-resort context subscriber radius
  gtpp single-source
  system hostname ABC123DEF456
  autoconfirm
  clock timezone asia-calcutta
  # Crash information is sent to a remote URL, which is stored in encrypted form.
  crash enable encrypted url abc123def456ghi789
  card 1
    mode active psc
  exit
  card 2
    mode active psc
  exit
  card 4
    mode active psc
  exit
  require session recovery
  require active-charging
  # Management context.
  context local
    interface SPIO1
      ip address 1.2.3.4 255.255.255.0
    exit
    # NOTE(review): FTP and (below) Telnet servers are enabled on the management
    # interface. Both carry credentials and session data in cleartext. sshd with
    # the sftp subsystem is also configured here and covers the same needs, so
    # ftpd/telnetd should be left out of a production configuration unless
    # something specifically requires them.
    server ftpd
    exit
    # NOTE(review): the SSH host key type is v2-dsa. DSA host keys are deprecated
    # in current SSH implementations; prefer an RSA key type where the release
    # supports it.
    ssh key abc123def456ghi789abc123def456ghi789 len 777 type v2-dsa
    server sshd
      subsystem sftp
    exit
    server telnetd
    exit
    subscriber default
    exit
    # Administrator account named "admin"; the trailing "ftp" keyword additionally
    # grants this account file-transfer access.
    # NOTE(review): a predictable account name combined with the cleartext services
    # above widens exposure. Confirm both are intended.
    administrator admin encrypted password abc123def456ghi789 ftp
    aaa group default
    exit
    gtpp group default
    exit
    ip route 0.0.0.0 0.0.0.0 2.3.4.5 SPIO1
  exit
  port ethernet 24/1
    no shutdown
    bind interface SPIO1 local
  exit
  # A single NTP server is configured. The NAT binding records defined below
  # carry GMT timestamps, so their usefulness depends on this clock being right.
  ntp
    enable
    server 10.6.1.1
  exit
  snmp engine-id local 123007e123275a8c123ff07ca49
  # Active-charging service: holds the ruledefs, record formats, rulebases and
  # firewall-and-NAT policies that subscribers reference by rulebase name.
  active-charging service service_name
    # When NAT IP/port allocation fails, an ICMP destination-unreachable is
    # returned.
    nat allocation-failure send-icmp-dest-unreachable
    host-pool host1
      ip range 3.4.5.6 to 4.5.6.7
    exit
    host-pool host2
      ip range 5.6.7.8 to 6.7.8.9
    exit
    host-pool host3
      ip range 7.8.9.0 to 8.9.0.1
    exit
    # Charging ruledef that matches every IP packet.
    ruledef ip_any
      ip any-match = TRUE
    exit
    # Routing ruledefs: steer flows to protocol analyzers by well-known TCP port
    # (or, for RTP, by protocol match).
    ruledef rt_ftp
      tcp either-port = 21
      rule-application routing
    exit
    ruledef rt_ftp_data
      tcp either-port = 20
      rule-application routing
    exit
    ruledef rt_http
      tcp either-port = 80
      rule-application routing
    exit
    ruledef rt_rtp
      rtp any-match = TRUE
      rule-application routing
    exit
    ruledef rt_rtsp
      tcp either-port = 554
      rule-application routing
    exit
    # Access ruledefs used by the firewall-and-NAT policies. Each one matches ALL
    # traffic of its protocol, so a "permit" on them filters nothing. They only
    # select the NAT realm. Narrower access ruledefs are needed if the firewall is
    # meant to restrict traffic.
    access-ruledef fw_icmp
      icmp any-match = TRUE
    exit
    access-ruledef fw_tcp
      tcp any-match = TRUE
    exit
    access-ruledef fw_udp
      udp any-match = TRUE
    exit
    # NAT binding record (NBR) layout. It ties subscriber identity (subscriber IP,
    # RADIUS user name, calling-station-id) to the NAT IP, port block and
    # allocation/deallocation times. These records are what allow a public
    # IP:port seen in an external log to be attributed to a subscriber, so they
    # should be retained and protected accordingly.
    edr-format nbr_format1
      attribute sn-correlation-id priority 1
      rule-variable ip subscriber-ip-address priority 2
      attribute sn-fa-correlation-id priority 3
      attribute radius-fa-nas-ip-address priority 4
      attribute radius-fa-nas-identifier priority 5
      attribute radius-user-name priority 6
      attribute radius-calling-station-id priority 7
      attribute sn-nat-ip priority 8
      attribute sn-nat-port-block-start priority 9
      attribute sn-nat-port-block-end priority 10
      attribute sn-nat-binding-timer priority 11
      attribute sn-nat-subscribers-per-ip-address priority 12
      attribute sn-nat-realm-name priority 13
      attribute sn-nat-gmt-offset priority 14
      attribute sn-nat-port-chunk-alloc-dealloc-flag priority 15
      attribute sn-nat-port-chunk-alloc-time-gmt priority 16
      attribute sn-nat-port-chunk-dealloc-time-gmt priority 17
      attribute sn-nat-last-activity-time-gmt priority 18
    exit
    # Usage data record layout (times, volumes, identifiers). The times here are
    # local time, whereas the NBR format above uses GMT fields.
    udr-format udr_format
      attribute sn-start-time format MM/DD/YYYY-HH:MM:SS localtime priority 1
      attribute sn-end-time format MM/DD/YYYY-HH:MM:SS localtime priority 2
      attribute sn-correlation-id priority 4
      attribute sn-content-vol bytes uplink priority 6
      attribute sn-content-vol bytes downlink priority 7
      attribute sn-fa-correlation-id priority 8
      attribute radius-fa-nas-ip-address priority 9
      attribute radius-fa-nas-identifier priority 10
      attribute radius-user-name priority 11
      attribute sn-content-vol pkts uplink priority 12
      attribute sn-content-vol pkts downlink priority 13
      attribute sn-group-id priority 14
      attribute sn-content-id priority 15
    exit
    charging-action ca_nothing
      content-id 20
    exit
    bandwidth-policy bw1
    exit
    bandwidth-policy bw2
    exit
    # Rulebase base_1: UDR billing, analyzer routing for FTP/RTSP/RTP/HTTP, and
    # firewall-and-NAT policy base_1 as the default.
    rulebase base_1
      tcp packets-out-of-order timeout 30000
      billing-records udr udr-format udr_format
      action priority 1 ruledef ip_any charging-action ca_nothing
      route priority 1 ruledef rt_ftp analyzer ftp-control
      route priority 10 ruledef rt_ftp_data analyzer ftp-data
      route priority 20 ruledef rt_rtsp analyzer rtsp
      route priority 30 ruledef rt_rtp analyzer rtp
      route priority 40 ruledef rt_http analyzer http
      rtp dynamic-flow-detection
      bandwidth default-policy bw1
      fw-and-nat default-policy base_1
    exit
    # Rulebase base_2: FTP and HTTP analyzers only, with firewall-and-NAT policy
    # base_2 as the default. No billing-records line is present here.
    rulebase base_2
      action priority 1 ruledef ip_any charging-action ca_nothing
      route priority 1 ruledef rt_ftp analyzer ftp-control
      route priority 10 ruledef rt_ftp_data analyzer ftp-data
      route priority 40 ruledef rt_http analyzer http
      bandwidth default-policy bw2
      fw-and-nat default-policy base_2
    exit
    rulebase default
    exit
    # Policy base_1: TCP -> nat_pool1, UDP -> nat_pool2, everything else that
    # needs NAT -> nat_pool3. Firewall and NAT are both required.
    fw-and-nat policy base_1
      access-rule priority 1 access-ruledef fw_tcp permit nat-realm nat_pool1
      access-rule priority 2 access-ruledef fw_udp permit nat-realm nat_pool2
      # A TCP flow whose first packet is not a SYN is answered with a reset.
      firewall tcp-first-packet-non-syn reset
      nat policy nat-required default-nat-realm nat_pool3
      firewall policy firewall-required
      # Emit an NBR (format nbr_format1) on port-chunk allocation and release.
      nat binding-record edr-format nbr_format1 port-chunk-allocation port-chunk-release
    exit
    # Policy base_2: TCP -> nat_pool2, UDP -> nat_pool1, ICMP permitted without
    # NAT.
    # NOTE(review): unlike base_1, this policy has no "nat binding-record" line,
    # so as written no NBRs are configured for subscribers on base_2. Confirm
    # that this logging gap is intended.
    fw-and-nat policy base_2
      access-rule priority 10 access-ruledef fw_tcp permit nat-realm nat_pool2
      access-rule priority 20 access-ruledef fw_udp permit nat-realm nat_pool1
      access-rule priority 25 access-ruledef fw_icmp permit bypass-nat
      nat policy nat-required default-nat-realm nat_pool3
      firewall policy firewall-required
    exit
    nat tcp-2msl-timeout 120
  exit
  # Access-side context (PDSN service).
  context pdsn
    interface pdsn
      ip address 9.0.1.2 255.255.255.0
    exit
    ssh key abc123def456ghi789abc123def456ghi789 len 461
    server sshd
      subsystem sftp
    exit
    subscriber default
      # NOTE(review): the access group is named css-1, but the only access list
      # defined in this sample is "css" (in context isp). Verify the name.
      ip access-group css-1 in
      ip access-group css-1 out
      ip context-name isp
      mobile-ip send accounting-correlation-info
      active-charging rulebase base_1
    exit
    aaa group default
    exit
    gtpp group default
    exit
    pdsn-service pdsn
      # SPI entries carry the shared secret for the remote peer.
      # NOTE(review): the first two lines are identical (same remote address and
      # spi-number 256). Also, timestamp-tolerance 0 presumably disables the
      # timestamp check used against replay. Confirm against the command
      # reference before reusing.
      spi remote-address 9.0.1.2 spi-number 256 encrypted secret abc123def456ghi789 timestamp-tolerance 0
      spi remote-address 9.0.1.2 spi-number 256 encrypted secret abc123def456ghi789 timestamp-tolerance 0
      spi remote-address 9.0.1.2 spi-number 9999 encrypted secret abc123def456ghi789 timestamp-tolerance 0
      # NOTE(review): allow-noauth lets a session proceed with no PPP
      # authentication at all. PAP also sends the password unprotected over the
      # link. Keep allow-noauth only if unauthenticated access is an explicit
      # requirement.
      authentication pap 1 chap 2 allow-noauth
      bind address 0.1.2.3
    exit
    # EDR file settings for the binding records: file name NBR_nat, rotated on a
    # timer.
    edr-module active-charging-service
      file name NBR_nat current-prefix Record rotation time 45 headers edr-format-name
    exit
  exit
  # Network-side context: holds the NAT pools and the redirect ACL.
  context isp
    # Redirects all IP traffic into the active-charging service, where the
    # rulebase and firewall-and-NAT policy are applied.
    ip access-list css
      redirect css service service_name ip any any
    exit
    # nat_pool1: many-to-one NAT, up to 10 users per public IP, ports handed out
    # in chunks of 128 (at most 5 chunks per user), with binding updates sent.
    ip pool nat_pool1 range 20.20.20.0 20.20.20.99 napt-users-per-ip-address 10 max-chunks-per-user 5 port-chunk-size 128 send-nat-binding-update
    # nat_pool2: one-to-one NAT, allocated on demand, 60-unit binding timer.
    ip pool nat_pool2 range 30.30.30.0 30.30.30.99 nat-one-to-one on-demand nat-binding-timer 60 send-nat-binding-update
    # nat_pool3: many-to-one NAT, up to 5 users per public IP, chunks of 64
    # ports.
    ip pool nat_pool3 40.40.40.0 255.255.255.0 napt-users-per-ip-address 5 max-chunks-per-user 5 port-chunk-size 64 send-nat-binding-update
    ip pool pool1 11.22.33.44 255.255.0.0 public 0
    interface isp
      ip address 22.33.44.55 255.255.255.0
    exit
    subscriber default
    exit
    aaa group default
    exit
    gtpp group default
    exit
    ip route 0.0.0.0 0.0.0.0 33.44.55.66 isp
  exit
  # AAA context: subscriber templates, domains, RADIUS and Diameter peers.
  context radius
    interface radius
      ip address 44.55.66.77 255.255.255.0
    exit
    subscriber default
    exit
    subscriber name test7-sub
      ip access-group css in
      ip access-group css out
      ip context-name isp
      active-charging rulebase base_1
    exit
    subscriber name test9-sub
      ip access-group css in
      ip access-group css out
      # NOTE(review): this points at context "isp1", but only "isp" is defined
      # in this sample. Verify the name.
      ip context-name isp1
      active-charging rulebase base_2
    exit
    domain test7.com default subscriber test7-sub
    domain test9.com default subscriber test9-sub
    # Listener for RADIUS change-of-authorization requests on port 4000. Those
    # requests can alter live sessions, so reachability of this address and port
    # should be limited to the AAA servers.
    radius change-authorize-nas-ip 44.55.66.77 encrypted key abc123def456ghi789 port 4000
    aaa group default
      radius attribute nas-ip-address address 44.55.66.77
      radius dictionary custom9
      # Authentication and accounting servers, each with its own shared secret,
      # on ports 1645/1646 (the legacy RADIUS port pair). RADIUS protection rests
      # entirely on the shared secret, so use long random secrets and keep this
      # traffic on a trusted network segment.
      radius server 55.66.77.88 encrypted key abc123def456ghi port 1645
      radius accounting server 55.66.77.88 encrypted key abc12 port 1646
    exit
    gtpp group default
    exit
    diameter endpoint abc.star.com
      origin host abc.star.com address 44.55.66.77
      peer minid realm star.com address 55.66.77.88
    exit
  exit
  bulkstats collection
  bulkstats mode
    sample-interval 1
    transfer-interval 15
    file 1
      remotefile format /localdisk/ABC.bulkstat
      # NOTE(review): statistics are pushed over FTP, logging in as "root" on the
      # receiver. FTP exposes that login on the wire; prefer an encrypted
      # transfer mechanism if the release offers one, and a dedicated
      # low-privilege account on the receiver.
      # NOTE(review): unlike the other secrets in this sample, this password
      # value does not follow the placeholder pattern. Confirm it is not a real
      # credential.
      receiver 66.77.88.99 primary mechanism ftp login root encrypted password 34dab256a700e2a8
    exit
  exit
  port ethernet 17/1
    no shutdown
    bind interface pdsn pdsn
  exit
  port ethernet 17/2
    no shutdown
    bind interface isp isp
  exit
  port ethernet 17/3
    no shutdown
    bind interface radius radius
  exit
  # Ports 17/4 and 17/5 are enabled but have no interface bound in this sample.
  # Unused ports are normally left shut down.
  port ethernet 17/4
    no shutdown
  exit
  port ethernet 17/5
    no shutdown
  exit
end