Step 1 Configure the required core network service on the system as described in the System Administration Guide.
Step 3 Proceed to the Configuring the System section.
Step 1
Step 3
Step 1
Step 2 Optional: Configure port maps as described in the Configuring Port Maps section.
Step 3 Optional: Configure host pools as described in the Configuring Host Pools section.
Step 4 Optional: Configure IMSI pools as described in the Configuring IMSI Pools section.
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15 Optional: Configure the default Firewall-and-NAT policy as described in the Configuring the Default Firewall-and-NAT Policy section.
Step 16
Step 17
Step 18
Step 20
Step 21
Step 22

Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
active-charging service <ecs_service_name> [ -noconfirm ]

Configuring Port Maps
active-charging service <ecs_service_name>
port-map <port_map_name> [ -noconfirm ]

Configuring Host Pools
active-charging service <ecs_service_name>
host-pool <host_pool_name> [ -noconfirm ]

Configuring IMSI Pools
active-charging service <ecs_service_name>
imsi-pool <imsi_pool_name> [ -noconfirm ]

Configuring Access Ruledefs
active-charging service <ecs_service_name>
access-ruledef <access_ruledef_name> [ -noconfirm ]
bearer 3gpp apn [ case-sensitive ] <operator> <value>
bearer username [ case-sensitive ] <operator> <user_name>
ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } }
tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
• Configuring access ruledefs involves the creation of several ruledefs with different sets of rules and parameters. For more information, see the Firewall Ruledef Configuration Mode Commands chapter of the Command Line Interface Reference.

Configuring NAT IP Pools/NAT IP Pool Groups

Configuring One-to-One NAT IP Pools/NAT IP Pool Groups
To create and configure a one-to-one NAT IP pool/NAT IP pool group, use the following configuration:
context <context_name> [ -noconfirm ]
ip pool <nat_pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] } + ] [ group-name <nat_pool_group_name> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ send-icmp-dest-unreachable ] [ send-nat-binding-update ] [ srp-activate ] + ]
ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
• Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
Configuring Many-to-One NAT IP Pools/NAT IP Pool Groups
To create and configure a many-to-one NAT IP pool/NAT IP pool group, use the following configuration:
context <context_name> [ -noconfirm ]
ip pool <nat_pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } napt-users-per-ip-address <users> [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] } + ] [ group-name <nat_pool_group_name> ] [ max-chunks-per-user <chunks> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ port-chunk-size <size> ] [ port-chunk-threshold <threshold> ] [ send-icmp-dest-unreachable ] [ send-nat-binding-update ] [ srp-activate ] + ]
ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
• Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
Configuring Firewall-and-NAT Policy
active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
nat policy nat-required default-nat-realm <nat_pool_name / nat_pool_group_name>
access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ nat-realm <nat_pool_name/nat_pool_group_name> | [ bypass-nat ] ] }
access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit [ bypass-nat | nat-realm <nat_pool_name/nat_pool_group_name> ] }
• The nat policy nat-required command enables NAT for all subscribers using the policy.
• Rule matching is done for the first packet of a flow. Only when no rule matches is the no-ruledef-matches configuration considered. The default setting for the uplink direction is “permit” and for the downlink direction “deny”.
access-rule no-ruledef-matches uplink action permit nat-realm <nat_pool_name/nat_pool_group_name>

active-charging service <ecs_service_name>
nat tcp-2msl-timeout <timeout>

active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name>
nat private-ip-flow-timeout <timeout>
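The first-packet rule evaluation described in the note above, as an added model that is not Cisco's code: access rules are tried in priority order, a permit may name a NAT realm or bypass NAT, and when nothing matches the per-direction no-ruledef-matches action applies (uplink permit, downlink deny by default). Ruledefs are reduced to predicates, and the pool and rule names are constructed; the fallback of a bare permit to the policy's default-nat-realm is an assumption.

```python
# Added model, not Cisco's code: first-packet access-rule evaluation of a
# Firewall-and-NAT policy. Ruledefs are reduced to predicates; names are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Packet:
    direction: str      # "uplink" (subscriber to Internet) or "downlink"
    protocol: str
    dst_port: int

@dataclass
class AccessRule:       # access-rule priority <n> access-ruledef <name> { deny | permit ... }
    priority: int
    ruledef: Callable[[Packet], bool]   # stands in for the named access-ruledef
    action: str                         # "permit" or "deny"
    nat_realm: Optional[str] = None     # permit nat-realm <pool>
    bypass_nat: bool = False            # permit bypass-nat

@dataclass
class FwNatPolicy:      # nat policy nat-required default-nat-realm <pool>
    default_nat_realm: str
    rules: list = field(default_factory=list)
    # access-rule no-ruledef-matches defaults: uplink permit, downlink deny
    no_match: dict = field(default_factory=lambda: {
        "uplink": ("permit", None, False), "downlink": ("deny", None, False)})

def _outcome(policy, action, realm, bypass):
    if action == "deny":
        return ("deny", None)
    if bypass:
        return ("permit", None)         # forwarded without translation
    # Assumption: a permit with no explicit realm uses the policy's default-nat-realm.
    return ("permit", realm or policy.default_nat_realm)

def evaluate(policy: FwNatPolicy, pkt: Packet):
    """Decide (action, nat_realm) on the first packet of a flow; lower priority value wins."""
    for rule in sorted(policy.rules, key=lambda r: r.priority):
        if rule.ruledef(pkt):
            return _outcome(policy, rule.action, rule.nat_realm, rule.bypass_nat)
    return _outcome(policy, *policy.no_match[pkt.direction])

def sample_policy():
    """Constructed policy: deny SMTP, send HTTPS through a second realm, bypass NAT for SIP."""
    return FwNatPolicy("natpool1", rules=[
        AccessRule(10, lambda p: p.protocol == "tcp" and p.dst_port == 25, "deny"),
        AccessRule(20, lambda p: p.protocol == "tcp" and p.dst_port == 443, "permit", nat_realm="natpool2"),
        AccessRule(30, lambda p: p.dst_port == 5060, "permit", bypass_nat=True),
    ])
```

Note that a downlink-initiated flow is denied only because nothing matched it; a rule that matches regardless of direction still permits it, which is worth checking when writing ruledefs for an inbound-blocking policy.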
• The no-flow-creation keyword specifies that no data session/flow-related information is created for downlink-initiated packets (from the Internet to the subscriber) while the downlink flow-recovery timer is running, but that the packets are still sent to the subscriber.

Enabling NAT for APN/Subscribers
context <context_name>
apn <apn_name>
fw-and-nat policy <fw_nat_policy_name>
• <fw_nat_policy_name> must be a valid Firewall-and-NAT policy in which NAT policy is enabled as described in the Configuring Firewall-and-NAT Policy section.
context <context_name>
fw-and-nat policy <fw_nat_policy_name>
• <fw_nat_policy_name> must be a valid Firewall-and-NAT policy in which NAT policy is enabled as described in the Configuring Firewall-and-NAT Policy section.
active-charging service <ecs_service_name>
rulebase <rulebase_name> [ -noconfirm ]
fw-and-nat default-policy <fw_nat_policy_name>

active-charging service <ecs_service_name>
ruledef <ruledef_name>
tcp either-port <operator> <value>

active-charging service <ecs_service_name>
rulebase <rulebase_name>
route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | pptp | rtsp | sip advanced | tftp }
• For RTSP ALG processing, in the rulebase, the rtp dynamic-flow-detection command must be configured.
• For SIP ALG processing, the advanced option must be configured to ensure that packets matching the routing rule will be routed to the SIP ALG for processing and not to the ECS SIP analyzer.
active-charging service <ecs_service_name>
idle-timeout alg-media <idle_timeout>
• The idle-timeout alg-media <idle_timeout> CLI command configures the Media Inactivity Timeout setting. The timeout is applied to the RTP and RTCP media flows created for SIP calls, and only to those flows that actually match the RTP and RTCP media pinholes created by the SIP ALG.

active-charging service <ecs_service_name>
edr-format <edr_format_name>
attribute sn-subscriber-nat-flow-ip priority <priority>

active-charging service <ecs_service_name>
udr-format <udr_format_name>
attribute sn-subscriber-nat-flow-ip priority <priority>

active-charging service <ecs_service_name>
edr-format <nbr_format_name>
attribute sn-correlation-id priority <priority>
attribute sn-fa-correlation-id priority <priority>
attribute radius-fa-nas-ip-address priority <priority>
attribute radius-fa-nas-identifier priority <priority>
attribute radius-user-name priority <priority>
attribute radius-calling-station-id priority <priority>
attribute sn-nat-ip priority <priority>
attribute sn-nat-port-block-start priority <priority>
attribute sn-nat-port-block-end priority <priority>
attribute sn-nat-binding-timer priority <priority>
attribute sn-nat-realm-name priority <priority>
attribute sn-nat-gmt-offset priority <priority>
fw-and-nat policy <fw_nat_policy_name>
nat binding-record edr-format <nbr_format_name> port-chunk-allocation port-chunk-release
• The NBR format name configured in the edr-format <nbr_format_name> and the nat binding-record edr-format <nbr_format_name> commands must be the same.

sample-interval <sample_interval>
transfer-interval <transfer_interval>
file <file_number>
remotefile format <format>
receiver <ip_address> primary mechanism { tftp | { ftp | sftp } login <login> encrypted password <password> }
nat-realm schema cumulativenatschema format "NAT-REALM Schema: cumulativenatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\n Total binding updates sent to AAA: %nat-bind-updates%\nTotal bytes transferred by realm: %nat-rlm-bytes-tx%\nTotal flows used by realm: %nat-rlm-flows%\nTotal flows denied IP: %nat-rlm-ip-denied%\nTotal flows denied ports: %nat-rlm-port-denied%\n-----------------------\n"
nat-realm schema snapshotnatschema format "NAT-REALM Schema: snapshotnatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\nTotal NAT public IP address: %nat-rlm-ttl-ips%\nCurrent NAT public IP address in use: %nat-rlm-ips-in-use%\nCurrent subscribers using realm: %nat-rlm-current-users%\nTotal port chunks: %nat-rlm-ttl-port-chunks%\nCurrent port chunks in use: %nat-rlm-chunks-in-use%\n-----------------------\n"
context <context_name>
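The many-to-one pool parameters (napt-users-per-ip-address, port-chunk-size, max-chunks-per-user) and the NAT binding record attributes configured above, as an added model that is not Cisco's code: a realm hands each subscriber port chunks on one public IP, emits a record per chunk allocation and release, and those records are what let an externally observed public IP and port be attributed back to a subscriber. Public addresses, chunk size and subscriber names are constructed, and carving ports 1024-65535 into fixed chunks is an assumption.

```python
# Added model, not Cisco's code, of many-to-one NAT port-chunk allocation and
# the binding records it emits; public IPs, chunk size and subscriber names are constructed.
from collections import defaultdict

class NaptPool:
    def __init__(self, realm, public_ips, users_per_ip, chunk_size, max_chunks_per_user):
        self.realm, self.users_per_ip, self.max_chunks = realm, users_per_ip, max_chunks_per_user
        # Assumption: ports 1024-65535 of each public IP are carved into fixed-size chunks.
        self.free = {ip: [(s, s + chunk_size - 1)
                          for s in range(1024, 65536 - chunk_size + 1, chunk_size)]
                     for ip in public_ips}
        self.user_ip = {}                # subscriber -> public IP (napt-users-per-ip-address)
        self.chunks = defaultdict(list)  # subscriber -> [(start, end), ...] (max-chunks-per-user)
        self.nbrs = []                   # NAT binding records, oldest first

    def _assign_ip(self, sub):
        for ip in self.free:             # first public IP with a free user slot and free chunks
            if list(self.user_ip.values()).count(ip) < self.users_per_ip and self.free[ip]:
                self.user_ip[sub] = ip
                return ip
        return None                      # realm exhausted

    def _record(self, event, sub, ip, start, end):   # the NBR attributes configured above
        self.nbrs.append({"event": event, "radius-user-name": sub, "sn-nat-ip": ip,
                          "sn-nat-port-block-start": start, "sn-nat-port-block-end": end,
                          "sn-nat-realm-name": self.realm})

    def allocate_chunk(self, sub):       # one more port chunk, or None when a limit is hit
        ip = self.user_ip.get(sub) or self._assign_ip(sub)
        if ip is None or len(self.chunks[sub]) >= self.max_chunks or not self.free[ip]:
            return None
        start, end = self.free[ip].pop(0)
        self.chunks[sub].append((start, end))
        self._record("port-chunk-allocation", sub, ip, start, end)
        return ip, start, end

    def release_all(self, sub):          # session end: return chunks, emit a release record each
        ip = self.user_ip.pop(sub, None)
        for start, end in self.chunks.pop(sub, []):
            self.free[ip].append((start, end))
            self._record("port-chunk-release", sub, ip, start, end)

def subscriber_for(nbrs, public_ip, port):
    """Replay the records to find who held public_ip:port at the end of the sequence."""
    owner = None
    for r in nbrs:
        if r["sn-nat-ip"] == public_ip and r["sn-nat-port-block-start"] <= port <= r["sn-nat-port-block-end"]:
            owner = r["radius-user-name"] if r["event"] == "port-chunk-allocation" else None
    return owner
```

Records are written per chunk allocation and release rather than per flow, so without the NBRs (or the per-flow sn-subscriber-nat-flow-ip attribute in EDRs/UDRs) a public IP and port seen by a third party cannot be tied back to a subscriber.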
• The threshold monitoring available-ip-pool-group command is required only if you are configuring IP pool thresholds. It is not required if you are only configuring the NAT port chunks usage threshold.
threshold poll ip-pool-used interval <interval>
context <context_name>
• Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context.
• The thresholds configured for an individual NAT IP pool using the alert-threshold keyword take priority, i.e., they override the context-wide configuration above.

This is a licensed feature requiring the [600-00-7871] NAT Bypass license. For more information please contact your local sales representative.
context <context_name>
apn <apn_name>
secondary ip pool <pool_name>
busyout ip pool name <private_pool_name>
• The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
context <context_name>
secondary ip pool <pool_name>
busyout ip pool name <private_pool_name>
• The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.

update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]

To save changes to the configuration, see the Verifying and Saving Your Configuration chapter.
show active-charging nat statistics nat-realm <nat_pool_name>
show active-charging nat statistics nat-realm <pool_group_name>
show active-charging fw-and-nat policy statistics name <fw_nat_policy_name>
show active-charging rulebase statistics name <rulebase_name>
show active-charging flows nat required nat-ip <nat_ip_address>
show subscribers nat required nat-ip <nat_ip_address>
show subscribers nat required nat-realm <nat_pool_name>
Cisco Systems Inc.