This chapter describes how to configure the Network Address Translation (NAT) in-line service feature.

Configuring NAT

Enabling the ECS Subsystem and Creating the ECS Service

To enable the ECS subsystem and create the enhanced charging service, use the following configuration:
configure
require active-charging
active-charging service <ecs_service_name> [ -noconfirm ]
end

Configuring Port Maps

This is an optional configuration. To create and configure an application-port map for TCP and UDP protocols, use the following configuration:
configure
active-charging service <ecs_service_name>
port-map <port_map_name> [ -noconfirm ]
port { <port_number> | range <start_port> to <end_port> }
end
Notes:
- A maximum of 256 host pools, IMSI pools, and port maps each, and a combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + access ruledefs + routing ruledefs) can be created in a system.
- Port maps, host pools, IMSI pools, and charging, access, and routing ruledefs must each have unique names.
- A maximum of 10 entries can be configured in each port map.

Configuring Host Pools

This is an optional configuration. To create and configure a host pool, use the following configuration:
configure
active-charging service <ecs_service_name>
host-pool <host_pool_name> [ -noconfirm ]
ip { <ip_address> | <ip_address/mask> | range <start_ip_address> to <end_ip_address> }
end
Notes:
- A maximum of 256 host pools, IMSI pools, and port maps each, and a combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + access ruledefs + routing ruledefs) can be created in a system.
- Port maps, host pools, IMSI pools, and charging, access, and routing ruledefs must each have unique names.
- A maximum of 10 entries can be configured in each host pool.

Configuring IMSI Pools

This is an optional configuration. To create and configure an IMSI pool, use the following configuration:
configure
active-charging service <ecs_service_name>
imsi-pool <imsi_pool_name> [ -noconfirm ]
imsi { <imsi_number> | range <start_imsi> to <end_imsi> }
end
Notes:
- A maximum of 256 host pools, IMSI pools, and port maps each, and a combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + access ruledefs + routing ruledefs) can be created in a system.
- Port maps, host pools, IMSI pools, and charging, access, and routing ruledefs must each have unique names.
- A maximum of 10 entries can be configured in each port map.

Configuring Access Ruledefs

To create and configure an access rule definition, use the following configuration:
configure
active-charging service <ecs_service_name>
access-ruledef <access_ruledef_name> [ -noconfirm ]
bearer 3gpp apn [ case-sensitive ] <operator> <value>
bearer 3gpp imsi { <operator> <msid> | { !range | range } imsi-pool <imsi_pool> }
bearer username [ case-sensitive ] <operator> <user_name>
icmp { any-match <operator> <condition> | code <operator> <code> | type <operator> <type> }
ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } } }
tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
create-log-record
end
Notes:
- If the source IP address is not configured, then it is treated as any source IP.
- If the destination IP address is not configured, then it is treated as any destination IP.
- If the source port is not configured, then it is treated as any source port.
- If the destination port is not configured, then it is treated as any destination port.
- If no protocol is specified, then it is treated as any protocol.
- If both uplink and downlink fields are not configured, then the rule will be treated as either direction, i.e. packets from any direction will match that rule.
- Access ruledefs are different from enhanced charging service ruledefs. A combined maximum of 4096 rules (host pools, IMSI pools, port maps, and access, charging, and routing ruledefs) can be created in a system. A combined maximum of 2048 access and charging ruledefs can be created in a system.
- Configuring access ruledefs involves the creation of several ruledefs with different sets of rules and parameters. For more information, see the Firewall Ruledef Configuration Mode Commands chapter of the Command Line Interface Reference.

Configuring NAT IP Pools/NAT IP Pool Groups

This section describes how to create and configure NAT IP pools/NAT IP pool groups.
The following topics are covered in this section:
- Configuring One-to-One NAT Realm
- Configuring Many-to-One NAT Realm

Configuring One-to-One NAT IP Pools/NAT IP Pool Groups

To create and configure a one-to-one NAT IP pool/NAT IP pool group, use the following configuration:
configure
context <context_name> [ -noconfirm ]
ip pool <nat_pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } nat-one-to-one [ [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] } + ] [ group-name <nat_pool_group_name> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ send-icmp-dest-unreachable ] [ send-nat-binding-update ] [ srp-activate ] + ]
ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
end
Notes:
- Within a context, all IP pool and NAT IP pool and NAT IP pool group names must be unique.
- IP pool and NAT IP pool and NAT IP pool group names are case sensitive.
- The IP addresses configured in the NAT IP pools within a context must not overlap. At any time, within a context, a NAT IP address must be configured in any one NAT IP pool.
- The IP addresses in a NAT IP pool may be contiguous, and must be assignable as a subnet or a range that constitutes less than an entire subnet.
- For many-to-one NAT IP pools, the default NAT Binding Timer value is 60 seconds. For one-to-one NAT IP pools, by default the feature is disabled: the IP addresses/port-chunks once allocated will never be freed.
- Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
- Not-on-demand allocation mode is the default NAT IP Address Allocation mode.
- To add a NAT IP pool to a NAT IP pool group, use the group-name <nat_pool_group_name> option. NAT IP pool and NAT IP pool group names must be unique. When configuring a NAT IP pool group, note that only those NAT IP pools that have similar characteristics can be grouped together. The similarity is determined by the “nat-one-to-one” and “on-demand” parameters. Dissimilar NAT IP pools cannot be grouped together. It is recommended that for each NAT IP pool in a NAT IP pool group the other parameters (“nat-binding-timer”, “send-nat-binding-update”, “nexthop-forwarding-address”, “send-icmp-dest-unreachable”, and “srp-activate”) also be configured with the same values, so that the NAT behavior is predictable across all NAT IP pools in that NAT IP pool group. The NAT IP pool from which a NAT IP address is assigned will determine the actual values to use for all parameters.
- It is recommended that in a Firewall-and-NAT policy all the realms configured either be NAT IP pools or NAT IP pool groups. If both NAT IP pool(s) and NAT IP pool group(s) are configured, ensure that none of the NAT IP pool(s) are also included in the NAT IP pool group.

Configuring Many-to-One NAT IP Pools/NAT IP Pool Groups

To create and configure a many-to-one NAT IP pool/NAT IP pool group, use the following configuration:
configure
context <context_name> [ -noconfirm ]
ip pool <nat_pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } napt-users-per-ip-address <users> [ [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] } + ] [ group-name <nat_pool_group_name> ] [ max-chunks-per-user <chunks> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ port-chunk-size <size> ] [ port-chunk-threshold <threshold> ] [ send-icmp-dest-unreachable ] [ send-nat-binding-update ] [ srp-activate ] + ]
ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
end
Notes:
- Within a context, all IP pool and NAT IP pool and NAT IP pool group names must be unique.
- IP pool and NAT IP pool and NAT IP pool group names are case sensitive.
- The IP addresses configured in the NAT IP pools within a context must not overlap. At any time, within a context, a NAT IP address must be configured in any one NAT IP pool.
- The IP addresses in a NAT IP pool may be contiguous, and must be assignable as a subnet or a range that constitutes less than an entire subnet.
- For many-to-one NAT IP pools, the default NAT Binding Timer value is 60 seconds. For one-to-one NAT IP pools, by default the feature is disabled: the IP addresses/port-chunks once allocated will never be freed.
- Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
- Not-on-demand allocation mode is the default NAT IP Address Allocation mode.
- To add a NAT IP pool to a NAT IP pool group, use the group-name <nat_pool_group_name> option. NAT IP pool and NAT IP pool group names must be unique. When configuring a NAT IP pool group, note that only those NAT IP pools that have similar characteristics can be grouped together. The similarity is determined by the “napt-users-per-ip-address <users>”, “on-demand”, and “port-chunk-size” parameters. Dissimilar NAT IP pools cannot be grouped together. It is recommended that for each NAT IP pool in a NAT IP pool group the other parameters (“nat-binding-timer”, “send-nat-binding-update”, “nexthop-forwarding-address”, “send-icmp-dest-unreachable”, “srp-activate”, and “port-chunk-threshold”) also be configured with the same values, so that the NAT behavior is predictable across all NAT IP pools in that NAT IP pool group. The NAT IP pool from which a NAT IP address is assigned will determine the actual values to use for all parameters.
- It is recommended that in a Firewall-and-NAT policy all the realms configured either be NAT IP pools or NAT IP pool groups. If both NAT IP pool(s) and NAT IP pool group(s) are configured, ensure that none of the NAT IP pool(s) are also included in the NAT IP pool group.

Configuring Firewall-and-NAT Policies

To create and configure a Firewall-and-NAT Policy, use the following configuration:
configure
active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
nat policy [ ipv4-and-ipv6 | ipv4-only | ipv6-only ] [ default-nat-realm <nat_realm_name> [ fw-and-nat-action <action_name> ] ]
access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ nat-realm <nat_pool_name/nat_pool_group_name> | [ bypass-nat ] ] }
access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit [ bypass-nat | nat-realm <nat_pool_name/nat_pool_group_name> ] }
end
Notes:
- In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based configurations, whereas in later UMTS releases NAT used policy-based configurations. In StarOS 9.0 and later releases, NAT for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.
- In 12.1 and earlier releases: The nat policy nat-required command enables NAT44 for all subscribers using the policy. This keyword is supported in release 12.2 for backward compatibility.
- Duplicate ruledef names or priorities are not allowed in the same rulebase.
- A maximum of three NAT IP pools/NAT IP pool groups can be configured in a policy. A subscriber can be allocated only one NAT IP address per NAT IP pool/NAT IP pool group from a maximum of three pools/pool groups. Hence, at any time, there can only be a maximum of three NAT IP addresses allocated to a subscriber.
- It is recommended that in a Firewall-and-NAT policy all the realms configured either be NAT IP pools or NAT IP pool groups. If both NAT IP pool(s) and NAT IP pool group(s) are configured, ensure that a NAT IP pool is not a part of a NAT IP pool group.
- NAT is applied only to packets in the uplink direction.
- Rule matching is done for the first packet of a flow. Only when no rules match is the no-ruledef-matches configuration considered. The default setting for the uplink direction is “permit”, and for the downlink direction “deny”.
- If there are no rules matching a packet, then the NAT IP pool/NAT IP pool group to be used for the flow is taken from the following configuration:
access-rule no-ruledef-matches uplink action permit nat-realm <nat_pool_name/nat_pool_group_name>
- If there is no NAT IP pool/NAT IP pool group name configured in the matching access ruledef, NAT will be bypassed, i.e., NAT will not be applied to the flow.

Configuring Firewall-and-NAT Action

To create and configure a Firewall-and-NAT Action, use the following configuration:
configure
active-charging service <acs_service_name>
fw-and-nat action <fw_nat_action_name> [ -noconfirm ]
flow check-point [ data-usage <data_usage> [ and | or ] | time-duration <duration> [ and | or ] ]
end

Configuring Action on NAT IP Address/Port Allocation Failure

To configure sending ICMP error messages in the event of NAT IP address/port allocation failure, use the following configuration:
configure
active-charging service <acs_service_name>
nat allocation-failure send-icmp-dest-unreachable
end

Configuring Action on Packets During NAT IP Allocation

To configure the action to take on packets while NAT IP/NPU allocation is in progress, use the following configuration:
configure
active-charging service <ecs_service_name>
nat allocation-in-progress { buffer | drop }
end
Notes:
- In on-demand NAT IP allocation (wherein a NAT IP address is allocated to the subscriber when a packet is being sent), if no free NAT IP address is available, a NAT-IP Alloc Request is sent to the VPNMgr to get a NAT IP. During that time packets are dropped. This command specifies whether to buffer or drop the packets received while the IP Alloc Request to the VPNMgr is pending.

Configuring NAT TCP-2msl-timeout Setting

To configure the NAT TCP 2msl Timeout setting, use the following configuration:
configure
active-charging service <ecs_service_name>
nat tcp-2msl-timeout <timeout>
end

Configuring Action on TCP Idle Timeout

To configure the action to take on TCP idle timeout expiry for NAT flows, use the following configuration:
configure
active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name>
firewall tcp-idle-timeout-action { drop | reset }
end

Configuring Private IP NPU Flow Timeout Setting

To configure the Private IP NPU Flow Timeout setting, use the following configuration:
configure
active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name>
nat private-ip-flow-timeout <timeout>
end
Notes:
- By default, for NAT-enabled calls the downlink private IP NPU flow will not be installed at call setup for a subscriber session. The flow will only be installed for uplink traffic on demand. When there is no traffic on the private flow, the private IP flow will be removed after the configurable timeout period.
- Downlink traffic will be dropped once the flow has been deleted at the end of the configurable timeout period.

Configuring Flow Recovery

To configure Flow Recovery parameters for NAT flows, use the following configuration:
configure
active-charging service <ecs_service_name>
firewall flow-recovery { downlink | uplink } [ [ no-flow-creation ] [ timeout <timeout> ] + ]
end
Notes:
- The no-flow-creation keyword specifies not to create data session/flow-related information for downlink-initiated packets (from the Internet to the subscriber) while the downlink flow-recovery timer is running, but to forward them to the subscriber.

Configuring Flow-mapping Timeout

To configure the flow-mapping timeout, use the following configuration in either of the two modes: Active Charging Service Configuration mode and ACS Charging Action Configuration mode.
In ACS Configuration mode:
configure
active-charging service <acs_service_name>
idle-timeout flow-mapping { tcp | udp } <timeout>
end
In ACS Charging Action Configuration mode:
configure
active-charging service <acs_service_name>
charging-action <charging_action_name>
flow idle-timeout flow-mapping <flow_timeout>
end
Notes:
- The value configured in the charging action takes precedence over the value configured in the ACS service mode. In global mode (ACS Configuration mode), the default values are different for TCP and UDP.
- Even if the flow-mapping timeout is configured inside a charging action, if the flow that matched the charging action was not a TCP or a UDP flow, then the Mapping timer will not be triggered for the flow.

Enabling NAT for APN/Subscribers

This section describes how to enable NAT support for APN/subscribers.
The following topics are covered in this section:
- Enabling NAT for APN
- Enabling NAT for Subscribers

Enabling NAT for APN

To configure the Firewall-and-NAT Policy within an APN, use the following configuration:
IMPORTANT: This configuration is only applicable to UMTS networks.
configure
context <context_name>
apn <apn_name>
fw-and-nat policy <fw_nat_policy_name>
end
Notes:
- <fw_nat_policy_name> must be a valid Firewall-and-NAT policy in which NAT policy is enabled as described in the Configuring Firewall-and-NAT Policy section.
- To specify that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers who use this APN, in the APN Configuration Mode, apply the following command: default fw-and-nat policy

Enabling NAT for Subscribers

To configure the Firewall-and-NAT Policy in a subscriber template, use the following configuration:
configure
context <context_name>
subscriber default
fw-and-nat policy <fw_nat_policy_name>
end
Notes:
- <fw_nat_policy_name> must be a valid Firewall-and-NAT policy in which NAT policy is enabled as described in the Configuring Firewall-and-NAT Policy section.
- To specify that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers, in the Subscriber Configuration Mode, apply the following command: default fw-and-nat policy

Configuring the Default Firewall-and-NAT Policy

This is an optional configuration to specify a default Firewall-and-NAT policy to use if in the APN/subscriber configurations the following command is configured:
default fw-and-nat policy
To create a rulebase and configure a default Firewall-and-NAT policy in it, use the following configuration:
configure
active-charging service <ecs_service_name>
rulebase <rulebase_name> [ -noconfirm ]
fw-and-nat default-policy <fw_nat_policy_name>
end
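The following is an added worked example, not part of the original guide, that ties together the procedures above (ECS service, port map, host pool, access ruledefs, many-to-one NAT IP pools in a pool group, Firewall-and-NAT policy, rulebase default policy, and APN binding) into one configuration. All names (isp, ecs1, nat-grp-1, nat-policy-1, internet.example and so on), addresses, and numeric values are constructed sample values; lines beginning with # are explanatory comments. The point worth checking in any such policy is the last uplink catch-all: because the uplink default is permit, and permit without a nat-realm means NAT bypass, an unmatched uplink flow would otherwise leave with the subscriber's private address.

```text
configure
  context isp
    # Subscriber address pool (the "public" pool that subscribers are assigned from)
    ip pool subs-pool 10.1.0.0/16 public 0
    # Two many-to-one NAT IP pools in one pool group. napt-users-per-ip-address,
    # on-demand and port-chunk-size are identical because the group requires it;
    # nat-binding-timer and port-chunk-threshold are kept identical as recommended.
    ip pool nat-pool-a 198.51.100.0/25 napt-users-per-ip-address 32 port-chunk-size 64 port-chunk-threshold 80 nat-binding-timer 60 on-demand group-name nat-grp-1 send-icmp-dest-unreachable
    ip pool nat-pool-b 198.51.100.128/25 napt-users-per-ip-address 32 port-chunk-size 64 port-chunk-threshold 80 nat-binding-timer 60 on-demand group-name nat-grp-1 send-icmp-dest-unreachable
    exit
  require active-charging
  active-charging service ecs1
    port-map web-ports
      port 80
      port 443
      port range 8080 to 8088
      exit
    host-pool operator-dns
      ip 203.0.113.10
      ip 203.0.113.11
      exit
    # Uplink DNS to the operator's own resolvers: permitted without NAT
    access-ruledef dns-to-operator
      ip uplink = TRUE
      ip protocol = udp
      ip dst-address range host-pool operator-dns
      udp dst-port = 53
      exit
    # Uplink web traffic: NATted from the pool group
    access-ruledef web-uplink
      ip uplink = TRUE
      ip protocol = tcp
      tcp dst-port range port-map web-ports
      exit
    fw-and-nat policy nat-policy-1
      nat policy ipv4-only default-nat-realm nat-grp-1
      access-rule priority 10 access-ruledef dns-to-operator permit bypass-nat
      access-rule priority 20 access-ruledef web-uplink permit nat-realm nat-grp-1
      # Catch-all for uplink flows that match no ruledef: still NAT them.
      # Without nat-realm here the default "permit" would bypass NAT.
      access-rule no-ruledef-matches uplink action permit nat-realm nat-grp-1
      # Downlink-initiated flows that match nothing are denied (the default, made explicit)
      access-rule no-ruledef-matches downlink action deny
      firewall tcp-idle-timeout-action reset
      nat private-ip-flow-timeout 180
      exit
    # Service-wide NAT behaviour: ICMP on allocation failure, buffer while allocating
    nat allocation-failure send-icmp-dest-unreachable
    nat allocation-in-progress buffer
    # Fallback policy for APNs/subscriber templates that use "default fw-and-nat policy"
    rulebase rb-internet
      fw-and-nat default-policy nat-policy-1
      exit
    exit
  context isp
    apn internet.example
      fw-and-nat policy nat-policy-1
      exit
    exit
  end
```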

Configuring NAT Application Level Gateways/Dynamic Pinholes

This section describes how to configure routing rules to open up dynamic pinholes for Application Level Gateway (ALG) functionality.
The following topics are covered in this section:
- Creating Routing Ruledefs
- Configuring Routing Ruledefs in Rulebase
- Enabling NAT ALG

Creating Routing Ruledefs

To configure ECS routing rules for FTP and RTSP protocols, use the following configuration:
configure
active-charging service <ecs_service_name>
ruledef <ruledef_name>
tcp either-port <operator> <value>
rule-application routing
end
Notes:
- Create a separate routing ruledef for each protocol.

Configuring Routing Ruledefs in Rulebase

To configure the routing ruledefs in the rulebase, use the following configuration:
configure
active-charging service <ecs_service_name>
rulebase <rulebase_name>
route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | h323 | pptp | rtsp | sip advanced | tftp }
rtp dynamic-flow-detection
end
Notes:
- Add each routing ruledef as a separate route priority.
- If PPTP ALG is enabled, NAT is supported for GREv1 flows that are generated by PPTP.
- For RTSP ALG processing, in the rulebase, the rtp dynamic-flow-detection command must be configured.
- For SIP ALG processing, the advanced option must be configured to ensure that packets matching the routing rule will be routed to the SIP ALG for processing and not to the ECS SIP analyzer.

Enabling NAT ALG

To enable NAT ALGs, use the following configuration:
configure
active-charging service <ecs_service_name>
firewall nat-alg { all | ftp | h323 | pptp | rtsp | sip }
idle-timeout alg-media <idle_timeout>
end
Notes:
- If enabled, in the rulebase, a routing rule for the protocol must be configured. For example:
route priority 1 ruledef ftp analyzer ftp-control
route priority 2 ruledef rtsp analyzer rtsp
- For RTSP NAT ALG processing, in the rulebase, the following command must be configured:
rtp dynamic-flow-detection
- The idle-timeout alg-media <idle_timeout> CLI command configures the Media Inactivity Timeout setting. The timeout gets applied on RTP and RTCP media flows that are created for SIP calls. The timeout is applied only on those flows that actually match the RTP and RTCP media pinholes that are created by the SIP ALG.
- Configuration changes are only applied to new flows.

Configuring EDR Format

To configure the EDR format for NAT-specific attributes, use the following configuration:
configure
active-charging service <ecs_service_name>
edr-format <edr_format_name>
attribute sn-nat-subscribers-per-ip-address priority <priority>
attribute sn-subscriber-nat-flow-ip priority <priority>
attribute sn-subscriber-nat-flow-port priority <priority>
end

Configuring UDR Format

To configure the UDR format for NAT-specific attributes, use the following configuration:
configure
active-charging service <ecs_service_name>
udr-format <udr_format_name>
attribute sn-subscriber-nat-flow-ip priority <priority>
end

Configuring NAT Binding Record Format

To configure the NBR format, use the following configuration:
configure
active-charging service <ecs_service_name>
edr-format <nbr_format_name>
attribute sn-correlation-id priority <priority>
rule-variable ip subscriber-ip-address priority <priority>
rule-variable bearer 3gpp charging-id priority <priority>
rule-variable bearer 3gpp sgsn-address priority <priority>
rule-variable bearer ggsn-address priority <priority>
rule-variable bearer 3gpp imsi priority <priority>
attribute sn-fa-correlation-id priority <priority>
attribute radius-fa-nas-ip-address priority <priority>
attribute radius-fa-nas-identifier priority <priority>
attribute radius-user-name priority <priority>
attribute radius-calling-station-id priority <priority>
attribute sn-nat-ip priority <priority>
attribute sn-nat-port-block-start priority <priority>
attribute sn-nat-port-block-end priority <priority>
attribute sn-nat-binding-timer priority <priority>
attribute sn-nat-subscribers-per-ip-address priority <priority>
attribute sn-nat-realm-name priority <priority>
attribute sn-nat-gmt-offset priority <priority>
attribute sn-nat-port-chunk-alloc-dealloc-flag priority <priority>
attribute sn-nat-port-chunk-alloc-time-gmt priority <priority>
attribute sn-nat-port-chunk-dealloc-time-gmt priority <priority>
attribute sn-nat-last-activity-time-gmt priority <priority>
exit
fw-and-nat policy <fw_nat_policy_name>
nat binding-record edr-format <nbr_format_name> port-chunk-allocation port-chunk-release
end
Notes:
- The NBR format name configured in the edr-format <nbr_format_name> and the nat binding-record edr-format <nbr_format_name> commands must be the same.

Configuring Bulkstats Collection

To configure NAT realm bulk statistics collection, use the following configuration:
configure
bulkstats collection
bulkstats historical collection
bulkstats mode
sample-interval <sample_interval>
transfer-interval <transfer_interval>
file <file_number>
remotefile format <format>
receiver <ip_address> primary mechanism { tftp | { ftp | sftp } login <login> encrypted password <password> }
exit
nat-realm schema <schema_name> format <format_string>
end
The following is a sample configuration for cumulative bulkstats collection:
nat-realm schema cumulativenatschema format "NAT-REALM Schema: cumulativenatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\nTotal binding updates sent to AAA: %nat-bind-updates%\nTotal bytes transferred by realm: %nat-rlm-bytes-tx%\nTotal flows used by realm: %nat-rlm-flows%\nTotal flows denied IP: %nat-rlm-ip-denied%\nTotal flows denied ports: %nat-rlm-port-denied%\n-----------------------\n"
The following is a sample configuration for snapshot bulkstats collection:
nat-realm schema snapshotnatschema format "NAT-REALM Schema: snapshotnatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\nTotal NAT public IP address: %nat-rlm-ttl-ips%\nCurrent NAT public IP address in use: %nat-rlm-ips-in-use%\nCurrent subscribers using realm: %nat-rlm-current-users%\nTotal port chunks: %nat-rlm-ttl-port-chunks%\nCurrent port chunks in use: %nat-rlm-chunks-in-use%\n-----------------------\n"

Configuring NAT Thresholds

This section describes how to configure NAT thresholds.
The following topics are covered in this section:
- Enabling Thresholds
- Configuring Threshold Poll Interval
- Configuring Threshold Limits
- Enabling SNMP Notifications

Enabling Thresholds

To enable thresholds, use the following configuration:
configure
threshold monitoring firewall
context <context_name>
threshold monitoring available-ip-pool-group
end
Notes:
- The threshold monitoring available-ip-pool-group command is required only if you are configuring IP pool thresholds. It is not required if you are only configuring the NAT port chunks usage threshold.

Configuring Threshold Poll Interval

To configure the threshold polling interval, use the following configuration:
configure
threshold poll ip-pool-used interval <interval>
threshold poll nat-port-chunks-usage interval <interval>
end

Configuring Threshold Limits

To configure threshold limits, use the following configuration:
configure
context <context_name>
threshold ip-pool-free <high_threshold> clear <low_threshold>
threshold ip-pool-hold <high_threshold> clear <low_threshold>
threshold ip-pool-release <high_threshold> clear <low_threshold>
threshold ip-pool-used <high_threshold> clear <low_threshold>
exit
threshold nat-port-chunks-usage <high_threshold> clear <low_threshold>
end
Notes:
- Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context.
- The thresholds configured for an individual NAT IP pool using the alert-threshold keyword take priority, i.e., they override the context-wide configuration above.

Enabling SNMP Notifications

To enable SNMP notifications, use the following configuration:
configure
snmp trap { enable | suppress } { ThreshNATPortChunksUsage | ThreshClearNATPortChunksUsage }
snmp trap { enable | suppress } { ThreshIPPoolUsed | ThreshIPPoolFree | ThreshIPPoolRelease | ThreshIPPoolHold | ThreshClearIPPoolUsed }
end

Backing Out of NAT

NAT backout is a licensed feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.

Configuring NAT Backout for APN

To configure a secondary IP pool that is not overwritten by the RADIUS-supplied list, use the following configuration. The secondary pool configured will be appended to the RADIUS-supplied IP pool list or the APN-provided IP pool list, whichever is applicable during call setup.
IMPORTANT: This configuration is only applicable to UMTS networks.
configure
context <context_name>
apn <apn_name>
secondary ip pool <pool_name>
exit
busyout ip pool name <private_pool_name>
end
Notes:
- The secondary ip pool <pool_name> command is license dependent.
- The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.

Configuring NAT Backout for Subscribers

To configure a secondary IP pool that is not overwritten by the RADIUS-supplied list, use the following configuration. The secondary pool configured will be appended to the RADIUS-supplied IP pool list or the subscriber-template-provided IP pool list, whichever is applicable during call setup.
configure
context <context_name>
subscriber default
secondary ip pool <pool_name>
exit
busyout ip pool name <private_pool_name>
end
Notes:
- The secondary ip pool <pool_name> command is license dependent.
- The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.

Changing Firewall-and-NAT Policy in Mid-session

To change the Firewall-and-NAT policy in mid-session, use the following configuration:
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]
Notes:
- To be able to change the Firewall-and-NAT policy in mid-session, Firewall-and-NAT must have been enabled for the subscriber in the APN/Subscriber template configuration, or in the rulebase (the default policy) during call setup.
- The above command takes effect only for current calls. For new calls, the RADIUS-returned/APN/subscriber template/rulebase-configured policy is used.