22. Optional: Configure a secondary IP pool, which is not overwritten by the RADIUS supplied list, as described in the Backing Out of NAT section.
active-charging service <service_name> [ -noconfirm ]
active-charging service <service_name>
   port-map <port_map_name> [ -noconfirm ]
      port { <port_number> | range <start_port> to <end_port> }
active-charging service <service_name>
   host-pool <host_pool_name> [ -noconfirm ]
      ip { <ip_address> | <ip_address/mask> | range <start_ip_address> to <end_ip_address> }
active-charging service <service_name>
   imsi-pool <imsi_pool_name> [ -noconfirm ]
      imsi { <imsi_number> | range <start_imsi> to <end_imsi> }
active-charging service <service_name>
   access-ruledef <access_ruledef_name> [ -noconfirm ]
      bearer apn [ case-sensitive ] <operator> <value>
      bearer imsi { <operator> <msid> | { !range | range } imsi-pool <imsi_pool_name> }
      bearer username [ case-sensitive ] <operator> <user_name>
      icmp { any-match <operator> <condition> | code <operator> <code> | type <operator> <type> }
      ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } }
      tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <from_range> to <end_range> | port-map <port_map_name> } } }
      udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <from_range> to <end_range> | port-map <port_map_name> } } }
context <context_name> [ -noconfirm ]
   ip pool <nat_realm_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } nat-one-to-one [ alert-threshold [ { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] + ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ send-nat-binding-update ] [ srp-activate ] + ]
   ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
context <context_name> [ -noconfirm ]
   ip pool <nat_realm_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } napt-users-per-ip-address <users> [ alert-threshold [ { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] + ] [ max-chunks-per-user <chunks> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ port-chunk-size <size> ] [ port-chunk-threshold <threshold> ] [ send-nat-binding-update ] [ srp-activate ] + ]
   ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
active-charging service <service_name>
   fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
      nat policy nat-required default-nat-realm <nat_realm_name>
      access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ nat-realm <nat_realm_name> | [ bypass-nat ] ] }
      access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit [ bypass-nat | nat-realm <nat_realm_name> ] }
The nat policy nat-required command enables NAT for all subscribers using the policy.
active-charging service <service_name>
   nat allocation-failure send-icmp-dest-unreachable
active-charging service <service_name>
   nat allocation-in-progress { buffer | drop }
active-charging service <service_name>
   nat tcp-2msl-timeout <timeout>
active-charging service <service_name>
   fw-and-nat policy <fw_nat_policy_name>
      firewall tcp-idle-timeout-action { drop | reset }
active-charging service <service_name>
   fw-and-nat policy <fw_nat_policy_name>
      nat private-ip-flow-timeout <timeout>
active-charging service <service_name>
   firewall flow-recovery { downlink | uplink } [ timeout <timeout> ]
fw-and-nat policy <fw_nat_policy_name>
fw-and-nat policy <fw_nat_policy_name>
active-charging service <service_name>
   rulebase <rulebase_name> [ -noconfirm ]
      fw-and-nat default-policy <fw_nat_policy_name>
active-charging service <service_name>
   tcp either-port <operator> <value>
active-charging service <service_name>
   route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | rtsp }
   rtp dynamic-flow-detection
active-charging service <service_name>
   firewall nat-alg { all | ftp | rtsp }
active-charging service <service_name>
   edr-format <edr_format_name>
      attribute sn-nat-subscribers-per-ip-address priority <priority>
      attribute sn-subscriber-nat-flow-ip priority <priority>
      attribute sn-subscriber-nat-flow-port priority <priority>
active-charging service <service_name>
   udr-format <udr_format_name>
      attribute sn-subscriber-nat-flow-ip priority <priority>
active-charging service <service_name>
   edr-format <nbr_format_name>
      attribute sn-correlation-id priority <priority>
      rule-variable ip subscriber-ip-address priority <priority>
      attribute sn-fa-correlation-id priority <priority>
      attribute radius-fa-nas-ip-address priority <priority>
      attribute radius-fa-nas-identifier priority <priority>
      attribute radius-user-name priority <priority>
      attribute radius-calling-station-id priority <priority>
      attribute sn-nat-ip priority <priority>
      attribute sn-nat-port-block-start priority <priority>
      attribute sn-nat-port-block-end priority <priority>
      attribute sn-nat-binding-timer priority <priority>
      attribute sn-nat-subscribers-per-ip-address priority <priority>
      attribute sn-nat-realm-name priority <priority>
      attribute sn-nat-gmt-offset priority <priority>
      attribute sn-nat-port-chunk-alloc-dealloc-flag priority <priority>
      attribute sn-nat-port-chunk-alloc-time-gmt priority <priority>
      attribute sn-nat-port-chunk-dealloc-time-gmt priority <priority>
      attribute sn-nat-last-activity-time-gmt priority <priority>
   fw-and-nat policy <fw_nat_policy_name>
      nat binding-record edr-format <nbr_format_name> port-chunk-allocation port-chunk-release
bulkstats historical collection
sample-interval <sample_interval>
transfer-interval <transfer_interval>
remotefile format <format>
receiver <ip_address> primary mechanism { tftp | { ftp | sftp } login <login> encrypted password <password> }
nat-realm schema <schema_name> format <format_string>
nat-realm schema cumulativenatschema format "NAT-REALM Schema: cumulativenatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\n Total binding updates sent to AAA: %nat-bind-updates%\nTotal bytes transferred by realm: %nat-rlm-bytes-tx%\nTotal flows used by realm: %nat-rlm-flows%\nTotal flows denied IP: %nat-rlm-ip-denied%\nTotal flows denied ports: %nat-rlm-port-denied%\n-----------------------\n"
nat-realm schema snapshotnatschema format "NAT-REALM Schema: snapshotnatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\nTotal NAT public IP address: %nat-rlm-ttl-ips%\nCurrent NAT public IP address in use: %nat-rlm-ips-in-use%\nCurrent subscribers using realm: %nat-rlm-current-users%\nTotal port chunks: %nat-rlm-ttl-port-chunks%\nCurrent port chunks in use: %nat-rlm-chunks-in-use%\n-----------------------\n"
threshold monitoring firewall
threshold monitoring available-ip-pool-group
threshold poll ip-pool-used interval <interval>
threshold poll nat-port-chunks-usage interval <interval>
threshold ip-pool-free <high_thresh> [ clear <low_thresh> ]
threshold ip-pool-hold <high_thresh> [ clear <low_thresh> ]
threshold ip-pool-release <high_thresh> [ clear <low_thresh> ]
threshold ip-pool-used <high_thresh> [ clear <low_thresh> ]
threshold nat-port-chunks-usage <high_thresh> [ clear <low_thresh> ]
snmp trap { enable | suppress } { ThreshNATPortChunksUsage | ThreshClearNATPortChunksUsage }
snmp trap { enable | suppress } { ThreshIPPoolUsed | ThreshIPPoolFree | ThreshIPPoolRelease | ThreshIPPoolHold | ThreshClearIPPoolUsed }
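Added example, not part of the original guide: Python that parses bulkstats records rendered with the snapshotnatschema format string shown above and replays port-chunk utilisation against a high/clear pair such as the one given to threshold nat-port-chunks-usage. The raise-at-high, clear-below-low alarm model, the function names and the sample values are assumptions of this example.

```python
import re
# Labels are taken from the snapshotnatschema format string on this page.
FIELDS = {
    "Realm Name": "realm",
    "Total NAT public IP address": "ips_total",
    "Current NAT public IP address in use": "ips_used",
    "Current subscribers using realm": "users",
    "Total port chunks": "chunks_total",
    "Current port chunks in use": "chunks_used",
}

def parse_snapshots(text):
    """Return one dict per snapshotnatschema record in a bulkstats file."""
    records = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "NAT-REALM Schema: snapshotnatschema" not in block:
            continue  # skip other schemas and trailing whitespace
        rec = {}
        for line in block.splitlines():
            label, sep, value = line.strip().partition(": ")
            if sep and label in FIELDS:
                rec[FIELDS[label]] = int(value) if value.isdigit() else value
        records.append(rec)
    return records

def chunk_usage_pct(rec):
    total = rec.get("chunks_total", 0)  # a realm without chunks reports 0.0
    return 100.0 * rec.get("chunks_used", 0) / total if total else 0.0

def alarm_events(samples, high, low):
    """Replay polls in order; raise at >= high, clear at < low (assumed model)."""
    active, events = set(), []
    for rec in samples:
        realm, pct = rec["realm"], round(chunk_usage_pct(rec), 1)
        if realm not in active and pct >= high:
            active.add(realm)
            events.append((realm, "raise", pct))
        elif realm in active and pct < low:
            active.discard(realm)
            events.append((realm, "clear", pct))
    return events

# Constructed sample: three polls of one realm; all values are made up.
SAMPLE = "".join(
    "NAT-REALM Schema: snapshotnatschema\nVPN Name: isp\nRealm Name: natpool1\n"
    "Total NAT public IP address: 256\nCurrent NAT public IP address in use: %d\n"
    "Current subscribers using realm: %d\nTotal port chunks: 2048\n"
    "Current port chunks in use: %d\n-----------------------\n" % row
    for row in [(120, 900, 1100), (250, 1900, 1900), (90, 600, 700)])
```

Feeding the collected file to parse_snapshots and the result to alarm_events gives an offline check of when port-chunk exhaustion alarms would have fired for each realm.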
To configure a secondary IP pool that is not overwritten by the RADIUS-supplied list, use the following configuration. The configured secondary pool is appended to the RADIUS-supplied IP pool list or the APN-provided IP pool list, whichever is applicable, during call setup.
secondary ip pool <pool_name>
busyout ip pool name <private_pool_name>
The secondary ip pool <pool_name> command is license dependent.
The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
To configure a secondary IP pool that is not overwritten by the RADIUS-supplied list, use the following configuration. The configured secondary pool is appended to the RADIUS-supplied IP pool list or the subscriber-template-provided IP pool list, whichever is applicable, during call setup.
secondary ip pool <pool_name>
busyout ip pool name <private_pool_name>
The secondary ip pool <pool_name> command is license dependent.
The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]