Sample NAT Configuration
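The following is a sample NAT configuration. The addresses, host names, keys and encrypted secrets in it are sample values and must be replaced with values for your own deployment. Beyond the NAT settings, the sample enables the FTP and Telnet servers in the local context, gives the administrator account FTP access, configures the PDSN service with allow-noauth, and transfers bulk statistics over FTP with a root login. Review these management and authentication settings against your security policy before reusing any part of this configuration.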
configure
license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=116904I0207E3107|DOI=1258470708|DOE=12\
HG=100000|FHE=Y|SIG=MC4CFQCf9f7bAibGKJWq69JaJMd5XowxVwIVALDFfUHAEUTokw"
aaa default-domain subscriber radius
aaa last-resort context subscriber radius
gtpp single-source
system hostname ABC123DEF456
autoconfirm
clock timezone asia-calcutta
crash enable encrypted url abc123def456ghi789
card 1
mode active psc
#exit
card 2
mode active psc
#exit
card 4
mode active psc
#exit
require session recovery
require active-charging
context local
interface SPIO1
ip address 1.2.3.4 255.255.255.0
#exit
server ftpd
#exit
ssh key abc123def456ghi789abc123def456ghi789 len 777 type v2-dsa
server sshd
subsystem sftp
#exit
server telnetd
#exit
subscriber default
exit
administrator admin encrypted password abc123def456ghi789 ftp
aaa group default
#exit
gtpp group default
#exit
ip route 0.0.0.0 0.0.0.0 2.3.4.5 SPIO1
#exit
port ethernet 24/1
no shutdown
bind interface SPIO1 local
#exit
ntp
enable
server 10.6.1.1
#exit
snmp engine-id local 123007e123275a8c123ff07ca49
active-charging service service_1
nat allocation-failure send-icmp-dest-unreachable
host-pool host1
ip range 3.4.5.6 to 4.5.6.7
#exit
host-pool host2
ip range 5.6.7.8 to 6.7.8.9
#exit
host-pool host3
ip range 7.8.9.0 to 8.9.0.1
#exit
ruledef ip_any
ip any-match = TRUE
#exit
ruledef rt_ftp
tcp either-port = 21
rule-application routing
#exit
ruledef rt_ftp_data
tcp either-port = 20
rule-application routing
#exit
ruledef rt_http
tcp either-port = 80
rule-application routing
#exit
ruledef rt_rtp
rtp any-match = TRUE
rule-application routing
#exit
ruledef rt_rtsp
tcp either-port = 554
rule-application routing
#exit
access-ruledef fw_icmp
icmp any-match = TRUE
#exit
access-ruledef fw_tcp
tcp any-match = TRUE
#exit
access-ruledef fw_udp
udp any-match = TRUE
#exit
edr-format nbr_format1
attribute sn-correlation-id priority 1
rule-variable ip subscriber-ip-address priority 2
attribute sn-fa-correlation-id priority 3
attribute radius-fa-nas-ip-address priority 4
attribute radius-fa-nas-identifier priority 5
attribute radius-user-name priority 6
attribute radius-calling-station-id priority 7
attribute sn-nat-ip priority 8
attribute sn-nat-port-block-start priority 9
attribute sn-nat-port-block-end priority 10
attribute sn-nat-binding-timer priority 11
attribute sn-nat-subscribers-per-ip-address priority 12
attribute sn-nat-realm-name priority 13
attribute sn-nat-gmt-offset priority 14
attribute sn-nat-port-chunk-alloc-dealloc-flag priority 15
attribute sn-nat-port-chunk-alloc-time-gmt priority 16
attribute sn-nat-port-chunk-dealloc-time-gmt priority 17
attribute sn-nat-last-activity-time-gmt priority 18
#exit
udr-format udr_format
attribute sn-start-time format MM/DD/YYYY-HH:MM:SS localtime priority 1
attribute sn-end-time format MM/DD/YYYY-HH:MM:SS localtime  priority 2
attribute sn-correlation-id priority 4
attribute sn-content-vol bytes uplink priority 6
attribute sn-content-vol bytes downlink priority 7
attribute sn-fa-correlation-id priority 8
attribute radius-fa-nas-ip-address priority 9
attribute radius-fa-nas-identifier priority 10
attribute radius-user-name priority 11
attribute sn-content-vol pkts uplink priority 12
attribute sn-content-vol pkts downlink priority 13
attribute sn-group-id priority 14
attribute sn-content-id priority 15
#exit
charging-action ca_nothing
content-id 20
#exit
bandwidth-policy bw1
#exit
bandwidth-policy bw2
#exit
rulebase base_1
tcp packets-out-of-order timeout 30000
billing-records udr udr-format udr_format
action priority 1 ruledef ip_any charging-action ca_nothing
route priority 1 ruledef rt_ftp analyzer ftp-control
route priority 10 ruledef rt_ftp_data analyzer ftp-data
route priority 20 ruledef rt_rtsp analyzer rtsp
route priority 30 ruledef rt_rtp analyzer rtp
route priority 40 ruledef rt_http analyzer http
rtp dynamic-flow-detection
bandwidth default-policy bw1
fw-and-nat default-policy base_1
#exit
rulebase base_2
action priority 1 ruledef ip_any charging-action ca_nothing
route priority 1 ruledef rt_ftp analyzer ftp-control
route priority 10 ruledef rt_ftp_data analyzer ftp-data
route priority 40 ruledef rt_http analyzer http
bandwidth default-policy bw2
fw-and-nat default-policy base_2
#exit
rulebase default
#exit
fw-and-nat policy base_1
access-rule priority 1 access-ruledef fw_tcp permit nat-realm nat_pool1
access-rule priority 2 access-ruledef fw_udp permit nat-realm nat_pool2
firewall tcp-first-packet-non-syn reset
nat policy nat-required default-nat-realm nat_pool3
nat binding-record edr-format nbr_format1 port-chunk-allocation port-chunk-release
#exit
fw-and-nat policy base_2
access-rule priority 10 access-ruledef fw_tcp permit nat-realm nat_pool2
access-rule priority 20 access-ruledef fw_udp permit nat-realm nat_pool1
access-rule priority 25 access-ruledef fw_icmp permit bypass-nat
nat policy nat-required default-nat-realm nat_pool3
#exit
nat tcp-2msl-timeout 120
#exit
context pdsn
interface pdsn
ip address 9.0.1.2 255.255.255.0
#exit
ssh key abc123def456ghi789abc123def456ghi789 len 461
server sshd
subsystem sftp
#exit
subscriber default
ip access-group css-1 in
ip access-group css-1 out
ip context-name isp
mobile-ip send accounting-correlation-info
active-charging rulebase base_1
exit
aaa group default
#exit
gtpp group default
#exit
pdsn-service pdsn
spi remote-address 9.0.1.2 spi-number 256 encrypted secret abc123def456ghi789 timestamp-tolerance 0
spi remote-address 9.0.1.2 spi-number 256 encrypted secret abc123def456ghi789 timestamp-tolerance 0
spi remote-address 9.0.1.2 spi-number 9999 encrypted secret abc123def456ghi789 timestamp-tolerance 0
authentication pap 1 chap 2 allow-noauth
bind address 0.1.2.3
#exit
edr-module active-charging-service
file name NBR_nat current-prefix Record rotation time 45 headers edr-format-name
#exit
#exit
context isp
ip access-list css
redirect css service service_1 ip any any
#exit
ip pool nat_pool1 range 20.20.20.0 20.20.20.99 napt-users-per-ip-address 10 max-chunks-per-user 5 port-chunk-size 128 send-nat-binding-update
ip pool nat_pool2 range 30.30.30.0 30.30.30.99 nat-one-to-one on-demand nat-binding-timer 60 send-nat-binding-update
ip pool nat_pool3 40.40.40.0 255.255.255.0 napt-users-per-ip-address 5 max-chunks-per-user 5 port-chunk-size 64 send-nat-binding-update
ip pool pool1 11.22.33.44 255.255.0.0 public 0
interface isp
ip address 22.33.44.55 255.255.255.0
#exit
subscriber default
exit
aaa group default
#exit
gtpp group default
#exit
ip route 0.0.0.0 0.0.0.0 33.44.55.66 isp
#exit
context radius
interface radius
ip address 44.55.66.77 255.255.255.0
#exit
subscriber default
exit
subscriber name test7-sub
ip access-group css in
ip access-group css out
ip context-name isp
active-charging rulebase base_1
exit
subscriber name test9-sub
ip access-group css in
ip access-group css out
ip context-name isp1
active-charging rulebase base_2
exit
domain test7.com default subscriber test7-sub
domain test9.com default subscriber test9-sub
radius change-authorize-nas-ip 44.55.66.77 encrypted key abc123def456ghi789 port 4000
aaa group default
radius attribute nas-ip-address address 44.55.66.77
radius dictionary custom9
radius server 55.66.77.88 encrypted key abc123def456ghi port 1645
radius accounting server 55.66.77.88 encrypted key abc12 port 1646
#exit
gtpp group default
#exit
diameter endpoint abc.star.com
origin host abc.star.com address 44.55.66.77
peer minid realm star.com address 55.66.77.88
#exit
#exit
bulkstats collection
bulkstats mode
sample-interval 1
transfer-interval 15
file 1
remotefile format /localdisk/ABC.bulkstat
receiver 66.77.88.99 primary mechanism ftp login root encrypted password 34dab256a700e2a8
#exit
#exit
port ethernet 17/1
no shutdown
bind interface pdsn pdsn
#exit
port ethernet 17/2
no shutdown
bind interface isp isp
#exit
port ethernet 17/3
no shutdown
bind interface radius radius
#exit
port ethernet 17/4
no shutdown
#exit
port ethernet 17/5
no shutdown
#exit
end
 
