Building configuration...

Current configuration : 4657 bytes
!
! Last configuration change at 20:48:59 UTC Mon Jan 15 2007 by cisco
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Cisco-BRAS
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
!
aaa new-model
!
!
aaa group server radius hydra
 server 192.168.0.100 auth-port 1812 acct-port 1813
!
aaa authentication ppp hydra group hydra
aaa authorization prepaid hydra group hydra 
aaa authorization network hydra group hydra 
aaa authorization subscriber-service hydra local group hydra 
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network hydra start-stop group hydra
!
aaa nas port extended
!
!
!
aaa server radius dynamic-author
 client 192.168.0.100
 server-key cisco
 auth-type any
 ignore session-key
!
aaa session-id unique
!
!
!
!
!
!
ip domain name msadighian.com
ip cef
no ipv6 cef
!
subscriber feature prepaid HYDRA
 threshold time 0 seconds
 threshold volume 0 bytes
 interim-interval 1 minutes
 method-list author hydra
 method-list accounting hydra
 password cisco
!
subscriber authorization enable
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
!
!
!
!
!
!
!
username **** password 0 ****
username **** password 0 ****
redirect server-group BILLING
 server ip 87.234.11.2 port 80
!
!
!
!
!
!
ip ssh version 2
class-map type traffic match-any OPENGARDEN
 match access-group input name OPENGARDEN
 match access-group output name OPENGARDEN
!
class-map type traffic match-any L4-REDIRECT
 match access-group input name L4-REDIRECT
!
class-map type traffic match-any L4
!
class-map type traffic match-any INTERNAL
 match access-group input name INTERNAL
 match access-group output name INTERNAL
!
class-map type traffic match-any INTERNET
 match access-group input name INTERNET
 match access-group output name INTERNET
!
policy-map type service INTERNET__1024
 10 class type traffic INTERNET
  prepaid config HYDRA
  police input 1024000 1024000 1024000
  police output 1024000 1024000 1024000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service INTERNAL__2048
 9 class type traffic INTERNAL
  prepaid config HYDRA
  police input 2048000 2048000 2048000
  police output 2048000 2048000 2048000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service L4-REDIRECT__Unlimited
 99 class type traffic L4-REDIRECT
  redirect to group BILLING
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service OPENGARDEN__Unlimited
 100 class type traffic OPENGARDEN
 !
 class type traffic default in-out
  drop
 !
!
 !
!
policy-map type control ISG
 class type control always event session-start
  1 authenticate aaa list hydra 
 !
!
! 
!
!
!
!
!
!
!
bba-group pppoe global
 virtual-template 1
 sessions auto cleanup
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/1
 description internet-side
 ip address 192.168.0.20 255.255.255.0
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface FastEthernet0/2
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface GigabitEthernet0/2
 description user-side
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
 pppoe enable group global
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface Virtual-Template1
 mtu 1460
 ip unnumbered GigabitEthernet0/1
 ip tcp adjust-mss 1320
 no logging event link-status
 peer default ip address pool DefaultPool
 ppp encrypt mppe auto
 ppp authentication chap pap hydra
 ppp authorization hydra
 ppp accounting hydra
 ppp ipcp dns 8.8.8.8
 service-policy type control ISG
!
ip local pool DefaultPool 10.0.0.1 10.0.0.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended INTERNAL
 permit ip host 8.8.8.8 any
 permit ip any host 8.8.8.8
ip access-list extended INTERNET
 permit ip any any
ip access-list extended L4-REDIRECT
 deny   tcp any host 87.234.11.2
 deny   tcp host 87.234.11.2 any
 permit tcp any any eq www
ip access-list extended OPENGARDEN
 permit tcp any any eq www
 permit tcp any eq www any
 permit udp any any eq domain
 permit udp any eq domain any
!
ip radius source-interface GigabitEthernet0/1 
!
!
radius-server host 192.168.0.100 auth-port 1812 acct-port 1813
radius-server key cisco
!         
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input all
line vty 5 15
 transport input all
!
!
end

Note:
1- Any traffic class other than INTERNET should have a higher priority (a lower class number) than the INTERNET class; otherwise the INTERNET class, whose access list permits any IP traffic, matches the packets first and the more specific class never takes effect. Example:
9 class type traffic INTERNAL
10 class type traffic INTERNET

INTERNAL has higher priority than INTERNET.

2- policy-map type service INTERNET__1024: the name "INTERNET__1024" must be the same as the service name that RADIUS sends to the router (the leading "A" in the attribute value means "activate" and is not part of the name). Example:
RADIUS:

Cisco-Account-Info += "AINTERNET__1024"
OR
ssg-account-info += "AINTERNET__1024"

Router:

policy-map type service INTERNET__1024
 10 class type traffic INTERNET
  prepaid config HYDRA
  police input 1024000 1024000 1024000
  police output 1024000 1024000 1024000
 !
 class type traffic default in-out
  drop
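As an added check that is not part of the original configuration or the author's tooling, the script below applies notes 1 and 2 to one RADIUS Access-Accept: it parses the service policy-map names and class numbers from the config, strips the "A" (activate) prefix from each Cisco-Account-Info value, reports names with no matching policy-map, and flags any class in the co-activated services that is numbered after INTERNET. The config excerpt and the Access-Accept are constructed from the listing above; AINTERNET__512 is a deliberately mistyped name.

```python
import re

# Constructed excerpt of the service policy-maps in the configuration above.
ISG_CONFIG = """\
policy-map type service INTERNET__1024
 10 class type traffic INTERNET
  prepaid config HYDRA
 class type traffic default in-out
policy-map type service INTERNAL__2048
 9 class type traffic INTERNAL
policy-map type service L4-REDIRECT__Unlimited
 99 class type traffic L4-REDIRECT
policy-map type service OPENGARDEN__Unlimited
 100 class type traffic OPENGARDEN
"""
# Constructed Access-Accept in the format of the RADIUS debug shown above;
# AINTERNET__512 is a deliberately mistyped service name (no such policy-map).
ACCESS_ACCEPT = """\
Service-Type = Framed-User
Cisco-Account-Info += "AOPENGARDEN__Unlimited"
Cisco-Account-Info += "AINTERNET__512"
"""

def parse_services(config):
    """Map each 'policy-map type service' name to {traffic class: class number}."""
    services, current = {}, None
    for line in config.splitlines():
        m = re.match(r"policy-map type service (\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s+(\d+) class type traffic (\S+)", line)
        if m and current is not None:
            current[m.group(2)] = int(m.group(1))
    return services

def requested_services(accept_text):
    """Service names RADIUS activates: Cisco-Account-Info 'A<name>' ('A' = activate)."""
    return re.findall(r'Cisco-Account-Info \+= "A([^"]+)"', accept_text)

def check_session(config, accept_text, catch_all="INTERNET"):
    """Return (unknown service names, classes numbered after the catch-all class)."""
    services = parse_services(config)
    wanted = requested_services(accept_text)
    unknown = [s for s in wanted if s not in services]
    # Classes the session would carry once every known requested service is active.
    classes = {c: n for s in wanted if s in services for c, n in services[s].items()}
    limit = classes.get(catch_all)
    misordered = [c for c, n in classes.items() if limit is not None and n > limit]
    return unknown, misordered
```

Running check_session(ISG_CONFIG, ACCESS_ACCEPT) returns the unknown name INTERNET__512 and no ordering problem; an Access-Accept that activates both OPENGARDEN__Unlimited and INTERNET__1024 would instead flag OPENGARDEN (class 100) as ordered after INTERNET (class 10).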


L4-REDIRECT EXAMPLE:

RADIUS:

Sending Access-Accept of id 19 to 192.168.0.20 port 1645
Service-Type = Framed-User
Framed-Protocol = PPP
Idle-Timeout = 14400
Cisco-AVPair = "subscriber:accounting-list=hydra"
Cisco-Account-Info += "AL4-REDIRECT__Unlimited"
Cisco-Account-Info += "AOPENGARDEN__Unlimited"

Router:

show redirect translations
Unlimited number of L4 Redirect allowed per session

Prot Destination IP/Port                           Server IP/Port
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 134.0.216.147 80                              87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80
 TCP 13.82.28.61 80                                87.234.11.2 80

Total Number of Translations: 23

Highest number of L4 Redirect: 23 by session with source IP 10.0.0.2

By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com telegram:http://t.me/mehdi_sadighian