{{indexmenu_n>6}}
======Working with NAT Flow. How to find a subscriber after NAT======
The following components are required for this functionality to work: [[en:dpi:dpi_components:qoestor|QoE Stor Module]] и [[en:dpi:dpi_components:dpiui|SSG DPI control interface]].\\
Description for configuring NAT in QoE: [[en:dpi:dpi_components:qoestor:configuration:nat_flow]]
=====Example of working with abuse letters=====
This tutorial is how to find the specific subscriber who is reported abuse.\\
The abuse email usually contains a global address from a NAT pool. We need to understand which of the subscribers went to the resource where the virus activity was detected at a known time behind this NAT-pool.\\
We need to perform **two steps** — find the necessary information in the abuse email and use it to identify the subscriber in the GUI of the Stingray.
====Step 1. Research the email====
- The address from your NAT pool (source IP).
- Address of the attacked resource (destination IP)
- Activity time on the attacked resource //(considering the time zones!)//
* **Example 1.** \\ {{dpi:opt_cgnat:cgnat_faq:email-ex-1.png?nolink&600|}}
* ** Example 2.** \\ {{dpi:opt_cgnat:cgnat_faq:email-ex-2.png?nolink&600|}}
More can be found useful in the email:
- Reason of abuse \\ {{dpi:opt_cgnat:cgnat_faq:email-abuse-type.png?nolink&600|}}
- History of abuse (if the activity was repeated) \\ {{dpi:opt_cgnat:cgnat_faq:email-abuse-logs.png?nolink&600|}}
This can help you understand the scope of the problem and identify similar problems on your network.
====Step 2. Looking for subscriber activity in the GUI====
The task is to determine from the logs which subscriber behind the NAT-pool (source IP) specified in the letter was accessing the destination IP at that time.
Before you start the search it is worth checking two facts:
- The NAT pool in question is set to CG-NAT in Stingray. \\ {{dpi:opt_cgnat:cgnat_faq:nat_pool.png?direct&600|}}
- The NAT log storage time captures the time of activity. View and configure \\ {{dpi:opt_cgnat:cgnat_faq:nat_log_lifetime.png?direct&600|}}
Then in the GUI you need to open the section NAT flow, select a period, enter the source and destination IP. \\
* {{dpi:opt_cgnat:cgnat_faq:nat_flow_src_dest_1.png?direct&600|}}
* {{dpi:opt_cgnat:cgnat_faq:nat_flow_src_dest_2.png?direct&600|}}
Perform the necessary actions with the found subscriber to prevent further abuse.