
Configuring Service-Side NAT

To configure NAT on the service-side of a vEdge router, you create a NAT pool interface within a service VPN on the router, and then you configure a centralized data policy on the vSmart controller. This policy directs data traffic with the desired prefixes to the service-side NAT. After the source address in the data packets is swapped to the NAT's address, the traffic is sent towards its destination.

Create a NAT Pool Interface

On the vEdge router, you create a NAT pool interface. This interface NATs data traffic that is directed to it and then forwards the traffic towards its destination.

To create a NAT pool interface:

  1. In the desired VPN, create the NAT pool interface:
    vEdge(config-vpn)# interface natpoolnumber
    The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.
  2. Configure the NAT pool interface's IP address. The IP address length must be /32.
    vEdge(config-natpool)# ip address prefix/length
  3. Enable the interface:
    vEdge(config-natpool)# no shutdown

On a NAT pool interface, you can configure only these two commands (ip address and shutdown/no shutdown). You cannot configure any of the other interface commands.

Here is an example of configuring the NAT pool interface:

vm5# show running-config vpn 1
vpn 1
 interface ge0/4
  ip address 10.20.24.15/24
  no shutdown
 !
 interface ge0/5
  ip address 56.0.1.15/24
  no shutdown
 !
 interface natpool2
  ip address 192.179.10.1/32
  nat
  !
  no shutdown
 !
!

Use the show interface command to display information about the NAT pool interface:

vm5# show interface vpn 1

                                 IF      IF                                                              TCP                                   
                                 ADMIN   OPER    ENCAP  PORT                              SPEED          MSS                 RX       TX       
VPN  INTERFACE  IP ADDRESS       STATUS  STATUS  TYPE   TYPE     MTU   HWADDR             MBPS   DUPLEX  ADJUST  UPTIME      PACKETS  PACKETS  
-----------------------------------------------------------------------------------------------------------------------------------------------
1    ge0/4      10.20.24.15/24   Up      Up      null   service  1500  00:0c:29:7d:1e:26  10     full    1420    0:01:24:06  566      565      
1    ge0/5      56.0.1.15/24     Up      Up      null   service  1500  00:0c:29:7d:1e:30  10     full    1420    0:01:24:06  26       4        
1    natpool2   192.179.10.1/32  Up      Up      null   service  1500  00:00:00:00:00:00  10     full    1420    0:00:40:57  0        0

Create a Data Policy To Direct Data Traffic to a Service-Side NAT

To direct data traffic from the service side of the vEdge router to the NAT, you create a centralized data policy on the vSmart controller. In the match condition of the policy, you identify the data traffic that you want to direct to the NAT. One way to do this is to match on the IP prefixes of the data traffic. In the action condition of the policy, you direct the matching traffic to one of the numbered NAT pools. Finally, you apply the policy to the service side at the desired overlay network sites.

To create a data policy to direct data traffic to a service-side NAT:

  1. Configure the lists required for the data policy. You must configure a VPN list and a site list. If you are matching on data prefixes, also configure a data prefix list.
    vSmart(config-policy-lists)# vpn-list list-name
    vSmart(config-policy-vpn-list)# vpn vpn-id

    vSmart(config-policy-lists)# site-list list-name
    vSmart(config-policy-site-list)# site-id site-id

    vSmart(config-policy-lists)# data-prefix-list list-name
    vSmart(config-policy-data-prefix-list)# ip-prefix prefix/length
  2. Configure a data policy:
    vSmart(config-policy)# data-policy policy-name
    vSmart(config-data-policy)# vpn-list list-name
    vSmart(config-vpn-list)# sequence number
  3. Configure the desired match conditions:
    vSmart(config-sequence)# match condition
  4. In the action, associate matching data traffic with the desired NAT pool:
    vSmart(config-sequence)# action accept
    vSmart(config-sequence)# nat pool number
  5. Configure the desired default action for the data policy:
    vSmart(config-vpn-list)# default-action (accept | reject)
  6. Apply the policy to the desired sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name from-service

Here is an example of configuring the centralized data policy:

vm9# show running-config policy
policy
 data-policy service-side-nat-policy
  vpn-list vpn-1
   sequence 10
    match
     source-data-prefix-list prefixes-to-nat
    !
    action accept
     nat pool 2
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn-1
   vpn 1
  !
  data-prefix-list prefixes-to-nat
   ip-prefix 56.0.1.0/24
  !
  site-list site-500
   site-id 500
  !
 !
!
vm9# show running-config apply-policy 
apply-policy
 site-list site-500
  data-policy service-side-nat-policy from-service
 !
!

After you activate the policy, you can see that it has been applied to the vEdge router:

vm5# show policy from-vsmart
from-vsmart data-policy service-side-nat-policy
 direction from-service
 vpn-list vpn-1
  sequence 10
   match
    source-data-prefix-list prefixes-to-nat
   action accept
    nat pool 2
  default-action accept
from-vsmart lists vpn-list vpn-1
 vpn 1
from-vsmart lists data-prefix-list prefixes-to-nat
 ip-prefix 56.0.1.0/24
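The NAT pool number is the only thing tying the vSmart data policy to the vEdge interface, and the two are configured on different devices, so it is worth checking them together. The following Python script is an added example, not Cisco or Viptela code: it parses running-config text in the indented form shown on this page, assumes you have pasted the vEdge VPN output and the vSmart policy output into one string, and checks the constraints this section states (pool number 1 through 31, a /32 address, nothing but ip address and shutdown/no shutdown on the pool interface, plus the nat keyword the example shows, and that every nat pool action and data-prefix-list reference in the policy resolves to a definition). The sample configurations and all function names are constructed for the example.

```python
import re

def parse_config(text):
    """Turn Viptela-style indented config into (command, children) tuples; '!' lines are skipped."""
    stack = [(-1, ("", []))]                      # (indent, node); stack[0] holds the root
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:             # close every block indented at least as deep
            stack.pop()
        node = (raw.strip(), [])
        stack[-1][1][1].append(node)
        stack.append((indent, node))
    return stack[0][1]

def find(node, prefix):                           # child blocks named `prefix` or `prefix ...`
    return [c for c in node[1] if c[0] == prefix or c[0].startswith(prefix + " ")]

def check_nat_pools(cfg):
    """Check natpool interfaces; return ({(vpn, pool): address}, problems)."""
    pools, problems = {}, []
    for vpn in find(cfg, "vpn"):
        for intf in find(vpn, "interface"):
            name = intf[0].split()[1]
            if not (m := re.fullmatch(r"natpool(\d+)", name)):
                continue
            num, addr = int(m.group(1)), None
            if not 1 <= num <= 31:
                problems.append(f"{name}: pool number must be 1-31")
            for cmd, _ in intf[1]:
                if cmd.startswith("ip address "):
                    addr = cmd.split()[2]
                elif cmd not in ("shutdown", "no shutdown", "nat"):
                    problems.append(f"{name}: '{cmd}' is not allowed on a NAT pool interface")
            if addr is None or not addr.endswith("/32"):
                problems.append(f"{name}: ip address must be a /32")
            if not find(intf, "no shutdown"):
                problems.append(f"{name}: interface is shut down")
            pools[(int(vpn[0].split()[1]), num)] = addr
    return pools, problems

def check_policy(cfg, pools):
    """Check that nat pool actions and prefix-list matches resolve to definitions."""
    problems = []
    for policy in find(cfg, "policy"):
        lists = (find(policy, "lists") or [("lists", [])])[0]
        vpn_lists = {l[0].split()[1]: [int(v[0].split()[1]) for v in find(l, "vpn")]
                     for l in find(lists, "vpn-list")}
        prefix_lists = {l[0].split()[1] for l in find(lists, "data-prefix-list")}
        for dp in find(policy, "data-policy"):
            for vl in find(dp, "vpn-list"):
                vpns = vpn_lists.get(vl[0].split()[1], [])   # VPNs the policy applies to
                for seq in find(vl, "sequence"):
                    where = f"{dp[0].split()[1]} seq {seq[0].split()[1]}"
                    for cond, _ in sum((mt[1] for mt in find(seq, "match")), []):
                        words = cond.split()
                        if len(words) == 2 and words[0].endswith("data-prefix-list") and words[1] not in prefix_lists:
                            problems.append(f"{where}: data-prefix-list '{words[1]}' is not defined")
                    for act in find(seq, "action"):
                        for pool in find(act, "nat pool"):
                            num = int(pool[0].split()[2])
                            for v in vpns:                    # the pool must exist in each such VPN
                                if (v, num) not in pools:
                                    problems.append(f"{where}: nat pool {num} has no natpool{num} interface in vpn {v}")
    return problems

def validate(text):
    """All problems found in a combined vEdge + vSmart running-config dump."""
    cfg = parse_config(text)
    pools, problems = check_nat_pools(cfg)
    return problems + check_policy(cfg, pools)

# Constructed sample: the page's vEdge natpool2 and vSmart policy pasted together ('!' lines omitted).
GOOD_CONFIG = """\
vpn 1
 interface natpool2
  ip address 192.179.10.1/32
  nat
  no shutdown
policy
 data-policy service-side-nat-policy
  vpn-list vpn-1
   sequence 10
    match
     source-data-prefix-list prefixes-to-nat
    action accept
     nat pool 2
 lists
  vpn-list vpn-1
   vpn 1
  data-prefix-list prefixes-to-nat
   ip-prefix 56.0.1.0/24
"""
# Constructed broken variant: out-of-range pool number, /24 mask, and a policy pointing at a missing pool.
BAD_CONFIG = (GOOD_CONFIG.replace("natpool2", "natpool40")
              .replace("192.179.10.1/32", "192.179.10.1/24")
              .replace("nat pool 2", "nat pool 7"))
if __name__ == "__main__":
    print(validate(GOOD_CONFIG), validate(BAD_CONFIG), sep="\n")
```

Run against the good sample the script reports nothing; against the broken variant it reports the out-of-range pool number, the wrong mask, and the policy's nat pool 7 that no natpool7 interface in VPN 1 backs. The last check is the one to keep after any policy change on the vSmart, because a pool number that exists in the policy but not on the router is exactly the mismatch a per-device review would not see.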