
VPN Interface NAT Pool

Create NAT Pool Interfaces in a VPN

Use the VPN Interface NAT Pool template for all vEdge routers, to create Network Address Translation (NAT) pools of IP addresses in virtual private networks (VPNs).
To configure NAT pool interfaces in a VPN using vManage templates:

  1. Create a VPN Interface NAT Pool template to configure Ethernet interface parameters, as described in this article.
  2. Create a VPN feature template to configure parameters for a service-side VPN. See the VPN help topic.
  3. Optionally, create a data policy to direct data traffic to a service-side NAT. See Create a Device Template.

Create and Name a VPN Interface NAT Pool Template

You can open a new VPN Interface NAT Pool template from the Service VPN section of a device template.

  1. From the vManage menu, select Configuration > Templates.
  2. Click Feature.
  3. Click Add Template.
  4. Select a vEdge device from the list.
  5. From the VPN section, click VPN Interface NATPool.

The VPN Interface NATPool template form displays. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface NAT Pool parameters.

[Image: the VPN Interface NAT Pool template form (VPN_int_natpool_create.png)]

  6. In the required Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  7. In the optional Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Parameter Menus and Options


When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by the Default scope icon), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Device Specific
  Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

  When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

  To change the default key, type a new string and move the cursor out of the Enter Key box.

  Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global
  Enter a value for the parameter, and apply that value to all devices.

  Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure a NAT Pool Interface

To configure a NAT pool interface, configure the following parameters. Parameters marked with an asterisk are required to configure the interface.

Basic Configuration

Enter the following basic configuration parameters:

Shutdown*
  Values: Yes, No
  Click No to enable the interface.

Interface Name (1…31)*
  Values: 1-31
  Enter a number for the NAT pool interface to use for service-side NAT. For example, natpool22.

Description
  Enter a description for the interface.

IPv4 Address*
  Enter the IPv4 address of the interface, with its prefix length. The prefix length determines the number of NAT addresses that the router uses at the same time. A vEdge router can support a maximum of 250 NAT IP addresses.

Refresh Mode
  Values: bi-directional, outbound
  Select how NAT mappings are refreshed:
    bi-directional: Keep the NAT mappings for both inbound and outbound traffic active.
    outbound: Keep the NAT mappings for outbound traffic active. This is the default.

UDP Timeout
  Values: 1-65536 minutes
  Enter the time after which NAT translations for UDP sessions time out.
  Default: 1 minute

TCP Timeout
  Values: 1-65536 minutes
  Enter the time after which NAT translations for TCP sessions time out.
  Default: 60 minutes (1 hour)

Block ICMP
  Values: On, Off
  Select whether a vEdge router that is acting as a NAT device should receive inbound ICMP error messages. By default, the router blocks these error messages. Click Off to receive the ICMP error messages.

Direction
  Values: inside, outside
  Select the direction in which the NAT interface performs address translation:
    inside: Translate the source IP address of packets that come from the service side of the vEdge router and that are destined for the transport side of the router. This is the default.
    outside: Translate the source IP address of packets that come to the vEdge router from the transport side and that are destined for a service-side device.

Overload
  Values: Yes, No
  Click No to disable dynamic NAT. By default, dynamic NAT is enabled.

Tracker

  1. To create one or more tracker interfaces, select the Tracker tab and click New Tracker.
  2. Select one or more interfaces to track the status of service interfaces.
  3. To save the tracker interfaces, click Add. To save the feature template, click Save.

CLI Equivalent Commands

Use the following commands to configure NAT Pool interfaces.

vpn vpn-id
  interface natpoolnumber
    ip address prefix/length
    nat
      tracker tracker-name1 tracker-name2 tracker-name3
      direction (inside | outside)
      [no] overload
      refresh (bi-directional | outbound)
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)
      tcp-timeout minutes
      udp-timeout minutes
    [no] shutdown
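The CLI skeleton above leaves the operator to check the limits stated in the parameter table by hand. The following is an added example, not Cisco or Viptela code, that models the Basic Configuration fields as a Python dataclass, validates them against the limits this page documents (interface number 1-31, at most 250 NAT addresses per vEdge router, tcp/udp timeouts of 1-65536 minutes, the inside/outside and bi-directional/outbound keywords) and renders the CLI equivalent. How the router counts the addresses covered by the prefix is not stated on the page; the example assumes every address in the prefix counts, so a /24 (256 addresses) is rejected while a /25 (128) passes. The interface values used in the usage section are constructed sample data.

```python
"""Validate VPN Interface NAT Pool parameters and render the CLI equivalent.

Added example, not Cisco/Viptela code. Limits come from the template field
descriptions on this page. Counting every address in the prefix against the
250-address maximum is an assumption made by this example.
"""
from dataclasses import dataclass, field
import ipaddress

MAX_NAT_ADDRESSES = 250        # documented per-router maximum
MAX_TIMEOUT_MINUTES = 65536    # upper bound of the TCP/UDP timeout fields


@dataclass
class NatPoolInterface:
    vpn_id: int
    number: int                    # natpool interface number, 1-31
    address: str                   # interface IPv4 address with prefix length
    direction: str = "inside"      # inside (default) or outside
    overload: bool = True          # dynamic NAT is enabled by default
    refresh: str = "outbound"      # bi-directional or outbound (default)
    tcp_timeout: int = 60          # minutes, default 60
    udp_timeout: int = 1           # minutes, default 1
    trackers: list = field(default_factory=list)
    shutdown: bool = False         # Shutdown = No enables the interface

    def validate(self) -> list:
        """Return a list of problems; an empty list means the values are acceptable."""
        problems = []
        if not 1 <= self.number <= 31:
            problems.append(f"interface number {self.number} is outside 1-31")
        try:
            net = ipaddress.IPv4Interface(self.address).network
        except ValueError as exc:
            problems.append(f"invalid IPv4 address {self.address!r}: {exc}")
        else:
            # Assumption: every address in the prefix counts towards the maximum.
            if net.num_addresses > MAX_NAT_ADDRESSES:
                problems.append(
                    f"{self.address} covers {net.num_addresses} addresses, more than the "
                    f"{MAX_NAT_ADDRESSES} NAT addresses a vEdge router supports")
        if self.direction not in ("inside", "outside"):
            problems.append(f"direction must be inside or outside, not {self.direction!r}")
        if self.refresh not in ("bi-directional", "outbound"):
            problems.append(f"refresh must be bi-directional or outbound, not {self.refresh!r}")
        for name, minutes in (("tcp-timeout", self.tcp_timeout), ("udp-timeout", self.udp_timeout)):
            if not 1 <= minutes <= MAX_TIMEOUT_MINUTES:
                problems.append(f"{name} {minutes} is outside 1-{MAX_TIMEOUT_MINUTES} minutes")
        return problems

    def render_cli(self) -> str:
        """Render the vEdge CLI equivalent shown on this page; refuse invalid values."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        lines = [
            f"vpn {self.vpn_id}",
            f"  interface natpool{self.number}",
            f"    ip address {self.address}",
            "    nat",
        ]
        if self.trackers:
            lines.append("      tracker " + " ".join(self.trackers))
        lines.append(f"      direction {self.direction}")
        lines.append("      overload" if self.overload else "      no overload")
        lines.append(f"      refresh {self.refresh}")
        lines.append(f"      tcp-timeout {self.tcp_timeout}")
        lines.append(f"      udp-timeout {self.udp_timeout}")
        lines.append("    shutdown" if self.shutdown else "    no shutdown")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    pool = NatPoolInterface(vpn_id=1, number=22, address="203.0.113.1/25",
                            trackers=["tracker-wan1", "tracker-wan2"])
    print(pool.render_cli())
    print(NatPoolInterface(vpn_id=1, number=22, address="203.0.113.0/24").validate())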

Configure Port-Forwarding Rules

To create port-forwarding rules to allow requests from an external network to reach devices on the internal network:

  1. Select the Port Forward tab.
  2. Click New Port Forwarding Rule, and configure the following parameters. You can create up to 128 rules.

Parameter Name

Values

Description

Port Start Range

Enter the starting port number. This number must be less than or equal to the ending port number.

Port End Range

Enter the ending port number. To apply port forwarding to a single port, specify the same port number for the starting and ending numbers. When applying port forwarding to a range of ports, the range includes the two port numbers that you specify.

Protocol

TCP

UDP

Select the protocol to apply the port-forwarding rule to. To match the same ports for both TCP and UDP traffic, configure two rules.

VPN

0-65535

Private VPN in which the internal server resides.

Private IP

Enter an IP address to use within the firewall. A best practice is to specify the IP address of a service-side VPN.

  1. To save the rule, click Add.
  2. To save the feature template, click Save.

CLI Equivalent Commands 

vpn vpn-id
  interface natpoolnumber
    nat
      port-forward port-start port-number1 port-end port-number2 proto (tcp | udp)
        private-ip-address ip address private-vpn vpn-id

Configure Static NAT

To configure a static NAT of service-side source IP addresses:

  1. Select the Static NAT tab. Then click New Static NAT and configure the following parameters to add a static NAT mapping:

Parameter Name

Values

Description

Mark as Optional Row

Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.

Source IP

Enter the NAT private source IP address.

Translate IP

To map a public IP address to a private source address, enter the public IP address.

Static NAT Direction

Select the direction in which to perform network address translation.

inside

Translate the IP address of packets that are coming from the service side of the vEdge router and that are destined for the transport side of the router.

outside

Translate the IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined for a service-side device.

2. To save the NAT mapping, click Add.

3. To save the feature template, click Save.

CLI Equivalent Commands

vpn vpn-id
  interface natpoolnumber
    nat
      port-forward port-start port-number1 port-end port-number2 proto (tcp | udp)
        private-ip-address ip address private-vpn vpn-id

 Release Information

Introduced in vManage NMS Release 16.3.
In Release 17.2.2, add support for tracker interface status.
In Release 18.4, updated images; add support for multiple tracker interfaces.

  • Was this article helpful?