Configuring Service-Side NAT
To configure NAT on the service-side of a vEdge router, you create a NAT pool interface within a service VPN on the router, and then you configure a centralized data policy on the vSmart controller. This policy directs data traffic with the desired prefixes to the service-side NAT. After the source address in the data packets is swapped to the NAT's address, the traffic is sent towards its destination.
Create a NAT Pool Interface
On the vEdge router, you create a NAT pool interface. This interface NATs data traffic that is directed to it and then forwards the traffic towards its destination.
To create a NAT pool interface:
- In the desired VPN, create the NAT pool interface:
  vEdge(config-vpn)# interface natpoolnumber
  The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.
- Configure the NAT pool interface's IP address. The IP address length must be /32.
  vEdge(config-natpool)# ip address prefix/length
- Enable the interface:
  vEdge(config-natpool)# no shutdown
On a NAT pool interface, you can configure only these two commands (ip address and shutdown/no shutdown). You cannot configure any of the other interface commands.
Here is an example of configuring the NAT pool interface:
vm5# show running-config vpn 1
vpn 1
 interface ge0/4
  ip address 10.20.24.15/24
  no shutdown
 !
 interface ge0/5
  ip address 56.0.1.15/24
  no shutdown
 !
 interface natpool2
  ip address 192.179.10.1/32
  nat
  !
  no shutdown
 !
!
Use the show interface command to display information about the NAT pool interface:
vm5# show interface vpn 1
IF IF TCP
ADMIN OPER ENCAP PORT SPEED MSS RX TX
VPN INTERFACE IP ADDRESS STATUS STATUS TYPE TYPE MTU HWADDR MBPS DUPLEX ADJUST UPTIME PACKETS PACKETS
-----------------------------------------------------------------------------------------------------------------------------------------------
1 ge0/4 10.20.24.15/24 Up Up null service 1500 00:0c:29:7d:1e:26 10 full 1420 0:01:24:06 566 565
1 ge0/5 56.0.1.15/24 Up Up null service 1500 00:0c:29:7d:1e:30 10 full 1420 0:01:24:06 26 4
1 natpool2 192.179.10.1/32 Up Up null service 1500 00:00:00:00:00:00 10 full 1420 0:00:40:57 0 0
Create a Data Policy To Direct Data Traffic to a Service-Side NAT
To direct data traffic from the service side of the vEdge router to the NAT, you create a centralized data policy on the vSmart controller. In the match condition of the policy, you identify the data traffic that you want to direct to the NAT. One way to do this is to match on the IP prefixes of the data traffic. In the action condition of the policy, you direct the matching traffic to one of the numbered NAT pools. Finally, you apply the policy to the service side at the desired overlay network sites.
To create a data policy to direct data traffic to a service-side NAT:
- Configure the lists required for the data policy. You must configure a VPN list and a site list. If you are matching on data prefixes, also configure a data prefix list:
  vSmart(config-policy-lists)# vpn-list list-name
  vSmart(config-policy-vpn-list)# vpn vpn-id
  vSmart(config-policy-lists)# site-list list-name
  vSmart(config-policy-site-list)# site-id site-id
  vSmart(config-policy-lists)# data-prefix-list list-name
  vSmart(config-policy-data-prefix-list)# ip-prefix prefix/length
- Configure a data policy:
  vSmart(config-policy)# data-policy policy-name
  vSmart(config-data-policy)# vpn-list list-name
  vSmart(config-vpn-list)# sequence number
- Configure the desired match conditions:
  vSmart(config-sequence)# match condition
- In the action, associate matching data traffic with the desired NAT pool:
  vSmart(config-sequence)# action accept
  vSmart(config-sequence)# nat pool number
- Configure the desired default action for the data policy:
  vSmart(config-vpn-list)# default-action (accept | reject)
- Apply the policy to the desired sites in the overlay network:
  vSmart(config)# apply-policy site-list list-name data-policy policy-name from-service
Here is an example of configuring the centralized data policy:
vm9# show running-config policy
policy
 data-policy service-side-nat-policy
  vpn-list vpn-1
   sequence 10
    match
     source-data-prefix-list prefixes-to-nat
    !
    action accept
     nat pool 2
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn-1
   vpn 1
  !
  data-prefix-list prefixes-to-nat
   ip-prefix 56.0.1.0/24
  !
  site-list site-500
   site-id 500
  !
 !
!
vm9# show running-config apply-policy
apply-policy
 site-list site-500
  data-policy service-side-nat-policy from-service
 !
!
After you activate the policy, you can see that it has been applied to the vEdge router:
vm5# show policy from-vsmart
from-vsmart data-policy service-side-nat-policy
 direction from-service
 vpn-list vpn-1
  sequence 10
   match
    source-data-prefix-list prefixes-to-nat
   action accept
    nat pool 2
  default-action accept
from-vsmart lists vpn-list vpn-1
 vpn 1
from-vsmart lists data-prefix-list prefixes-to-nat
 ip-prefix 56.0.1.0/24
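The two procedures above, the NAT pool interface (pool number 1 through 31, address length /32) and the centralized data policy that steers matching source prefixes into that pool, can be exercised offline with the following Python model. It is an added example, not code from Cisco or the Viptela software: the class and function names are this example's own, the sample pool and prefix list are constructed from the configuration shown on this page, and the handling of a sequence that names a pool the router does not have (treated as a drop) is a modeling assumption, not documented vEdge behavior.

```python
"""Added illustration (not Viptela/Cisco code) of a service-side NAT pool
and the vSmart data policy that directs source prefixes into it.
Sample values mirror the page's configuration; names are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NatPool:
    """An 'interface natpool<number>' with its 'ip address' (must be /32)."""
    number: int
    address: str

    def __post_init__(self):
        # Page constraints: pool number 1 through 31, address length exactly /32.
        if not 1 <= self.number <= 31:
            raise ValueError(f"natpool{self.number}: pool number must be 1 through 31")
        iface = ipaddress.ip_interface(self.address)
        if iface.network.prefixlen != 32:
            raise ValueError(
                f"natpool{self.number}: address must be /32, got /{iface.network.prefixlen}")
        self.nat_ip = str(iface.ip)   # address written into the packet's source field


@dataclass
class Sequence:
    """One 'sequence N' of a data policy: match on source prefixes, then act."""
    number: int
    source_prefixes: List[str]        # entries of the source-data-prefix-list
    nat_pool: Optional[int] = None    # 'action accept' + 'nat pool N'; None = plain accept


@dataclass
class DataPolicy:
    vpn_ids: Set[int]                 # the vpn-list the policy is bound to
    sequences: List[Sequence]
    default_action: str               # "accept" or "reject"


def apply_policy(policy: DataPolicy, pools: Dict[int, NatPool],
                 vpn_id: int, src_ip: str) -> Tuple[str, str]:
    """Evaluate one packet arriving from the service side.

    Returns (verdict, source address after any NAT). Sequences are tried in
    ascending order and the first match wins; a packet matching no sequence
    takes the default-action. Modeling assumption: a sequence that references
    a pool not defined on the router yields a drop.
    """
    if vpn_id not in policy.vpn_ids:
        return "accept", src_ip                      # policy not applied to this VPN
    src = ipaddress.ip_address(src_ip)
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        if not any(src in ipaddress.ip_network(p) for p in seq.source_prefixes):
            continue
        if seq.nat_pool is None:
            return "accept", src_ip
        pool = pools.get(seq.nat_pool)
        if pool is None:
            return "drop", src_ip
        return "nat", pool.nat_ip
    return policy.default_action, src_ip


# Constructed sample mirroring the page: natpool2 = 192.179.10.1/32 in VPN 1,
# sequence 10 sends sources in 56.0.1.0/24 to pool 2, default-action accept.
EXAMPLE_POOLS = {2: NatPool(number=2, address="192.179.10.1/32")}
EXAMPLE_POLICY = DataPolicy(
    vpn_ids={1},
    sequences=[Sequence(number=10, source_prefixes=["56.0.1.0/24"], nat_pool=2)],
    default_action="accept",
)

if __name__ == "__main__":
    for vpn, src in [(1, "56.0.1.20"), (1, "10.20.24.7"), (2, "56.0.1.20")]:
        print(f"vpn {vpn} src {src} -> {apply_policy(EXAMPLE_POLICY, EXAMPLE_POOLS, vpn, src)}")
```

Running the block shows that a source in 56.0.1.0/24 leaves with the pool address 192.179.10.1, a source in 10.20.24.0/24 in the same VPN passes unchanged under the default-action, and traffic in a VPN outside the policy's vpn-list is untouched; the constructor checks catch an out-of-range pool number or a non-/32 pool address before any traffic is steered.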
Additional Information
Configuring Centralized Data Policy
Using a vEdge Router as a NAT Device