
Configuring Service-Side NAT

You can configure both dynamic NAT and 1:1 static NAT on the service side of a vEdge router. To do so, you create a NAT pool interface within a service VPN on the router, and then you configure a centralized data policy on the vSmart controller. This policy directs data traffic with the desired prefixes to the service-side NAT. Finally, you configure either dynamic NAT or static NAT on the desired NAT pool interfaces.

Create a NAT Pool Interface

On the vEdge router, you create a NAT pool interface. This interface NATs data traffic that is directed to it and then forwards the traffic towards its destination.

To create a NAT pool interface:

  1. In the desired VPN, create the NAT pool interface:
    vEdge(config-vpn)# interface natpoolnumber
    The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.
  2. Configure the NAT pool interface's IP address:
    vEdge(config-natpool)# ip address prefix/length
    The prefix length determines the number of source addresses that the router can NAT at the same time. Note, however, that a vEdge router can NAT a maximum of 250 IP addresses across all of its NAT pools.
  3. Enable the interface:
    vEdge(config-natpool)# no shutdown

On a NAT pool interface, you can configure only the ip address and shutdown/no shutdown commands and the nat command discussed below. None of the other interface commands are supported on a NAT pool interface.

Here is an example of configuring the NAT pool interface:

vEdge# show running-config vpn 1
vpn 1
 interface ge0/4
  ip address 10.20.24.15/24
  no shutdown
 !
 interface ge0/5
  ip address 56.0.1.15/24
  no shutdown
 !
 interface natpool2
  ip address 192.179.10.1/32
  nat
  !
  no shutdown
 !
!

Use the show interface command to display information about the NAT pool interface:

vEdge# show interface vpn 1

                                 IF      IF                                                              TCP                                   
                                 ADMIN   OPER    ENCAP  PORT                              SPEED          MSS                 RX       TX       
VPN  INTERFACE  IP ADDRESS       STATUS  STATUS  TYPE   TYPE     MTU   HWADDR             MBPS   DUPLEX  ADJUST  UPTIME      PACKETS  PACKETS  
-----------------------------------------------------------------------------------------------------------------------------------------------
1    ge0/4      10.20.24.15/24   Up      Up      null   service  1500  00:0c:29:7d:1e:26  10     full    1420    0:01:24:06  566      565      
1    ge0/5      56.0.1.15/24     Up      Up      null   service  1500  00:0c:29:7d:1e:30  10     full    1420    0:01:24:06  26       4        
1    natpool2   192.179.10.1/32  Up      Up      null   service  1500  00:00:00:00:00:00  10     full    1420    0:00:40:57  0        0

Create a Data Policy To Direct Data Traffic to a Service-Side NAT

To direct data traffic from the service side of the vEdge router to the NAT, you create a centralized data policy on the vSmart controller. In the match condition of the policy, you identify the data traffic that you want to direct to the NAT. One way to do this is to match on the IP prefixes of the data traffic. In the action condition of the policy, you direct the matching traffic to one of the numbered NAT pools. Finally, you apply the policy in the from-service direction at the desired overlay network sites.

To create a data policy to direct data traffic to a service-side NAT:

  1. Configure the lists required for the data policy. You must configure a VPN list and a site list. If you are matching on data prefixes, also configure a data prefix list.
    vSmart(config-policy-lists)# vpn-list list-name
    vSmart(config-policy-vpn-list)# vpn vpn-id

    vSmart(config-policy-lists)# site-list list-name
    vSmart(config-policy-site-list)# site-id site-id

    vSmart(config-policy-lists)# data-prefix-list list-name
    vSmart(config-policy-data-prefix-list)# ip-prefix prefix/length
  2. Configure a data policy:
    vSmart(config-policy)# data-policy policy-name
    vSmart(config-data-policy)# vpn-list list-name
    vSmart(config-vpn-list)# sequence number
  3. Configure the desired match conditions:
    vSmart(config-sequence)# match condition
  4. In the action, associate matching data traffic with the desired NAT pool:
    vSmart(config-sequence)# action accept
    vSmart(config-sequence)# nat pool number
  5. Configure the desired default action for the data policy:
    vSmart(config-vpn-list)# default-action (accept | reject)
  6. Apply the policy to the desired sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name from-service

Here is an example of configuring the centralized data policy:

vSmart# show running-config policy
policy
 data-policy service-side-nat-policy
  vpn-list vpn-1
   sequence 10
    match
     source-data-prefix-list prefixes-to-nat
    !
    action accept
     nat pool 2
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn-1
   vpn 1
  !
  data-prefix-list prefixes-to-nat
   ip-prefix 56.0.1.0/24
  !
  site-list site-500
   site-id 500
  !
 !
!
vSmart# show running-config apply-policy 
apply-policy
 site-list site-500
  data-policy service-side-nat-policy from-service
 !
!

After you activate the policy, you can see that it has been applied to the vEdge router:

vEdge# show policy from-vsmart
from-vsmart data-policy service-side-nat-policy
 direction from-service
 vpn-list vpn-1
  sequence 10
   match
    source-data-prefix-list prefixes-to-nat
   action accept
    nat pool 2
  default-action accept
from-vsmart lists vpn-list vpn-1
 vpn 1
from-vsmart lists data-prefix-list prefixes-to-nat
 ip-prefix 56.0.1.0/24

Configure Dynamic NAT

By default, when you configure a vEdge router to act as a NAT, the router performs dynamic network address translation. In this capacity, the router can perform dynamic NAT for up to 250 IP addresses across NAT pools.

To configure dynamic NAT:

  1. In the desired VPN, create the NAT pool interface:
    vEdge(config-vpn)# interface natpoolnumber
    The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.
  2. Configure the IP address prefix for the NAT pool interface:
    vEdge(config-natpool)# ip address prefix/length
    The prefix length determines the maximum number of addresses that the router can NAT at the same time. For example, for a /30 prefix length, the router can perform translation on four addresses at a time.
  3. Enable the interface:
    vEdge(config-natpool)# no shutdown
  4. Enable dynamic NAT:
    vEdge(config-natpool)# nat

As mentioned above, the prefix length determines the number of IP addresses that the router can NAT at the same time, up to a maximum of 250 across all NAT pools. When all available IP addresses have been used, the router reuses one pool address for further sources (the last address in the pool or, in Releases 16.3.2 and later, the first address), varying the port number. The port number is chosen at random from the nonreserved port numbers, that is, from the range 1024 through 65535. For example, if the pool's IP address is 10.1.17.3/30, the vEdge router can uniquely NAT four source IP addresses, to the four addresses 10.1.17.0 through 10.1.17.3. Suppose the router maps the fourth source to the last pool address, 10.1.17.3, or more precisely to 10.1.17.3:12346 if we include the port number. It then maps the fifth source to the same IP address but a different port, such as 10.1.17.3:12347. This default behavior is called overloading. To have the router drop packets instead when no more IP addresses are available for the translation process, disable overloading on the pool:

vEdge(config)# vpn vpn-id interface natpoolnumber
vEdge(config-natpool)# nat
vEdge(config-nat)# no overload

Configure Static NAT

You can configure a vEdge router acting as a NAT to perform static network address translation (also called 1:1 static NAT) of source IP addresses. You can translate service-side source addresses before sending packets out to the overlay network, and you can translate external addresses before forwarding packets to the service-side network.

For packets originating on the service side of a vEdge router, you can statically map the packets' source IP address to another IP address. You do this by creating a NAT pool interface within a service-side VPN. For this interface, you configure a pool of IP addresses to use for network address translation, and then you configure the static address mappings. When the address pool is depleted, you can choose to drop packets that have unmapped source IP addresses. (Dropping these packets is not the default behavior.)

For packets exiting a transport tunnel from a vEdge router, you can statically map the packet's source IP address to another IP address, generally to an address that is routable within the service-side network. You configure this in the same way as for NATing packets originating on the service side.

You must create separate NAT pool interfaces to translate the source IP addresses for service-side packets and for tunnel packets.

Across all NAT pools, a vEdge router can NAT a maximum of 254 source IP addresses. This is the number of addresses in a /24 prefix, less the .0 and .255 addresses. You cannot configure translation for .0 and .255 addresses.

This section explains how to configure static NAT for translating service-side source IP addresses and for translating external (transport-side) IP addresses. The two procedures are very similar, but we describe them separately for clarity.

Static NATing of Service-Side Addresses

To configure the static NATing of service-side source IP addresses:

  1. In the desired VPN, create the NAT pool interface:
    vEdge(config-vpn)# interface natpoolnumber
    The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.
  2. Enable the NAT pool interface:
    vEdge(config-natpool)# no shutdown
  3. Configure the IP address prefix for the NAT pool interface:
    vEdge(config-natpool)# ip address prefix/length
    The prefix length determines the maximum number of source IP addresses that can be NATed in the NAT pool. For example, for a /30 prefix length, a maximum of four source IP addresses can be NATed.
  4. Configure the NAT pool interface to perform network address translation:
    vEdge(config-natpool)# nat
  5. By default, all source IP addresses are translated to an address in the pool configured with the ip address command. Addresses are mapped one to one until the pool is depleted; after that, a single pool address is reused for all further sources (the last address in the pool or, in Releases 16.3.2 and later, the first address), with the port number changed to a random value between 1024 and 65535. This reuse of a single address is called overloading, and it effectively implements dynamic NAT.
    To configure static NAT, include the no overload command to enforce the mapping of a single source IP address to a single translated IP address:
    vEdge(config-nat)# no overload
    With this command, once all addresses in the pool are in use, packets from other source IP addresses are dropped.
  6. Set the direction in which the NAT pool interface performs static mapping to inside to statically translate service-side IP source addresses:
    vEdge(config-nat)# direction inside
    The default direction is inside.
    You can configure only a single direction for each NAT pool interface. That is, a single NAT pool interface can perform static address translation either for service-side source addresses (inside) or for external source addresses (outside), but not for both.
  7. Define the static address translations for service-side source IP addresses:
    vEdge(config-nat)# static source-ip ip-address1 translate-ip ip-address2 inside
    ip-address1 is the source IP address of a device or branch router on the service side of the vEdge router.
    ip-address2 is the translated source IP address. This is the address that the vEdge router places in the source field of the packet's IP header when transmitting the packet out the transport network. Because the NAT pool direction is inside, this IP address must be in the interface's IP address range. This is the IP address prefix configured in the ip address command.
    The inside option indicates that it is a service-side, or inside, address that is being statically translated.
    The maximum number of service-side source IP addresses that you can statically NAT is equal to the number of addresses available in the interface's prefix range. For example, for a /30 prefix length, you can configure a maximum of four static NAT mappings.
    Once the NAT static address mapping is installed in the router's NAT table, the router can perform source IP address translation in both directions—when a service-side packet is being transmitted into the transport network, and when an external packet (addressed to ip-address2) arrives at the router.
  8. Optionally, define the static address translations for transport-side source IP addresses:
    vEdge(config-nat)# static source-ip ip-address1 translate-ip ip-address2 outside
    ip-address1 is the source IP address of an external device or router, that is, of a device at a remote site.
    ip-address2 is the translated source IP address. This is the address that the vEdge router places in the source field of the packet's IP header before forwarding the traffic to the service-side network.
    The outside option indicates that an external IP address is being statically translated.
    Because the direction of the NAT pool is inside, the pool of IP addresses set aside for NATing is used only to NAT service-side source IP addresses. This means that here, you can configure any number of external static address translations.
    As a corollary of NATing an external IP address, a service-side device that responds to that external host simply takes the source IP address from the received packet (the translated address) and places it in the destination IP field of its reply.

Static NATing of External Addresses

To configure the static NATing of external source IP addresses:

  1. In the desired VPN, create the NAT pool interface:
    vEdge(config-vpn)# interface natpoolnumber
    The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.
  2. Enable the NAT pool interface:
    vEdge(config-natpool)# no shutdown
  3. Configure the IP address prefix for the NAT pool interface:
    vEdge(config-natpool)# ip address prefix/length
    The prefix length determines the maximum number of IP addresses that the router can NAT at the same time in that NAT pool. For example, for a /30 prefix length, the router can perform translation on four addresses at a time.
  4. Configure the NAT pool interface to perform network address translation:
    vEdge(config-natpool)# nat
  5. By default, all source IP addresses are translated to an address in the pool configured with the ip address command. Addresses are mapped one to one until the pool is depleted; after that, a single pool address is reused for all further sources, with the port number changed to a random value between 1024 and 65535. This reuse of a single address is called overloading, and it effectively implements dynamic NAT.
    To configure static NATing of external addresses, you must include the no overload command to enforce the mapping of a single source IP address to a single translated IP address, because the software does not support overloading on an outside NAT pool interface:
    vEdge(config-nat)# no overload
    With this command, once all addresses in the pool are in use, packets from other source IP addresses are dropped.
  6. Set the direction in which the NAT pool interface performs static mapping to outside, to statically translate external source IP addresses:
    vEdge(config-nat)# direction outside
    The default direction is inside.
    You can configure only a single direction for each NAT pool interface. That is, a single NAT pool interface can perform static address translation either for service-side source addresses (inside) or for external source addresses (outside), but not for both.
  7. Define the static address translations for external source IP addresses:
    vEdge(config-nat)# static source-ip ip-address1 translate-ip ip-address2 outside
    ip-address1 is the source IP address of a remote device or router on the transport side of the vEdge router.
    ip-address2 is the translated source IP address. This is the address that the vEdge router places in the source field of the packet's IP header when forwarding the packet into the service-side network. Because the NAT pool direction is outside, this IP address must be in the interface's IP address range, that is, in the prefix configured with the ip address command.
    The outside option indicates that the address being statically translated is an external, or outside, address.
    The maximum number of external source IP addresses that you can statically NAT is equal to the number of addresses available in the interface's prefix range. For example, for a /30 prefix length, you can configure a maximum of four static NAT mappings.
    As a corollary of NATing an external IP address, a service-side device that responds to that external host simply takes the source IP address from the received packet (the translated address) and places it in the destination IP field of its reply.
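The page shows a configuration for a dynamic NAT pool and for the data policy that feeds it, but not for the static procedures above. The following is an added example, not configuration from the original page or from Cisco, that puts the three pool types side by side in one service VPN: natpool1 is a dynamic pool with the default overloading, natpool2 is a static inside pool holding exactly the four mappings its /30 prefix allows, and natpool3 is a static outside pool. The pool numbers, the 10.100.x.x pool prefixes, the 10.20.24.x hosts, the 172.16.50.x remote addresses and the list names static-hosts and dynamic-hosts are all made up for illustration. Because natpool2 has no overload, a fifth service-side source sent to it would not fit and its packets would be dropped rather than being port-translated behind a reused address.

```text
vEdge# show running-config vpn 1
vpn 1
 interface ge0/4
  ip address 10.20.24.15/24
  no shutdown
 !
 interface natpool1
  ip address 10.100.1.1/32
  nat
  !
  no shutdown
 !
 interface natpool2
  ip address 10.100.2.4/30
  nat
   no overload
   direction inside
   static source-ip 10.20.24.101 translate-ip 10.100.2.4 inside
   static source-ip 10.20.24.102 translate-ip 10.100.2.5 inside
   static source-ip 10.20.24.103 translate-ip 10.100.2.6 inside
   static source-ip 10.20.24.104 translate-ip 10.100.2.7 inside
  !
  no shutdown
 !
 interface natpool3
  ip address 10.100.3.8/30
  nat
   no overload
   direction outside
   static source-ip 172.16.50.10 translate-ip 10.100.3.8 outside
   static source-ip 172.16.50.11 translate-ip 10.100.3.9 outside
  !
  no shutdown
 !
!
vSmart# show running-config policy
policy
 data-policy service-side-nat-policy
  vpn-list vpn-1
   sequence 10
    match
     source-data-prefix-list static-hosts
    !
    action accept
     nat pool 2
    !
   !
   sequence 20
    match
     source-data-prefix-list dynamic-hosts
    !
    action accept
     nat pool 1
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn-1
   vpn 1
  !
  data-prefix-list static-hosts
   ip-prefix 10.20.24.101/32
   ip-prefix 10.20.24.102/32
   ip-prefix 10.20.24.103/32
   ip-prefix 10.20.24.104/32
  !
  data-prefix-list dynamic-hosts
   ip-prefix 10.20.24.0/24
  !
  site-list site-500
   site-id 500
  !
 !
!
vSmart# show running-config apply-policy
apply-policy
 site-list site-500
  data-policy service-side-nat-policy from-service
 !
!
```

Sequence order matters: the four statically mapped hosts also fall inside 10.20.24.0/24, so sequence 10 must come before sequence 20 or they would be sent to the dynamic pool and silently share 10.100.1.1 with everything else. The example directs only service-side traffic; how traffic arriving from the tunnel is steered to the outside pool natpool3 is not shown on this page and is left out here. After activating the policy, confirm on the router with show policy from-vsmart that both sequences and both nat pool actions arrived, and with show interface vpn 1 that all three natpool interfaces are Up.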