
VPN-Interface-Natpool

You can use the VPN-Interface-Natpool template for all vEdge routers.

To configure NAT pool interfaces in a VPN using vManage templates:

  1. Create a VPN-Interface-Natpool feature template to configure Ethernet interface parameters, as described in this article.
  2. Create a VPN feature template to configure parameters for a service-side VPN. See the Configuration ► Templates ► VPN help topic.
  3. Optionally, create a data policy to direct data traffic to a service-side NAT.
  4. Create a device template that incorporates the VPN-Interface-Natpool and VPN feature templates. See the Configuration ► Templates help topic.

Navigate to the Template Screen

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
  5. Select the VPN-Interface-Natpool template.

The right pane displays the VPN-Interface-Natpool template form.

  • The top of the form contains fields for naming the template.
  • The bottom contains fields for defining parameters applicable to that template.
  • A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
  • A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.

Minimum Interface Configuration

The following parameters are required (unless otherwise indicated) to configure a NAT pool interface on a vEdge router:

Step. Parameter Field: Procedure

 1. Template Name: Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.
 2. Description (Template): Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters.
 3. Shutdown: Click No to enable the interface.
 4. Interface name: Enter a number for the NAT pool interface.
    Range:
 5. Description (optional): Enter a description for the interface.
 6. IPv4 address: Enter the IPv4 address of the interface. The address length determines the number of addresses that the router can NAT at the same time. A vEdge router can NAT a maximum of 250 IP addresses.
 7. Refresh mode (optional): Select how NAT mappings are refreshed:
    bi-directional—Keep active the NAT mappings for inbound and outbound traffic.
    outbound—Keep active the NAT mappings for outbound traffic. This is the default.
 8. UDP timeout (optional): Enter the time when NAT translations over UDP sessions time out.
    Range: 1 through 65536 minutes
    Default: 1 minute
 9. TCP timeout (optional): Enter the time when NAT translations over TCP sessions time out.
    Range: 1 through 65536 minutes
    Default: 60 minutes (1 hour)
10. Direction (optional): Select the direction in which the NAT interface performs address translation:
    inside—Translate the source IP address of packets that are coming from the service side of the vEdge router and that are destined to the transport side of the router. This is the default.
    outside—Translate the source IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined to a service-side device.
11. Overload (optional): Click No to disable dynamic NAT. By default, dynamic NAT is enabled.
12. Save: Click Save to save the feature template.

CLI equivalent:

vpn vpn-id 
  interface natpoolnumber
    ip address prefix/length
    nat
      direction (inside | outside)
      [no] overload 
      refresh (bi-directional | outbound)
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)
      tcp-timeout minutes
      udp-timeout minutes
    [no] shutdown

Configure Port-Forwarding Rules

To create port-forwarding rules to allow requests from an external network to reach devices on the internal network, select the Port Forward tab, and click the plus sign (+) to add a port-forwarding rule. You can create up to 128 rules.

Parameter Name: Description

Port Start Range: Enter the starting port number. This number must be less than or equal to the ending port number.
Port End Range: Enter the ending port number. To apply port forwarding to a single port, specify the same port number for the starting and ending numbers. When applying port forwarding to a range of ports, the range includes the two port numbers that you specify.
Protocol: Select the protocol to apply the port-forwarding rule to. It can be TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules.
VPN: Private VPN in which the internal server resides.
  Range: 0 through 65535
Private IP: If the vEdge router has multiple TLOCs, click No to have the tunnel not establish a TLOC. The default is On, which establishes a control connection for the TLOC.

CLI equivalent:

vpn vpn-id 
  interface natpoolnumber
    nat
      port-forward port-start port-number1 port-end port-number2 proto (tcp | udp)
        private-ip-address ip address private-vpn vpn-id
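
The port-forwarding constraints above (start port no greater than end port, TCP or UDP only, private VPN 0 through 65535, at most 128 rules) can be checked before a template is saved, since every rule exposes an internal server to the external network. The following Python is an added example, not Cisco code: the PortForward class, check_rules, render, the sample addresses, the IPv4-only address check, the 0-65535 port bound and the overlap check are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 128          # page: "You can create up to 128 rules"
PROTOCOLS = ("tcp", "udp")

@dataclass(frozen=True)
class PortForward:       # hypothetical container for one rule
    port_start: int
    port_end: int
    proto: str
    private_ip: str
    private_vpn: int

def check_rules(rules):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    for i, r in enumerate(rules):
        tag = f"rule {i}"
        if not all(0 <= p <= 65535 for p in (r.port_start, r.port_end)):
            problems.append(f"{tag}: port outside 0-65535")
        if r.port_start > r.port_end:
            problems.append(f"{tag}: start port is greater than end port")
        if r.proto not in PROTOCOLS:
            problems.append(f"{tag}: protocol must be tcp or udp")
        if not 0 <= r.private_vpn <= 65535:
            problems.append(f"{tag}: private VPN outside 0-65535")
        try:
            ipaddress.IPv4Address(r.private_ip)
        except ValueError:
            problems.append(f"{tag}: invalid private IPv4 address")
        # Added audit check (not a rule stated on the page): flag earlier
        # rules that forward the same protocol and an overlapping port range.
        for j, o in enumerate(rules[:i]):
            if o.proto == r.proto and o.port_start <= r.port_end and r.port_start <= o.port_end:
                problems.append(f"{tag}: overlaps rule {j}")
    return problems

def render(vpn_id, natpool, rules):
    """Render rules in the CLI layout shown above."""
    lines = [f"vpn {vpn_id}", f"  interface natpool{natpool}", "    nat"]
    for r in rules:
        lines.append(f"      port-forward port-start {r.port_start} "
                     f"port-end {r.port_end} proto {r.proto}")
        lines.append(f"        private-ip-address {r.private_ip} "
                     f"private-vpn {r.private_vpn}")
    return "\n".join(lines)

# Constructed sample rules (addresses are illustrative, not from the page).
SAMPLE = [PortForward(443, 443, "tcp", "10.0.0.10", 1),
          PortForward(5000, 5010, "udp", "10.0.0.11", 1)]
```

Run check_rules on the full rule list first and pass it to render only when the returned list is empty.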

Configure Static NAT

To configure static NATing of service-side source IP addresses, select the Static NAT tab, click On, and click the plus sign (+) to add a static NAT mapping:

Parameter Name: Description

Source IP: Enter the private source IP address to be NATed.
Translate IP: Enter the public IP address to map the private source address to.
Direction: Select the direction in which to perform network address translation:
  inside—Translate the IP address of packets that are coming from the service side of the vEdge router and that are destined to the transport side of the router.
  outside—Translate the IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined to a service-side device.

CLI equivalent:

vpn vpn-id
  interface natpoolnumber
    ip address prefix/length
    no shutdown
    nat
      direction (inside | outside)
      no overload
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)

Release Information

Introduced in vManage NMS Release 16.3.
