Use the VPN-Interface-NAT-Pool template for all vEdge routers.
To configure NAT pool interfaces in a VPN using vManage templates:
- Create a VPN-Interface-NAT-Pool template to configure Ethernet interface parameters, as described in this article.
- Create a VPN feature template to configure parameters for a service-side VPN. See the VPN help topic.
- Optionally, create a data policy to direct data traffic to a service-side NAT.
Navigate to the Template Screen
- In vManage NMS, select the Configuration ► Templates screen.
- In the Device tab, click Create Template.
- From the Create Template drop-down, select From Feature Template.
- From the Device Model drop-down, select the type of device for which you are creating the template.
- Click the Service VPN tab located directly beneath the Description field, or scroll to the Service VPN section.
- Click the Service VPN drop-down.
- Under Additional VPN Templates, located to the right of the screen, click VPN Interface NAT Pool.
- From the VPN Interface NAT Pool drop-down, click Create Template. The VPN-Interface-NAT-Pool template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface NAT Pool parameters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:
Device Specific (indicated by a host icon)
Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.
When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.
To change the default key, type a new string and move the cursor out of the Enter Key box.
Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.
Global (indicated by a globe icon)
Enter a value for the parameter, and apply that value to all devices.
Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
Minimum Interface Configuration
The following parameters are required (unless otherwise indicated) to configure a NAT pool interface on a vEdge router:
| # | Parameter | Description |
|---|---|---|
| 1 | Template Name | Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters. |
| 2 | Description (Template) | Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters. |
| 3 | Shutdown | Click No to enable the interface. |
| 4 | Interface Name | Enter a number for the NAT pool interface to use for a service-side NAT. Range: 1 through 31. |
| 5 | Description (optional) | Enter a description for the interface. |
| 6 | IPv4 Address | Enter the IPv4 address of the interface in prefix/length form. The prefix length determines the number of addresses that the router can NAT at the same time. A vEdge router can NAT a maximum of 250 IP addresses. |
| 7 | Refresh Mode (optional) | Select how NAT mappings are refreshed: bi-directional or outbound (the refresh keywords in the CLI syntax). |
| 8 | UDP Timeout (optional) | Enter the time after which NAT translations over UDP sessions time out. Range: 1 through 65536 minutes. Default: 1 minute. |
| 9 | TCP Timeout (optional) | Enter the time after which NAT translations over TCP sessions time out. Range: 1 through 65536 minutes. Default: 60 minutes (1 hour). |
| 10 | Block ICMP (optional) | Select whether a vEdge router that is acting as a NAT device should receive inbound ICMP error messages. By default, the router blocks these error messages. Click Off to receive the ICMP error messages. |
| 11 | Direction | Select the direction in which the NAT interface performs address translation. inside: translate the source IP address of packets that are coming from the service side of the vEdge router and that are destined to the transport side of the router. outside: translate the source IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined to a service-side device. |
| 12 | Overload (optional) | Click No to disable dynamic NAT. By default, dynamic NAT is enabled. |
| 13 | Save | Click Save to save the feature template. |
The equivalent CLI configuration is:

```
vpn vpn-id interface natpoolnumber ip address prefix/length nat direction (inside | outside) [no] overload refresh (bi-directional | outbound) static source-ip ip-address1 translate-ip ip-address2 (inside | outside) tcp-timeout minutes udp-timeout minutes [no] shutdown
```
Configure Port-Forwarding Rules
To create port-forwarding rules to allow requests from an external network to reach devices on the internal network, select the Port Forward tab, and click the plus sign (+) to add a port-forwarding rule. You can create up to 128 rules.
| Parameter | Description |
|---|---|
| Port Start Range | Enter the starting port number. This number must be less than or equal to the ending port number. |
| Port End Range | Enter the ending port number. To apply port forwarding to a single port, specify the same port number for the starting and ending numbers. When applying port forwarding to a range of ports, the range includes the two port numbers that you specify. |
| Protocol | Select the protocol to apply the port-forwarding rule to. It can be TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules. |
| VPN | Private VPN in which the internal server resides. Range: 0 through 65535. |
| Private IP | Enter the private IP address of the internal server to which matching requests are forwarded. |
The equivalent CLI configuration is:

```
vpn vpn-id interface natpoolnumber nat port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) private-ip-address ip address private-vpn vpn-id
```
Configure Static NAT
To configure static NATing of service-side source IP addresses, select the Static NAT tab, click On, and click the plus sign (+) to add a static NAT mapping:

| Parameter | Description |
|---|---|
| Source IP | Enter the private source IP address to be NATed. |
| Translate IP | Enter the public IP address to map the private source address to. |
| Direction | Select the direction in which to perform network address translation. inside: translate the IP address of packets that are coming from the service side of the vEdge router and that are destined to the transport side of the router. outside: translate the IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined to a service-side device. |

The equivalent CLI configuration is:

```
vpn vpn-id interface natpoolnumber ip address prefix/length no shutdown nat direction (inside | outside) no overload static source-ip ip-address1 translate-ip ip-address2 (inside | outside)
```
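The three sections above (the NAT pool interface, port-forwarding rules and static NAT) each list limits that vManage enforces in the form but that are easy to get wrong when configurations are generated or reviewed outside the GUI. The following Python script is an added example, not Cisco or Viptela code: it models a NAT pool with the same parameters, checks the constraints stated on this page (interface number 1 through 31, at most 250 NATed addresses, timeouts of 1 through 65536 minutes, at most 128 port-forwarding rules, start port not above end port, VPN 0 through 65535) and renders the CLI syntax shown under each section. The nesting of the rendered lines under `nat` and the sample addresses are assumptions; the page only gives the flat syntax.

```python
"""Build and validate a vEdge service-side NAT pool configuration.

Added example (not Cisco/Viptela code). It mirrors the limits listed on this
page and renders the CLI syntax the page documents for each section.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

MAX_NAT_ADDRESSES = 250        # page: a vEdge router can NAT at most 250 addresses
MAX_PORT_FORWARD_RULES = 128   # page: up to 128 port-forwarding rules


@dataclass
class PortForward:
    port_start: int
    port_end: int
    proto: str          # "tcp" or "udp"; the page says to use one rule per protocol
    private_ip: str     # internal server the request is forwarded to
    private_vpn: int    # VPN in which the internal server resides, 0..65535


@dataclass
class StaticNat:
    source_ip: str      # private source address to be NATed
    translate_ip: str   # public address it maps to
    direction: str      # "inside" or "outside"


@dataclass
class NatPool:
    vpn_id: int
    pool_number: int                  # interface natpool1 .. natpool31
    address: str                      # interface IPv4 address as prefix/length
    direction: str = "inside"
    overload: bool = True             # page: dynamic NAT is enabled by default
    refresh: str = "bi-directional"   # or "outbound", the keywords in the CLI syntax
    udp_timeout: int = 1              # minutes, page default
    tcp_timeout: int = 60             # minutes, page default
    shutdown: bool = False
    port_forwards: List[PortForward] = field(default_factory=list)
    static_nats: List[StaticNat] = field(default_factory=list)


def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate(pool: NatPool) -> List[str]:
    """Return the list of constraint violations; an empty list means the pool is acceptable."""
    errors: List[str] = []
    if not 1 <= pool.pool_number <= 31:
        errors.append("interface number must be 1 through 31")
    try:
        iface = ipaddress.IPv4Interface(pool.address)
        # The prefix length decides how many addresses the router NATs at once.
        if iface.network.num_addresses > MAX_NAT_ADDRESSES:
            errors.append(f"{pool.address} covers {iface.network.num_addresses} addresses, "
                          f"more than the {MAX_NAT_ADDRESSES} a vEdge router can NAT")
    except ValueError:
        errors.append(f"{pool.address!r} is not an IPv4 address in prefix/length form")
    if pool.direction not in ("inside", "outside"):
        errors.append("direction must be inside or outside")
    if pool.refresh not in ("bi-directional", "outbound"):
        errors.append("refresh must be bi-directional or outbound")
    for name, minutes in (("udp-timeout", pool.udp_timeout), ("tcp-timeout", pool.tcp_timeout)):
        if not 1 <= minutes <= 65536:
            errors.append(f"{name} must be 1 through 65536 minutes")
    if len(pool.port_forwards) > MAX_PORT_FORWARD_RULES:
        errors.append(f"at most {MAX_PORT_FORWARD_RULES} port-forwarding rules are allowed")
    for r in pool.port_forwards:
        if not 1 <= r.port_start <= r.port_end <= 65535:
            errors.append(f"port range {r.port_start}-{r.port_end} invalid: start must not exceed end")
        if r.proto not in ("tcp", "udp"):
            errors.append(f"protocol {r.proto!r} must be tcp or udp")
        if not 0 <= r.private_vpn <= 65535:
            errors.append(f"private VPN {r.private_vpn} out of range 0 through 65535")
        if not _is_ipv4(r.private_ip):
            errors.append(f"private IP {r.private_ip!r} is not an IPv4 address")
    for s in pool.static_nats:
        if s.direction not in ("inside", "outside"):
            errors.append(f"static NAT direction {s.direction!r} must be inside or outside")
        if not (_is_ipv4(s.source_ip) and _is_ipv4(s.translate_ip)):
            errors.append(f"static NAT {s.source_ip} -> {s.translate_ip} needs IPv4 addresses")
    return errors


def render(pool: NatPool) -> List[str]:
    """Render the CLI lines this page documents; raises ValueError if validation fails."""
    problems = validate(pool)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"vpn {pool.vpn_id}",
        f" interface natpool{pool.pool_number}",
        f"  ip address {pool.address}",
        "  nat",                                   # assumed nesting of the flat syntax
        f"   direction {pool.direction}",
        f"   {'overload' if pool.overload else 'no overload'}",
        f"   refresh {pool.refresh}",
        f"   tcp-timeout {pool.tcp_timeout}",
        f"   udp-timeout {pool.udp_timeout}",
    ]
    for s in pool.static_nats:
        lines.append(f"   static source-ip {s.source_ip} translate-ip {s.translate_ip} {s.direction}")
    for r in pool.port_forwards:
        lines.append(f"   port-forward port-start {r.port_start} port-end {r.port_end} "
                     f"proto {r.proto} private-ip-address {r.private_ip} private-vpn {r.private_vpn}")
    lines.append(f"  {'shutdown' if pool.shutdown else 'no shutdown'}")
    return lines


def example_pool() -> NatPool:
    """Constructed sample: a /29 pool with one static mapping and one HTTPS forward."""
    return NatPool(
        vpn_id=1, pool_number=1, address="203.0.113.1/29",
        static_nats=[StaticNat("10.1.1.10", "203.0.113.2", "inside")],
        port_forwards=[PortForward(443, 443, "tcp", "10.1.1.20", 1)],
    )


if __name__ == "__main__":
    print("\n".join(render(example_pool())))
```

Running the script prints the rendered configuration for the constructed pool; passing a `/24` address or an interface number above 31 makes `validate` return the violations instead, which is the check worth running before a generated template is attached to devices.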
Introduced in vManage NMS Release 16.3.