Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

VPN-Interface-NAT-Pool

Use the VPN-Interface-NAT-Pool template for all vEdge routers.

To configure NAT pool interfaces in a VPN using vManage templates:

  1. Create a VPN-Interface-NAT-Pool template to configure Ethernet interface parameters, as described in this article.
  2. Create a VPN feature template to configure parameters for a service-side VPN. See the VPN help topic.
  3. Optionally, create a data policy to direct data traffic to a service-side NAT.

Navigate to the Template Screen

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. Click the Service VPN tab located directly beneath the Description field, or scroll to the Service VPN section.
  6. Click the Service VPN drop-down.
  7. Under Additional VPN Templates, located to the right of the screen, click VPN Interface NAT Pool.
  8. From the VPN Interface NAT Pool drop-down, click Create Template. The VPN-Interface-NAT-Pool template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface NAT Pool parameters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Minimum Interface Configuration

The following parameters are required (unless otherwise indicated) to configure a NAT pool interface on a vEdge router:

Step Parameter Field Procedure
 1. Template Name Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.
 2. Description (Template) Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters.
 3. Shutdown Click No to enable the interface.
 4. Interface Name Enter a number for the NAT pool interface to use for a service-side NAT.
Range: 1 through 31
 5. Description (optional) Enter a description for the interface.
 6. IPv4 Address

Enter the IPv4 address of the interface. The address length determines the number of addresses that the router can NAT at the same time. A vEdge router can NAT a maximum of 250 IP addresses.

 7. Refresh Mode (optional)

Select how NAT mappings are refreshed:
bi-directional—Keep active the NAT mappings for inbound and outbound traffic.
outbound—Keep active the NAT mappings for outbound traffic. This is the default.

 8. UDP Timeout (optional) Enter the time when NAT translations over UDP sessions time out.
Range: 1 through 65536 minutes
Default: 1 minute
 9. TCP Timeout (optional) Enter the time when NAT translations over UDP sessions time out.
Range: 1 through 65536 minutes
Default: 60 minutes (1 hour)
10. Block ICMP (optional) Select whether a vEdge router that is acting as a NAT device should receive inbound ICMP error messages. By default, the router blocks these error messages. Click Off to receive the ICMP error messages.
11. Direction (optional)

Select the direction in which the NAT interface performs address translation:
inside—Translate the source IP address of packets that are coming from the service side of the vEdge router and that are destined to transport side of the router. This is the default.

outside—Translate the source IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined to a service-side device.

12. Overload (optional) Click No to disable dynamic NAT. By default, dynamic NAT is enabled.
13. Save Click Save to save the feature template.

CLI equivalent:

vpn vpn-id 
  interface natpoolnumber
    ip address prefix/length
    nat
      direction (inside | outside)
      [no] overload 
      refresh (bi-directional | outbound)
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)
      tcp-timeout minutes
      udp-timeout minutes
    [no] shutdown

Configure Port-Forwarding Rules

To create port-forwarding rules to allow requests from an external network to reach devices on the internal network, select the Port Forward tab, and click the plus sign (+) to add a port-forwarding rule. You can create up to 128 rules.

Parameter Name Description
Port Start Range Enter the starting port number. This number must be less than or equal to the ending port number.
Port End Range Enter the ending port number. To apply port forwarding to a single port, specify the same port number for the starting and ending numbers. When applying port forwarding to a range of ports, the range includes the two port numbers that you specify
Protocol Select the protocol to apply the port-forwarding rule to. It can be TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules.
VPN Private VPN in which the internal server resides.
Range: 0 through 65535
Private IP If the vEdge router has multiple TLOCs, click No to have the tunnel not establish a TLOC. The default is On, which establishes a control connection for the TLOC.

CLI equivalent:

vpn vpn-id 
  interface natpoolnumber
    nat
      port-forward port-start port-number1 port-end port-number2 proto (tcp | udp)
        private-ip-address ip address private-vpn vpn-id

Configure Static NAT

To configure static NATing of service-side sour IP addresses, select the Static NAT tab, click On, and click the plus sign (+) to add a static NAT mapping:

Parameter Name Description
Source IP Enter the private source IP address to be NATed.
Translate IP Enter the public IP address to map the private source address to.
Direction Select the direction in wchih to perform network address translation:

inside—Translate the IP address of packets that are coming from the service side of the vEdge router and that are destined to transport side of the router.

outside—Translate the IP address of packets that are coming to the vEdge router from the transport side of the vEdge router and that are destined to a service-side device.

CLI equivalent:

vpn vpn-id
  interface natpoolnumber
    ip address prefix/length
    no shutdown
    nat
      direction (inside | outside)
      no overload
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)

Release Information

Introduced in vManage NMS Release 16.3.

  • Was this article helpful?