NAT

NAT enables multiple sites with overlapping IP addresses to connect to a single SD-WAN fabric.

NOTE: NAT configuration is not available in Appliance Manager.

You can use branch NAT features for a variety of overlapping IP use cases.

  • The most common scenario is when all branches share the same IP configuration. You can use NAT to translate overlapping local IPs within a branch into globally scoped and routable IPs within the fabric.

  • You can also use routing segmentation in combination with NAT within your branch locations.

NOTE: Typically, the NAT feature should not be used for Local Breakout situations. Local Breakout relies on the Stateful+SNAT feature to automatically SNAT into the IP address of the WAN-side interface.

You can configure SNAT (Source Network Address Translation), DNAT (Destination Network Address Translation), destination TCP, and UDP port translation rules that apply to all LAN to WAN traffic in ingress and egress directions. Configured rules apply to all traffic, including tunneled traffic, internet-bound traffic, and other passthrough traffic. The following address translation options are supported:

  • 1:1 source and destination IP address translation

  • 1:1 subnet to subnet source and destination IP address translation

  • Many to one IP source address translation

  • NAT pools for translated source IP address

NOTE: You can NAT to and from non-EdgeConnect IP addresses, but NAT functionality does not apply to the EdgeConnect local IP addresses. Also, be aware that NAT between segments is not supported. This is handled by the Inter-Segment SNAT Exceptions feature. To navigate to this feature, enter “Inter-Segment SNAT Exceptions” in the search field at the top of the Orchestrator application. For feature details, see Inter-Segment SNAT Exceptions.

On the NAT tab, click NAT Rules to view NAT rules configured for your network. To view configured NAT pools, click NAT Pools.

You can select a segment from the Segment drop-down list to filter NAT rules in the table. This list includes all segments configured on the Routing Segmentation (VRF) tab. To display all NAT rules for any segment, select All. The Segment filter is available only if routing segmentation is enabled.

To save the contents of the currently displayed table to a CSV file, click Export.

NAT Rules and Pools

To add and configure NAT rules and pools for an appliance, click the edit icon associated with the appliance listed in the table. The NAT dialog box opens.

NAT Rules

Each NAT rule has a directional indicator. Outbound rules are applied to traffic flows initiated from the LAN and destined to the WAN. Inbound rules are applied to traffic flows initiated from the WAN and destined to the LAN. NAT rules include all tunneled traffic, internet-bound traffic, and other passthrough traffic. Return traffic for a given flow does not require an additional rule. You must configure a destination IP address for each rule.

NOTE: You must disable advertisements of local, static routes on the LAN side at the site so that routes are completely unique. In addition, you must configure announce-only static routes for your NAT pools and advertise them to the WAN by allowing the routes in your “Redistribute routes to SD-WAN fabric” route map. For details, see Routes Tab.

To add and configure a NAT rule:

  1. On the NAT dialog box, click Add Rule.

    A row is added to the table.

  2. Complete the following fields as appropriate.

    Priority: Order in which the rules are applied. The lower the priority value, the earlier the rule is evaluated and the more likely it is to be applied.

    LAN Interface: LAN interface the NAT rule uses. You can select a specific LAN interface or “any”. This is configurable for an outbound NAT rule only.

    Segment: Name of the segment to apply to this NAT rule. This field is available only if Routing Segmentation is enabled and if the appliance version supports NAT with segmentation.

      If you select a specific LAN interface for this NAT rule, this field is automatically populated with the segment for that interface, inferred from the Deployment dialog box. In this case, you cannot edit this field.

      You can select a segment for any NAT rule (inbound or outbound) if the LAN interface is set to “any”. For inbound rules, specify the destination segment the rule belongs to. For outbound rules, specify the source segment the rule belongs to.

      Deleting a segment from the Routing Segmentation (VRF) tab automatically removes all associated branch NAT rules.

    Direction: Select the direction of traffic:

      Outbound (LAN to Fabric or WAN-side)

      Inbound (Fabric or WAN-side to LAN)

    Protocol: Type of protocol matched by the NAT rule. By default, this is set to “any”.

    Source: Original source IP address of the IP packet. You can specify a source IP address or “any”.

    Destination: Original destination IP address of the IP packet (the LAN/WAN address to which the traffic is going). You can specify a destination IP address or “any”.

    Destination Port: Original destination port to match in the flow.

    Translated Source: Translated source IP address or NAT pool used when the NAT rule is applied. You can enter an IP address or, if you have set up one or more NAT pools, select a pool from the field’s drop-down list.

      NOTE: If you select a NAT pool, both the segment and the direction of the NAT rule and the NAT pool must match.

    Translated Destination: Translated destination IP address used when the NAT rule is applied.

    Translated Destination Port: Translated destination port used when the NAT rule is applied.

    Enabled: Select this check box to enable your customized NAT rule. Direction can be inbound or outbound.

    Comment: Comment you can add for the NAT rule.

  3. Click Save.

NOTE: You can create an explicit rule to not NAT by using the same IP subnet in the Source, Destination, Translated Source, and Translated Destination fields. In the example shown below, the first rule causes local traffic within the 192.168.11.0/24 range to not get NATed. The second rule, however, causes any other traffic from the 192.168.11.0/24 network to be source NATed into the NAT pool named “Pool”.

[Figure: example NAT rules for the 192.168.11.0/24 network, with the explicit no-NAT rule listed first and the source NAT rule into the pool named “Pool” listed second.]

NAT Pools

To add and configure a NAT pool:

  1. On the NAT dialog box, click NAT Pools.

    The NAT Pools dialog box opens.

  2. Click Add.

    A row is added to the table.

  3. Complete the following fields as appropriate.

    Name: Name of the NAT pool.

    Direction: Direction of traffic (Inbound or Outbound).

      NOTE: The direction applied to the NAT rule and the associated translated NAT pool must be the same.

    Segment: Name of the segment to apply to this NAT pool. This field is available only if Routing Segmentation is enabled and if the appliance version supports NAT with segmentation.

      NOTE: The segment applied to the NAT rule and the associated translated NAT pool must be the same.

    Subnet: Subnet IP address of the pool.

      NOTE: You can set up overlapping subnet IP addresses for NAT pools, but the associated segments must be unique (that is, not the same segment name).

    Translate Ports: Select this check box to enable source port translation if the NAT pool is too small to accommodate multiple flows simultaneously with one-to-one IP address translation.

  4. Click Save.
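The rule and pool behaviour described in the two sections above (priority-ordered first-match evaluation, the explicit no-NAT rule that pairs the same subnet in Source, Destination and Translated Source, source NAT into a pool, return traffic needing no second rule, and the Translate Ports option when a pool is too small) can be seen working together in the following toy model. It is an added example written for this page, not EdgeConnect or Orchestrator code: the rule and pool field names mirror the dialog boxes, but the flow table, the pool lease bookkeeping, the port cursor starting at 40000, the segment name “Default”, the pool subnet 10.255.1.0/30 and the client and server addresses are all constructed assumptions. Only outbound rules are modelled.

```python
# Added example: toy model of branch NAT rule evaluation with NAT pools.
# Illustration code only, not vendor code; flow-table and pool details are assumptions.
import ipaddress
from dataclasses import dataclass, field


def _matches(cidr, ip):
    """A field of "any" matches everything; otherwise the IP must fall inside the CIDR."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _map_subnet(ip, from_cidr, to_cidr):
    """1:1 subnet-to-subnet translation: keep the host offset, swap the network prefix.
    With from_cidr == to_cidr the address comes back unchanged (the explicit no-NAT rule)."""
    offset = int(ipaddress.ip_address(ip)) - int(ipaddress.ip_network(from_cidr).network_address)
    return str(ipaddress.ip_network(to_cidr).network_address + offset)


@dataclass
class NatPool:
    name: str
    direction: str                               # "outbound" or "inbound"
    segment: str
    subnet: str                                  # pool subnet, e.g. "10.255.1.0/30" (constructed)
    translate_ports: bool = False                # the "Translate Ports" check box
    leases: dict = field(default_factory=dict)   # LAN IP -> pool IP (assumed bookkeeping)
    next_port: int = 40000                       # assumed source-port cursor for port translation

    def allocate(self, lan_ip, lan_port):
        """Return (translated_ip, translated_port), or None if the pool cannot take the flow."""
        hosts = [str(h) for h in ipaddress.ip_network(self.subnet).hosts()]
        if lan_ip in self.leases:                # a LAN host keeps its one-to-one pool address
            return self.leases[lan_ip], lan_port
        free = [h for h in hosts if h not in self.leases.values()]
        if free:
            self.leases[lan_ip] = free[0]
            return free[0], lan_port
        if not self.translate_ports:
            return None                          # pool exhausted, one-to-one only: flow cannot be NATed
        self.next_port += 1                      # Translate Ports: share an address, rewrite the port
        return hosts[0], self.next_port


@dataclass
class NatRule:
    priority: int                # lower value is evaluated first
    direction: str
    segment: str
    source: str                  # original source: CIDR or "any"
    destination: str             # original destination: CIDR or "any"
    translated_source: str       # CIDR (1:1 subnet), single IP (many-to-one) or a NatPool name
    enabled: bool = True


class BranchNat:
    def __init__(self, rules, pools):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.pools = {p.name: p for p in pools}
        self.flows = {}          # (src, sport, dst, dport) -> (xsrc, xsport); assumed flow table

    def outbound(self, segment, src, sport, dst, dport):
        """Translate a LAN-to-WAN packet by the first matching rule. Returns the new
        (source, source port), or None when the matched pool cannot take the flow."""
        key = (src, sport, dst, dport)
        if key in self.flows:                    # existing flow: reuse its translation
            return self.flows[key]
        for rule in self.rules:
            if not (rule.enabled and rule.direction == "outbound" and rule.segment == segment):
                continue
            if not (_matches(rule.source, src) and _matches(rule.destination, dst)):
                continue
            pool = self.pools.get(rule.translated_source)
            if pool is not None:
                if (pool.direction, pool.segment) != (rule.direction, rule.segment):
                    raise ValueError(f"rule {rule.priority}: pool {pool.name} direction/segment mismatch")
                result = pool.allocate(src, sport)
            elif "/" in rule.translated_source:  # 1:1 subnet translation (source must be a CIDR)
                result = (_map_subnet(src, rule.source, rule.translated_source), sport)
            else:                                # many-to-one: every matching source becomes one IP
                result = (rule.translated_source, sport)
            if result is not None:
                self.flows[key] = result
            return result
        return (src, sport)                      # no rule matched: forwarded untranslated

    def reply(self, wan_src, wan_sport, dst, dport):
        """Reverse-translate a WAN-to-LAN reply from the flow table; no inbound rule is needed."""
        for (src, sport, fdst, fdport), (xsrc, xsport) in self.flows.items():
            if (xsrc, xsport, fdst, fdport) == (dst, dport, wan_src, wan_sport):
                return (src, sport)
        return None


def build_example():
    """The two rules from the page's example plus a constructed /30 pool named "Pool"."""
    pool = NatPool("Pool", "outbound", "Default", "10.255.1.0/30")
    rules = [
        # Priority 10: explicit no-NAT for traffic that stays inside 192.168.11.0/24
        NatRule(10, "outbound", "Default", "192.168.11.0/24", "192.168.11.0/24", "192.168.11.0/24"),
        # Priority 20: everything else from 192.168.11.0/24 is source NATed into "Pool"
        NatRule(20, "outbound", "Default", "192.168.11.0/24", "any", "Pool"),
    ]
    return BranchNat(rules, [pool])


if __name__ == "__main__":
    nat = build_example()
    print(nat.outbound("Default", "192.168.11.5", 51000, "192.168.11.20", 443))  # local: unchanged
    print(nat.outbound("Default", "192.168.11.5", 51001, "10.20.0.9", 443))      # first pool address
    print(nat.outbound("Default", "192.168.11.6", 51002, "10.20.0.9", 443))      # second pool address
    print(nat.outbound("Default", "192.168.11.7", 51003, "10.20.0.9", 443))      # None: pool exhausted
    print(nat.reply("10.20.0.9", 443, "10.255.1.1", 51001))                      # reply mapped back
```

Running the block shows the local 192.168.11.0/24 flow leaving untranslated, the next two hosts taking the two addresses of the /30 pool, the third host failing with one-to-one translation only, and the server's reply being mapped back through the flow table without any inbound rule. Setting `translate_ports=True` on the pool lets that third host share 10.255.1.1 on a rewritten source port, which is the situation the Translate Ports check box exists for; a rule and pool whose direction or segment differ raise an error, mirroring the note that both must match.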