Reverse Network Address Translation Behavior in NetScaler Appliance

Article ID: CTX122909

Description

This article describes the behavior of Reverse Network Address Translation (RNAT) in a NetScaler appliance.

With RNAT, the NetScaler appliance replaces the source IP address of packets generated by hosts in the configured subnet (or matched by the configured ACL) with the configured NAT IP address. RNAT is typically used to let servers with private, non-routable IP addresses initiate connections to the Internet, but it also changes how other traffic passing through the appliance is handled, and those side effects must be taken into account when designing the configuration.

Environment

Consider the following sample network configuration. A company is assigned the public IP address range 1.1.1.0/24 and uses it for Internet-facing addresses. It also uses the private IP address ranges 192.168.2.0/24 and 172.16.0.0/24. Hosts on the 192.168.2.0/24 and 172.16.0.0/24 networks have the NetScaler SNIP addresses configured as their default gateway.

[Diagram: sample network configuration (image not available in this copy)]

Sample Configurations

In each of the following simplified configuration examples, the table under "Result" lists, for a given source and destination, whether RNAT is applied and which NAT IP address is substituted for the source.

Configuration

set rnat 192.168.2.0 255.255.255.0 -natip 1.1.1.20

Result

Source          Destination     RNAT Applied    RNAT IP
192.168.2.20    2.2.2.2         Yes             1.1.1.20
192.168.2.20    172.16.0.30     Yes             1.1.1.20
192.168.2.20    1.1.1.50        Yes             1.1.1.20
192.168.2.20    192.168.2.21    No              None
192.168.2.20    192.168.2.10    No              None
172.16.0.30     Any             No              None
2.2.2.2         Any             No              None

Configuration

set rnat 192.168.2.0 255.255.255.0 -natip 1.1.1.20
set rnat 172.16.0.0 255.255.255.0 -natip 1.1.1.21

Result

Source          Destination     RNAT Applied    RNAT IP
192.168.2.20    2.2.2.2         Yes             1.1.1.20
192.168.2.20    172.16.0.30     Yes             1.1.1.20
192.168.2.20    1.1.1.50        Yes             1.1.1.20
192.168.2.20    192.168.2.21    No              None
192.168.2.20    192.168.2.10    No              None
172.16.0.30     2.2.2.2         Yes             1.1.1.21
172.16.0.30     172.16.0.30     No              None
172.16.0.30     1.1.1.50        Yes             1.1.1.21
172.16.0.30     192.168.2.10    Yes             1.1.1.21
2.2.2.2         Any             No              None

Configuration

add ns acl RNAT_ACL_1 ALLOW -srcIP = 192.168.2.20 -destip 192.168.2.10
apply ns acls
set rnat RNAT_ACL_1 -natIP 192.168.2.1

Result

Source          Destination     RNAT Applied    RNAT IP
192.168.2.20    2.2.2.2         No              None
192.168.2.20    172.16.0.30     No              None
192.168.2.20    1.1.1.50        No              None
192.168.2.20    192.168.2.21    No              None
192.168.2.20    192.168.2.10    Yes             192.168.2.1
172.16.0.30     2.2.2.2         No              None
172.16.0.30     172.16.0.30     No              None
172.16.0.30     1.1.1.50        No              None
172.16.0.30     192.168.2.10    No              None
2.2.2.2         Any             No              None

Configuration

add ns acl RNAT_ACL_1 ALLOW -srcIP = 192.168.2.0-192.168.2.254 -destip 0.0.0.0-172.16.0.0
add ns acl RNAT_ACL_2 ALLOW -srcIP = 192.168.2.0-192.168.2.254 -destip 172.17.0.0-*
add ns acl RNAT_ACL_3 ALLOW -srcIP = 172.16.0.30 -destip 0.0.0.0-192.168.2.0
add ns acl RNAT_ACL_4 ALLOW -srcIP = 172.16.0.30 -destip 192.168.3.0-*
apply ns acls
set rnat RNAT_ACL_1 -natIP 1.1.1.20
set rnat RNAT_ACL_2 -natIP 1.1.1.20
set rnat RNAT_ACL_3 -natIP 1.1.1.21
set rnat RNAT_ACL_4 -natIP 1.1.1.21

Result

Source          Destination     RNAT Applied    RNAT IP
192.168.2.20    2.2.2.2         Yes             1.1.1.20
192.168.2.20    172.16.0.30     No              None
192.168.2.20    1.1.1.50        Yes             1.1.1.20
192.168.2.20    192.168.2.21    No              None
192.168.2.20    192.168.2.10    Yes             1.1.1.20
172.16.0.30     2.2.2.2         Yes             1.1.1.21
172.16.0.30     172.16.0.30     No              None
172.16.0.30     1.1.1.50        Yes             1.1.1.21
172.16.0.30     192.168.2.10    No              None
2.2.2.2         Any             No              None

Some Important Points

  • A BRIDGE ACL can cause the NetScaler appliance to bypass the RNAT rules.

  • An RNAT rule takes precedence over the normal NAT behavior of a NetScaler appliance when a client accesses a virtual server. For example:

    • The client is 2.2.2.2, the virtual IP address is 1.1.1.50, and the server is 192.168.2.20. The virtual IP address has the real server bound to it.
    • When Use Source IP (USIP) is set to OFF in a NetScaler appliance, and the client connects to the virtual IP address, the server sees the SNIP of the appliance as the source IP address in the connection.
    • When USIP is set to ON in the appliance and the client connects to the virtual IP address, the server sees the actual client IP address as the source IP address in the connection.
    • When USIP is set to either ON or OFF in the appliance, and there is an RNAT configuration that matches the source IP of the client (whether using ACLs or not), when the client connects to the virtual IP address, the server sees the RNAT IP address as the source IP address in the connection.
  • You can also use a virtual IP address as the RNAT IP address.
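The following model, added here as an illustration and not part of the original article or of NetScaler itself, applies the two kinds of RNAT rule shown in the sample configurations (subnet-based and ACL-based) to a source/destination pair and then applies the USIP precedence described in the points above. The rule lists transcribe the four sample configurations; the SNIP 192.168.2.1 and the 2.2.2.0/24 client-side RNAT rule in the usage note are constructed values. Reading "lo-*" in an ACL as "lo up to 255.255.255.255" is an assumption about the article's notation. The model only decides what a rule would do to a packet that transits the appliance; the article's "No" rows for peers on the same segment (for example 192.168.2.20 to 192.168.2.21 in the subnet-based configurations) are, on my reading, cases where the packet never reaches the appliance, which is a topology question the model does not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPv4 = ipaddress.IPv4Address


def parse_range(spec: str) -> Tuple[IPv4, IPv4]:
    """Parse an ACL address operand: a single address or 'lo-hi'.
    The article writes 'lo-*'; this model reads '*' as 255.255.255.255
    (an assumption about the notation, not a documented NetScaler feature)."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        hi = "255.255.255.255" if hi == "*" else hi
        return IPv4(lo), IPv4(hi)
    addr = IPv4(spec)
    return addr, addr


def in_range(addr: IPv4, rng: Tuple[IPv4, IPv4]) -> bool:
    lo, hi = rng
    return lo <= addr <= hi  # endpoints inclusive, as the result tables imply


@dataclass(frozen=True)
class SubnetRnat:
    """set rnat <network> <netmask> -natip <ip>: matches on the source subnet only."""
    network: ipaddress.IPv4Network
    natip: str

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.network


@dataclass(frozen=True)
class AclRnat:
    """add ns acl <name> ALLOW -srcIP <range> -destip <range>; set rnat <name> -natIP <ip>."""
    src: Tuple[IPv4, IPv4]
    dst: Tuple[IPv4, IPv4]
    natip: str

    @classmethod
    def from_spec(cls, src_spec: str, dst_spec: str, natip: str) -> "AclRnat":
        return cls(parse_range(src_spec), parse_range(dst_spec), natip)

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return in_range(src, self.src) and in_range(dst, self.dst)


Rule = Union[SubnetRnat, AclRnat]


def rnat_decision(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Return the NAT IP the first matching rule substitutes for the source
    address, or None when no rule matches (the packet leaves untranslated).
    Applies only to packets that actually transit the appliance."""
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.natip
    return None


def source_seen_by_server(client: str, server: str, usip: bool,
                          rules: List[Rule], snip: str) -> str:
    """Source address the back-end server logs for a client-to-VIP connection:
    a matching RNAT rule wins regardless of USIP; otherwise USIP ON shows the
    client address and USIP OFF shows the appliance SNIP."""
    natip = rnat_decision(rules, client, server)
    if natip is not None:
        return natip
    return client if usip else snip


# The article's four sample configurations, transcribed as rule lists.
CONFIG_1 = [SubnetRnat(ipaddress.ip_network("192.168.2.0/24"), "1.1.1.20")]
CONFIG_2 = CONFIG_1 + [SubnetRnat(ipaddress.ip_network("172.16.0.0/24"), "1.1.1.21")]
CONFIG_3 = [AclRnat.from_spec("192.168.2.20", "192.168.2.10", "192.168.2.1")]
CONFIG_4 = [
    AclRnat.from_spec("192.168.2.0-192.168.2.254", "0.0.0.0-172.16.0.0", "1.1.1.20"),
    AclRnat.from_spec("192.168.2.0-192.168.2.254", "172.17.0.0-*", "1.1.1.20"),
    AclRnat.from_spec("172.16.0.30", "0.0.0.0-192.168.2.0", "1.1.1.21"),
    AclRnat.from_spec("172.16.0.30", "192.168.3.0-*", "1.1.1.21"),
]

if __name__ == "__main__":
    for src, dst in [("192.168.2.20", "2.2.2.2"), ("192.168.2.20", "172.16.0.30"),
                     ("172.16.0.30", "1.1.1.50"), ("172.16.0.30", "192.168.2.10")]:
        print(f"config 4: {src} -> {dst}: RNAT IP {rnat_decision(CONFIG_4, src, dst)}")
```

For the fourth configuration, 192.168.2.20 to 172.16.0.30 returns None because 172.16.0.30 falls in the gap between the two destination ranges (0.0.0.0-172.16.0.0 and 172.17.0.0-*), which is exactly the "No" row in that table; changing either range endpoint moves the boundary, so the model is a quick way to check an ACL set before applying it. The `source_seen_by_server` function is the part that matters for log attribution: once a client's source matches any RNAT rule, the server's logs record the RNAT IP rather than the client, whether USIP is ON or OFF.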

As these examples show, NetScaler RNAT can be configured in many different ways, so it is important to understand the implications of a given RNAT configuration for all traffic that passes through the appliance, not only for the connections it was intended to translate.

Additional Resources

CTX135604 - Reverse Network Address Translation Does Not Work with Intranet IP Addresses
