NAT with SD-WAN explained with Case study

Article ID: CTX232261

Description

Assistance required with NAT configuration.


Instructions

The following conceptual considerations should be made before deploying NAT on an SD-WAN appliance:

Connections can be originated in either direction, inside -> outside or outside -> inside. When a NAT rule is created, it is applied to both directions. Depending on the NAT rule type (inbound/outbound), the parameters considered for matching change.
 
In the following configuration (pasted in the screenshot):
  1. When the connection is initiated from inside to outside, the packet has to match the following conditions for the NAT policy to be applied:
    1. source service = Local and service name = LAN
    2. source IP address = 192.168.10.9
    3. source firewall zone = FIC (inside zone)
  2. When the connection is initiated from outside to inside, the packet has to match the following conditions for the NAT policy to be applied:
    1. source firewall zone = Default_LAN_Zone (outside zone)
    2. destination IP address = 10.28.115.81
Note: After the NAT policy is applied, the destination service name must be LAN; otherwise the packet will be dropped.
 
The directions in the NAT type are with respect to the SD-WAN appliance.
  • If NAT has to be applied when the connection is entering the appliance, it is Inbound NAT. In this case, firewall filters are applied on the translated/outside IP addresses.
  • If NAT has to be applied when the connection is leaving the appliance, it is Outbound NAT. In this case, firewall filters are applied on the actual IP addresses.
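As an added example (not code from the article or the SD-WAN product), the following Python model applies one static NAT rule in both connection directions using the article's example values, including the post-NAT check that the destination service name must be LAN. The routing table and the "Internet" service name are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed routing table: destination prefix -> service name the packet exits on.
ROUTES = {"192.168.10.0/24": "LAN", "0.0.0.0/0": "Internet"}

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_service: str       # service the packet arrived on, e.g. "Local"
    src_service_name: str  # e.g. "LAN"
    src_zone: str          # firewall zone the packet arrived from

@dataclass
class StaticNatRule:   # defaults are the values from the article's example configuration
    inside_ip: str = "192.168.10.9"
    inside_service: str = "Local"
    inside_service_name: str = "LAN"
    inside_zone: str = "FIC"
    outside_ip: str = "10.28.115.81"
    outside_zone: str = "Default_LAN_Zone"

def lookup_service(dst_ip: str) -> str:
    """Longest-prefix match over ROUTES to find the exit service name."""
    addr = ipaddress.ip_address(dst_ip)
    nets = sorted(map(ipaddress.ip_network, ROUTES), key=lambda n: n.prefixlen, reverse=True)
    return next(ROUTES[str(n)] for n in nets if addr in n)

def apply_nat(rule: StaticNatRule, pkt: Packet, initiated: str) -> Tuple[str, Optional[Packet]]:
    """Apply one rule in the direction the connection was initiated.
    Returns ("translated", pkt), ("no-match", pkt) or ("dropped", None)."""
    if initiated == "inside->outside":
        seen = (pkt.src_service, pkt.src_service_name, pkt.src_ip, pkt.src_zone)
        want = (rule.inside_service, rule.inside_service_name, rule.inside_ip, rule.inside_zone)
        if seen != want:
            return "no-match", pkt
        return "translated", replace(pkt, src_ip=rule.outside_ip)
    if initiated == "outside->inside":
        if (pkt.src_zone, pkt.dst_ip) != (rule.outside_zone, rule.outside_ip):
            return "no-match", pkt
        translated = replace(pkt, dst_ip=rule.inside_ip)
        # Post-NAT check from the article: destination service name must be LAN, else drop.
        if lookup_service(translated.dst_ip) != rule.inside_service_name:
            return "dropped", None
        return "translated", translated
    raise ValueError(f"unknown direction {initiated!r}")
```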

Here is a sample topology where Dynamic NAT needs to be performed on the traffic entering Branch-1 destined to R2:

[Screenshot: sample topology]

The part highlighted in yellow is my translation path. The incoming traffic from R8 (interface IP 11.11.11.8/24) to the Branch SD-WAN has service type Local and firewall zone Default; the exit interface is G3-B1-WAN-2 (via a static route pointing to R2), with service name 'G3-B1-LAN-WAN'. Below is the policy that performs the translation:

[Screenshot: NAT policy]

There is a static route on the Branch pointing to R2 with the exit interface G3-B1-WAN2 (WAN link 2):

[Screenshot: static route]



I generate traffic from R8 to R2's loopback, and we see the translation taking place on R8:

[Screenshot: translated traffic seen on R8]


On the Branch SD-WAN, we see the translation happening under Monitoring >> Firewall, as shown in the screenshot below:

[Screenshot: Monitoring >> Firewall]

 

Issue/Introduction

This document covers the details of configuring NAT with a sample configuration.