vEdge Router as NAT Device
A vEdge router can also be used as a NAT device on both the transport side and the service side of the network. Let's look at how a vEdge router behaves when NAT is configured on the transport side or on the service side individually.
NAT on vEdge Router on Transport Side:
To give the local site access to Internet resources, NAT is configured on the transport side, performing both address and port translation (NAPT).
Let's see the figure below and understand the concepts and how it works.
Here the vEdge router is configured for NAT, so it splits its traffic into two paths; think of them as separate tunnels. Green traffic uses the overlay network and traverses from one vEdge to another over the usual IPsec tunnel, whereas grey traffic is redirected to the vEdge NAT function and then out to the public network.
NAT on the vEdge router performs both address translation and port translation, establishing a translation entry that maps a private address and port to a public IP address and port. Once this entry exists, the NAT device allows an incoming connection from an external host to that private address and port only if that private address and port have already established a connection to that external host.
Viptela NAT software supports 64000 NAT flows.
To understand this, let's look at the diagram.
The vEdge router splits traffic into two flows: one goes to the overlay network and the other to the public network.
vEdge router has two interfaces:
- Interface ge0/1 is on the local site in VPN 1, with the IP address 10.1.1.0/24.
- Interface ge0/0 is in the transport cloud in VPN 0 (the transport VPN), with the IP address 192.168.1.0/24 and the default OMP port number, 12346, for overlay network tunnels.
To configure the vEdge router to act as a NAT device so that some traffic from the router can go directly to a public network, you do three things:
- Enable NAT in the transport VPN (VPN 0) on the WAN-transport–facing interface ge0/0. All traffic exiting the vEdge router, whether to other overlay network sites or to a public network, passes through this interface.
- To direct data traffic from other VPNs to exit the vEdge router directly to a public network, enable NAT in those VPNs or ensure that those VPNs have a route to VPN 0.
- On the vSmart controller, create a centralized data policy that redirects the desired data traffic from the non-transport VPN to VPN 0, and then apply that data policy to the non-transport VPN. In this case, we apply the policy to VPN 1.
Once NAT is enabled on the vEdge router, data traffic affected by the centralized data policy (here, the data traffic from VPN 1) is split into two flows:
- Traffic destined for another vEdge router in the overlay network remains in VPN 1, and it travels directly through the IPsec data plane tunnel from the source vEdge router to the destination vEdge router. This traffic never passes through VPN 0, and therefore it is never touched by NAT.
- Traffic destined for the public network passes from VPN 1 to VPN 0, where it is NATed. During the NAT processing, the source IP address is changed from 10.1.1.0/24 to that of ge0/0, 126.96.36.199/24, and the source port is changed to 1234.
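The three steps above as a worked configuration, added here as an illustration and not taken from the article or from Cisco's documentation. The interface address 192.168.1.1/24, the site ID 100, the policy and list names, and the 10.0.0.0/8 overlay prefix are assumptions; the command syntax is the vEdge CLI to the best of my knowledge, so verify it against your software release.

```text
! vEdge router: enable NAT on the transport-facing interface in VPN 0 (step 1)
vpn 0
 interface ge0/0
  ip address 192.168.1.1/24
  nat
  tunnel-interface
   encapsulation ipsec
  !
  no shutdown
 !
!
! vSmart controller: centralized data policy for VPN 1 (steps 2 and 3)
policy
 lists
  vpn-list vpn-1
   vpn 1
  !
  site-list local-site
   site-id 100
  !
  data-prefix-list overlay-sites
   ip-prefix 10.0.0.0/8
  !
 !
 data-policy nat-to-internet
  vpn-list vpn-1
   ! traffic to other overlay sites stays in VPN 1 and is never NATed
   sequence 10
    match
     destination-data-prefix-list overlay-sites
    !
    action accept
   !
   ! everything else from the local LAN leaves via VPN 0 and is NATed
   sequence 20
    match
     source-ip 10.1.1.0/24
    !
    action accept
     nat use-vpn 0
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list local-site
  data-policy nat-to-internet from-service
 !
```

Sequence 10 is evaluated first, so internal destinations are matched and accepted before sequence 20 can send them to VPN 0; keep the overlay prefix list complete or that traffic is NATed out to the Internet instead of crossing the IPsec tunnel.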
When NAT is enabled, all traffic (data and control) through VPN 0 is NATed. The vBond orchestrator learns both the public and the private IP address of the vEdge router and advertises both addresses to the vSmart controller, which in turn advertises them to all vEdge routers in its domain. Each vEdge router then decides whether to use the public or the private IP address as follows:
- If the vEdge router is located at the same site as the other router (that is, if they are both configured with the same overlay network site ID), it communicates using the private address. Because both routers have the same site ID, they are behind the same NAT, and so their communication channels are already secure.
- If the vEdge router is at a different site, it communicates with the other router using the public address. Then, the NAT functionality on the vEdge router translates the public address to the proper private address.
NAT on vEdge Router on Service Side:
NAT can also be configured on the service side of the router, so that data traverses the NAT before entering the overlay tunnel. Service-side NAT masks the IP addresses of the data traffic it receives. Both dynamic NAT and 1:1 static NAT can be configured here.
In the figure above, the vEdge router has one NAT interface configured in VPN 1: the interface is natpool2 with IP address 192.168.1.1, and this is the address that each packet's IP address is translated to.
To configure service-side NAT, so that traffic traverses the NAT in VPN 1 before being sent over the transport tunnel towards its destination, do the following:
- Create a NAT pool interface in VPN 1, the service-side VPN. Here, the NAT pool number is 2.
- To direct data traffic from prefixes within VPN 1 to the service-side NAT, create a centralized data policy on the vSmart controller. In the match condition, specify the prefixes to be NATed. In the action condition, set the desired NAT pool, here, natpool 2. Then apply the data policy to the desired site (here, site 500), and apply it to traffic coming from the service side.
When traffic matches the specified prefix in VPN 1, it is directed to natpool2, NATed, and forwarded to its destination.