LAN-Side NAT Rules allow you to NAT IP addresses in an unadvertised subnet to IP addresses in an advertised subnet. LAN-side NAT Rules were introduced in the 3.3.2 release and are available within the Device Settings configuration at both the Profile and Edge levels.

Before you begin:

Enable LAN-side NAT Rules: go to Configure Customer > Customer Capabilities and check the Enable LAN-side NAT Rules checkbox.
Note:
  • LAN-side NAT Rules can be configured at the Profile level or the Edge level. To configure at the Edge level, make sure the Enable Edge Override checkbox is checked.
  • LAN-side NAT supports traffic over VCMP tunnel. It does not support underlay traffic.

Use Case #1:

In this scenario, a third party has assigned multiple non-overlapping subnets to a customer's site. The server in the customer's data center recognizes traffic from this third party by a single IP address at any given site.

The VeloCloud configuration required for Use Case #1 is listed below:
  • VLAN1 = 192.168.1.0/24 - Do not advertise
  • Static route 192.168.5.0/24 - Do not advertise
  • Static route 192.168.7.0/24 - Do not advertise
  • Static route 57.24.12.0/24 - Do not advertise
  • Static route 172.16.24.0/24 - Advertise
  • New rule: LAN-side NAT 192.168.1.0/24 -> 172.16.24.4/32
Because the NAT rule is a single IP, TCP and UDP traffic will be PAT'd. So in this example, 192.168.1.50 becomes 172.16.24.4 with an ephemeral source port for TCP/UDP traffic, ICMP traffic becomes 172.16.24.4 with a custom ICMP ID for reverse lookup, and all other traffic will be dropped.

Use Case #2:

In this scenario, the LAN subnet is 192.168.1.0/24. However, this subnet overlaps with other sites. A unique subnet of equal size, 172.16.24.0/24, has been assigned for VPN communication at this site. Traffic from the PC must be NAT'd on the Edge before the route lookup. Otherwise, the source route will match 192.168.1.0/24, which is not advertised from this Edge, and the traffic will be dropped.

The VeloCloud configuration required for Use Case #2 is listed below:
  • VLAN1 = 192.168.1.0/24 - Do not advertise
  • Static route 172.16.24.0/24 - Advertise
  • New rule: LAN-side NAT 192.168.1.0/24 -> 172.16.24.0/24
Because the subnets match in size, all bits matching the subnet mask will be NAT'd. So in this example, 192.168.1.50 becomes 172.16.24.50.
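
The translations described in Use Case #1 and Use Case #2 can be modelled as follows. This is an added Python example, not VeloCloud code: the function name `translate_source` and the result labels are hypothetical, and only Source-type rules are modelled.

```python
import ipaddress

# Per Use Case #1: with a single outside IP, TCP/UDP are PAT'd, ICMP gets a
# custom ICMP ID, and every other protocol is dropped.
PAT_PROTOCOLS = {"tcp": "ephemeral source port",
                 "udp": "ephemeral source port",
                 "icmp": "custom ICMP ID"}


def parse_rule_address(text):
    """Parse an Inside/Outside Address field: IPv4 address/prefix, prefix 1-32."""
    net = ipaddress.IPv4Network(text)
    if not 1 <= net.prefixlen <= 32:
        raise ValueError(f"{text}: prefix must be 1-32")
    return net


def translate_source(inside, outside, src_ip, protocol):
    """Return (address after NAT or None, label) for one Source-type rule."""
    inside_net = parse_rule_address(inside)
    outside_net = parse_rule_address(outside)
    src = ipaddress.IPv4Address(src_ip)
    if src not in inside_net:
        return (str(src), "no match")  # rule does not apply to this source
    if outside_net.prefixlen == inside_net.prefixlen:
        # Use Case #2: equal-size subnets. Network bits are replaced and host
        # bits are kept. The page names no protocol restriction for this case.
        host_bits = int(src) & int(inside_net.hostmask)
        mapped = int(outside_net.network_address) | host_bits
        return (str(ipaddress.IPv4Address(mapped)), "1:1 NAT")
    if outside_net.prefixlen == 32:
        # Use Case #1: many inside hosts share one outside IP.
        detail = PAT_PROTOCOLS.get(protocol.lower())
        if detail is None:
            return (None, "dropped")
        return (str(outside_net.network_address), "PAT, " + detail)
    # Other size combinations are not described on the page.
    raise ValueError("only a /32 outside address or equal-size subnets are modelled")


if __name__ == "__main__":
    # Constructed sample traffic using the addresses from the two use cases.
    for outside in ("172.16.24.4/32", "172.16.24.0/24"):
        for proto in ("tcp", "icmp", "gre"):
            result = translate_source("192.168.1.0/24", outside, "192.168.1.50", proto)
            print(outside, proto, result)
```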

To apply LAN-Side NAT Rules:
  1. From the VCO navigational panel, go to Configure > Edges.
  2. In the Device Settings tab screen, scroll down to the LAN-Side NAT Rules area.
  3. In the LAN-Side NAT Rules area, complete the following (see the table below and the Use Cases described above for more information about the fields in the LAN-Side NAT Rules area):
    1. Enter an address for the Inside Address textbox.
    2. Enter an address for the Outside Address textbox.
    3. Choose either Source or Destination from the Type drop-down menu.
    4. Type a description for the rule in the Description textbox (optional).
    | LAN-side NAT Rules (Field Name) | Type | Description |
    | --- | --- | --- |
    | Inside Address text box | IPv4 address/prefix. Prefix must be 1-32. | The "inside" or "before NAT" IP address (if prefix is 32) or subnet (if prefix is less than 32). |
    | Outside Address text box | IPv4 address/prefix. Prefix must be 1-32. | The "outside" or "after NAT" IP address (if prefix is 32) or subnet (if prefix is less than 32). |
    | Type drop-down menu | Select either Source or Destination. | Determine whether this NAT rule should be applied on the source or destination IP address of user traffic. |
    | Description text box | Text | Custom text box to describe the NAT rule. |