LAN-side NAT Rules allow you to NAT IP addresses in an unadvertised subnet to IP addresses in an advertised subnet. LAN-side NAT Rules were introduced in the 3.3.2 release within the Device Settings configuration, at both the Profile and Edge levels. The 3.4 release extends them with LAN-side NAT based on source and destination, and with source and destination NAT on the same packet.

In the 3.3.2 release, VMware introduced a new LAN-side NAT module to NAT VPN routes on the Edge. The primary use cases are as follows:

  • Branch overlapping IP due to M&A
  • Hiding the private IP of a branch or data center for security reasons
In the 3.4 release, additional configuration fields are introduced to address additional use cases. Below is a high-level breakdown of LAN-side NAT support in different releases:
  • Source or Destination NAT for all matched subnets, both 1:1 and Many:1 are supported (3.3.2 release)
  • Source NAT based on Destination subnet or Destination NAT based on Source subnet, both 1:1 and Many:1 are supported (3.4 release)
  • Source NAT and Destination 1:1 NAT on the same packet (3.4 release)
Note:
  • LAN-side NAT supports traffic over VCMP tunnel. It does not support underlay traffic.
  • Support for "Many:1" and "1:1" (e.g. /24 to /24) Source and Destination NAT.
  • If multiple rules are configured, only the first matched rule is executed.
  • LAN-side NAT is done before route or flow lookup. To match traffic in the business profile, users must use the NATed IP.
  • By default, NATed IPs are not advertised from the Edge. Therefore, make sure to add a static route for the NATed IP and advertise it to the Overlay.
  • Configurations from 3.3.2 are carried over; there is no need to reconfigure after upgrading to 3.4.

Procedure

Note: To configure the default ("any") rule, specify an IP address of all zeros with a prefix of zero as well: 0.0.0.0/0.

To apply LAN-Side NAT Rules at the Profile Level:
  1. In the SD-WAN Service of the Enterprise Portal, go to Configure > Profiles.
  2. Select the appropriate Profile by clicking the check box next to the Profile Name.
  3. If not already selected, click the Device tab link.
  4. Scroll down to the Routing & NAT area.
  5. Open the LAN-Side NAT Rules area.
  6. Click +ADD to add a NAT Source or Destination.
  7. In the LAN-Side NAT Rules area, complete the following for the NAT Source or Destination section: (See the table below for a description of the fields in the steps below).
    1. Enter an address for the Inside Address text box.
    2. Enter an address for the Outside Address text box.
    3. Enter the Source Route in the appropriate text box.
    4. Enter the Destination Route in the appropriate text box.
    5. Type a description for the rule in the Description textbox (optional).
  8. In the LAN-side NAT Rules area, complete the following for NAT Source and Destination: (See the table below for a description of the fields in the steps below).
    1. For the Source type, enter the Inside Address and the Outside Address in the appropriate text boxes.
    2. For the Destination type, enter the Inside Address and the Outside Address in the appropriate text boxes.
    3. Type a description for the rule in the Description textbox (optional).
| LAN-side NAT Rule | Type | Description |
|---|---|---|
| Type | drop-down menu | Select either Source or Destination. Determines whether this NAT rule is applied to the source or destination IP address of user traffic. |
| Inside Address | text box | IPv4 address/prefix; prefix must be 1-32. The "inside" or "before NAT" IP address (if the prefix is 32) or subnet (if the prefix is less than 32). |
| Outside Address | text box | IPv4 address/prefix; prefix must be 1-32. The "outside" or "after NAT" IP address (if the prefix is 32) or subnet (if the prefix is less than 32). |
| Source Route | text box | Optional. IPv4 address/prefix; prefix must be 1-32; default: any. For destination NAT, specifies the source IP/subnet as the match criterion. Only valid if the type is "Destination". |
| Destination Route | text box | Optional. IPv4 address/prefix; prefix must be 1-32; default: any. For source NAT, specifies the destination IP/subnet as the match criterion. Only valid if the type is "Source". |
| Description | text box | Text. Custom text box to describe the NAT rule. |
Note: Important: If the Inside prefix length is less than the Outside prefix length, the rule performs Many:1 NAT in the LAN to WAN direction and 1:1 NAT in the WAN to LAN direction. For example, with Inside Address = 10.0.5.0/24, Outside Address = 192.168.1.25/32 and Type = Source, a session from LAN to WAN whose source IP matches the Inside Address (for example 10.0.5.1) has that source translated to 192.168.1.25. A session from WAN to LAN whose destination IP matches the Outside Address, 192.168.1.25, has that destination translated to 10.0.5.25. Similarly, if the Inside prefix length is greater than the Outside prefix length, the rule performs Many:1 NAT in the WAN to LAN direction and 1:1 NAT in the LAN to WAN direction. NATed IPs are not advertised automatically: configure a static route for the NATed IP, with the LAN next hop IP of the source subnet as its next hop.
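As an added illustration (not VMware's code), the following Python models the rule semantics described on this page: first-match evaluation, the Source Route/Destination Route match criteria, and the Many:1 versus 1:1 translation walked through in the note above. It assumes, from the page's examples, that the host bits of the original address are overlaid onto the target prefix, and that in the WAN to LAN direction the opposite field is matched against the Outside Address; the rules and packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    kind: str             # "source" or "destination" (the Type drop-down)
    inside: IPv4Network   # Inside Address: before-NAT address/subnet
    outside: IPv4Network  # Outside Address: after-NAT address/subnet
    match: IPv4Network    # Destination Route (source rule) / Source Route (destination rule)


def rule(kind: str, inside: str, outside: str, match: str = "0.0.0.0/0") -> NatRule:
    """Build a rule; match defaults to the page's "any" criterion, 0.0.0.0/0."""
    return NatRule(kind, IPv4Network(inside), IPv4Network(outside), IPv4Network(match))


def translate(addr: IPv4Address, target: IPv4Network) -> IPv4Address:
    """Overlay addr's host bits onto the target prefix (assumed from the page's
    examples): a /32 target yields Many:1, an equal-length target yields 1:1."""
    host_bits = int(addr) & ~int(target.netmask) & 0xFFFFFFFF
    return IPv4Address(int(target.network_address) | host_bits)


def apply_rules(rules: List[NatRule], src: str, dst: str,
                direction: str) -> Tuple[str, str, Optional[int]]:
    """Apply only the first matching rule (as the page states) and return the
    translated (src, dst, rule_index); index is None when nothing matched.
    direction is "lan_to_wan" or "wan_to_lan". In the reverse direction the
    opposite field is matched against Outside (assumption mirroring the page's
    WAN-to-LAN example) and translated back to Inside."""
    s, d = IPv4Address(src), IPv4Address(dst)
    forward = direction == "lan_to_wan"
    for i, r in enumerate(rules):
        # which field this rule rewrites, and which one the match criterion applies to
        on_src = (r.kind == "source") == forward
        field, other = (s, d) if on_src else (d, s)
        before, after = (r.inside, r.outside) if forward else (r.outside, r.inside)
        if field in before and other in r.match:
            new = translate(field, after)
            s, d = (new, d) if on_src else (s, new)
            return str(s), str(d), i
    return str(s), str(d), None


# Constructed rule set: a 1:1 rule scoped by Destination Route, then a Many:1 catch-all
RULES = [rule("source", "10.0.5.0/24", "192.168.1.0/24", "172.16.0.0/16"),
         rule("source", "10.0.5.0/24", "192.168.1.25/32")]
```

Because translation happens before route and flow lookup, the addresses returned here are the ones a business policy or static route must reference.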