LAN-Side NAT Rules allow you to NAT IP addresses in an unadvertised subnet to IP addresses in an advertised subnet. LAN-side NAT Rules are configured under Device Settings at both the Profile and Edge levels. The feature was introduced in the 3.3.2 release; the 3.4 release extends it with LAN-side NAT based on source and destination match criteria and with source and destination NAT on the same packet.
From the 3.3.2 release, VMware introduced a new LAN-side NAT module to NAT VPN routes on the Edge. The primary use cases are as follows:
- Branch overlapping IP due to M&A
- Hiding the private IP of a branch or data center for security reasons
- Source or Destination NAT for all matched subnets, both 1:1 and Many:1 are supported (3.3.2 release)
- Source NAT based on Destination subnet or Destination NAT based on Source subnet, both 1:1 and Many:1 are supported (3.4 release)
- Source NAT and Destination 1:1 NAT on the same packet (3.4 release)
- LAN-side NAT supports traffic over VCMP tunnel. It does not support underlay traffic.
- Support for "Many:1" and "1:1" (e.g. /24 to /24) Source and Destination NAT.
- If multiple rules are configured, only the first matched rule is executed.
- LAN-side NAT is done before route or flow lookup. To match traffic in the business profile, users must use the NATed IP.
- By default, NATed IPs are not advertised from the Edge. Therefore, make sure to add a Static Route for the NATed IP and advertise it to the Overlay.
- Configurations in 3.3.2 will be carried over, no need to reconfigure upon 3.4 upgrade.
Procedure
Note: To configure the default rule ("any"), the IP address must be all zeros and the prefix must be zero as well: 0.0.0.0/0.
- In the SD-WAN Service of the Enterprise Portal, go to Configure > Profiles.
- Select the appropriate Profile by clicking the check box next to the Profile Name.
- If not already selected, click the Device tab link.
- Scroll down to the Routing & NAT.
- Open the LAN-Side NAT Rules area.
- Click +ADD to add a NAT Source or Destination.
- In the LAN-Side NAT Rules area, complete the following for the NAT Source or Destination section (see the table below for a description of the fields):
  - Enter an address in the Inside Address text box.
  - Enter an address in the Outside Address text box.
  - Enter the Source Route in the appropriate text box.
  - Enter the Destination Route in the appropriate text box.
  - Type a description for the rule in the Description text box (optional).
- In the LAN-side NAT Rules area, complete the following for the NAT Source and Destination section (see the table below for a description of the fields):
  - For the Source type, enter the Inside Address and the Outside Address in the appropriate text boxes.
  - For the Destination type, enter the Inside Address and the Outside Address in the appropriate text boxes.
  - Type a description for the rule in the Description text box (optional).
LAN-side NAT Rule | Type | Description |
---|---|---|
Type drop-down menu | Select either Source or Destination | Determines whether this NAT rule is applied to the source or the destination IP address of user traffic. |
Inside Address text box | IPv4 address/prefix; prefix must be 1-32 | The "inside" or "before NAT" IP address (if prefix is 32) or subnet (if prefix is less than 32). |
Outside Address text box | IPv4 address/prefix; prefix must be 1-32 | The "outside" or "after NAT" IP address (if prefix is 32) or subnet (if prefix is less than 32). |
Source Route text box | Optional; IPv4 address/prefix; prefix must be 1-32; default: any | For destination NAT, specifies the source IP/subnet as match criteria. Only valid if the type is "Destination." |
Destination Route text box | Optional; IPv4 address/prefix; prefix must be 1-32; default: any | For source NAT, specifies the destination IP/subnet as match criteria. Only valid if the type is "Source." |
Description text box | Text | Custom text box to describe the NAT rule. |
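The matching semantics described on this page (first matched rule wins, 1:1 versus Many:1 translation, the per-type Source Route / Destination Route match criteria, and same-packet source plus destination NAT) modelled in Python as an added example. This is not VMware code; the rule-dictionary layout, the "Both" type name, the handling of mismatched prefix lengths and the sample addresses are assumptions made for illustration.

```python
import ipaddress

ANY = "0.0.0.0/0"  # the default "any" rule, as the note above describes it

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def translate(ip, inside, outside):
    """Map one address from the inside prefix to the outside prefix."""
    ip, inside, outside = ipaddress.ip_address(ip), _net(inside), _net(outside)
    if outside.prefixlen == 32:                         # Many:1 -> one outside address
        return str(outside.network_address)
    if inside.prefixlen == outside.prefixlen:           # 1:1, e.g. /24 to /24
        offset = int(ip) - int(inside.network_address)  # host bits are preserved
        return str(ipaddress.ip_address(int(outside.network_address) + offset))
    raise ValueError("unsupported prefix combination")  # assumption, not stated on the page

def apply_lan_side_nat(src, dst, rules):
    """Return (src, dst) after the first matching rule (unchanged if none matches).
    Rule dicts mirror the table above: type "Source"/"Destination"/"Both", inside/outside
    prefixes, and the optional destination_route / source_route match criteria."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["type"] == "Source":
            if s in _net(r["inside"]) and d in _net(r.get("destination_route", ANY)):
                return translate(s, r["inside"], r["outside"]), str(d)
        elif r["type"] == "Destination":
            if d in _net(r["inside"]) and s in _net(r.get("source_route", ANY)):
                return str(s), translate(d, r["inside"], r["outside"])
        elif r["type"] == "Both":                       # same-packet source + destination NAT
            if s in _net(r["src_inside"]) and d in _net(r["dst_inside"]):
                return (translate(s, r["src_inside"], r["src_outside"]),
                        translate(d, r["dst_inside"], r["dst_outside"]))
    return str(s), str(d)

# Constructed sample rule set: branch subnet 10.1.1.0/24 overlaps with another site, so it
# is shown as 172.16.1.0/24 (1:1) towards the data center and hidden behind one address
# (Many:1) everywhere else. Only the first matching rule is executed, so order matters.
RULES = [
    {"type": "Source", "inside": "10.1.1.0/24", "outside": "172.16.1.0/24",
     "destination_route": "10.100.0.0/16"},
    {"type": "Source", "inside": "10.1.1.0/24", "outside": "172.16.99.1/32"},
    {"type": "Both", "src_inside": "10.1.2.0/24", "src_outside": "172.16.2.0/24",
     "dst_inside": "192.168.5.0/24", "dst_outside": "10.200.5.0/24"},
]

if __name__ == "__main__":
    print(apply_lan_side_nat("10.1.1.7", "10.100.0.5", RULES))   # ('172.16.1.7', '10.100.0.5')
    print(apply_lan_side_nat("10.1.1.7", "203.0.113.10", RULES))  # ('172.16.99.1', '203.0.113.10')
```

Because NAT runs before route or flow lookup, the addresses the function returns are the ones a business-policy rule would have to match, and the outside prefixes need a static route advertised to the overlay.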