Cisco SD-WAN NAT – PART I

written by: Ehsan Emad

In this article, I want to explain the SD-WAN NAT feature.

A vEdge Cloud router can act as a NAT device. It can perform NAT both on the transport side (VPN 0) and on the service side (VPN 1, for example).

If we deploy NAT on the transport side, traffic from local hosts can go directly to the internet from the vEdge. We can configure either port forwarding or dynamic PAT.

The NAT software performs both address and port translation. The Cisco SD-WAN NAT software supports 64,0000 NAT flows.

In this scenario, I want to do dynamic PAT on the transport side.

To achieve this, we need to complete two key steps:

  1. Enable NAT on the interface that faces the public internet in VPN 0 (in our scenario it is ge0/1).

  2. Direct traffic from another VPN (for example VPN 1) to the public internet by adding a route in that VPN that points to VPN 0.

Finally, we verify the result in vManage.

[Screenshot: sd-wan]

Let's do the configuration.

In my scenario, I am using vManage to do the configuration.

First, we go to the "Templates" menu.

[Screenshot: sd-wan-template]

The next step is to enable NAT in the VPN 0 template, under the interface facing the public internet.

[Screenshot: sd-wan-transport-vpn0]

Now, under the interface, we activate NAT.

[Screenshot: sd-want-nat-config-]

Let's do the second step.

In this step, we add a route on the service side that points to VPN 0.

[Screenshot: sd-wan-step2]

We go to the VPN 1 template (in our scenario, the service VPN is VPN 1).

[Screenshot: sd-wan-add-route-vpn]

Note: remember to select only the interesting traffic that should be NATed.

[Screenshot: sd-wan-route-add]
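The two steps configured above through vManage templates, written out as the equivalent vEdge CLI configuration. This is an added example and not configuration from the original article; the interface ge0/1 and the service VPN 1 are taken from the article, while the addresses 203.0.113.10/24 and 203.0.113.1 and the color biz-internet are assumed example values.

```text
! Step 1: enable NAT on the VPN 0 interface that faces the public internet
! (ge0/1 as in the article; addresses are assumed example values).
vpn 0
 interface ge0/1
  ip address 203.0.113.10/24
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.1
!
! Step 2: in the service VPN, point internet-bound traffic at VPN 0.
! The prefix of this route is the "interesting traffic": a default route sends
! everything without a more specific route straight out to the internet, so
! use a narrower prefix if only some destinations should leave directly.
vpn 1
 ip route 0.0.0.0/0 vpn 0
!
```

On the vEdge CLI, `show ip nat interface` confirms that NAT is enabled on ge0/1, and `show ip nat filter` lists the active translations, which is the same information the vManage real-time view shows in the verification steps that follow. Because a NAT-enabled transport interface is directly exposed to the internet, keep the route prefix in VPN 1 as narrow as the use case allows.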

Now a ping from the service side (the CSR router) goes out through the internet.

[Screenshot: sd-wan-nat-verification1]

For verification in vManage, follow these steps:

[Screenshot: sd-wan-verification-vmanage]

Now I send another ping, sourced from the loopback, to 8.8.8.8:

[Screenshot: sd-wan-vmanage-filter]

As you can see, the real (inside) IP address is shown in vManage, and the configuration is verified.

[Screenshot: sd-wan-vmanage-verify]

I hope you enjoyed the article.

To be continued...

Comment by lavesh kumar: very informative blog