VPF NAT

This recipe uses VPF NAT to provide translation for traffic passing through the TNSR HA cluster.

Outbound NAT translates LAN addresses to an external address, but in this case the external address is the VRRP IP address. This is part of providing seamless failover to the other HA node. Since the state data will be identical on both nodes, client sessions can remain active through either node.

Create NAT Ruleset

The NAT ruleset is the same for both nodes:

tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# description NAT out WAN
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# description NAT from LAN prefix using VRRP
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.28.0.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.228/32
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
tnsr(config)#

Activate NAT Ruleset

Now apply that ruleset to the WAN interface on both nodes:

tnsr(config)# vpf options
tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-nat
tnsr(config-vpf-option)# exit
tnsr(config)#
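
Because the ruleset must match on both nodes and must translate to the VRRP address, a drift check over each node's command list is useful before testing failover. The following is an added example, not part of the TNSR documentation or software: the function names `parse` and `check` are hypothetical, the per-node command text is constructed from this recipe, and it assumes the VRRP address is the 203.0.113.228 used as the nat-prefix above.

```python
import ipaddress

# Constructed input: this recipe's commands per node, prompts and descriptions omitted.
NODE_A = """\
vpf nat ruleset WAN-nat
rule 1000
direction out
dynamic
algorithm ip-hash
from ipv4-prefix 10.28.0.0/24
nat-prefix 203.0.113.228/32
exit
exit
vpf options
interface WAN nat-ruleset WAN-nat
exit
"""
NODE_B = NODE_A.replace("203.0.113.228/32", "203.0.113.229/32")  # deliberate drift

def parse(text):
    """Return ({(ruleset, rule_no): settings}, {interface: ruleset})."""
    rules, bindings, ruleset, rule = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("vpf nat ruleset "):
            ruleset, rule = line.split()[3], None
        elif ruleset and line.startswith("rule "):
            rule = rules.setdefault((ruleset, line.split()[1]), {})
        elif line.startswith("interface ") and " nat-ruleset " in line:
            bindings[line.split()[1]] = line.split()[3]
        elif line == "exit":
            # exit from a rule keeps the ruleset; any other exit leaves it
            ruleset, rule = (ruleset if rule is not None else None), None
        elif rule is not None and not line.startswith("description"):
            key, _, val = line.rpartition(" ")
            rule[key or val] = val  # bare keywords such as "dynamic" map to themselves
    return rules, bindings

def check(node_a, node_b, vrrp_ip, wan="WAN"):
    """List findings that would break NAT failover between the HA pair."""
    (ra, ba), (rb, bb) = parse(node_a), parse(node_b)
    findings = ["NAT rules differ between nodes"] if ra != rb else []
    for name, rules, binds in (("A", ra, ba), ("B", rb, bb)):
        if binds.get(wan) not in {rs for rs, _ in rules}:
            findings.append(f"node {name}: no defined ruleset bound to {wan}")
        for (rs, num), r in rules.items():
            net = ipaddress.ip_network(r.get("nat-prefix", vrrp_ip), strict=False)
            if r.get("direction") == "out" and net != ipaddress.ip_network(vrrp_ip):
                findings.append(f"node {name}: {rs} rule {num} NATs to {net}, not {vrrp_ip}")
    return findings
```

Calling `check(NODE_A, NODE_B, "203.0.113.228")` reports both the mismatch between nodes and the rule on node B that translates to an address other than the VRRP address.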