VPF NAT Behavior Notes

Before proceeding, there are a few important things to note about the behavior of NAT in VPF:

  • VPF processes filtering operations before NAT operations in any direction.

    This means filter rules see the pre-NAT addresses in packets, not the translated addresses. For example, for packets on an external WAN-style interface: with outbound NAT, the sources are local network addresses; with inbound NAT, the destinations are the external network addresses.

  • VPF performs NAT on the source address for egress traffic (out direction), and performs NAT on the destination address for ingress traffic (in direction).

  • For IPv6 source NAT, VPF only supports prefix translation (npt66). It does not support NAPT/overload style NAT for IPv6 addresses.

  • Unlike dataplane NAT, VPF only requires NAT to be configured on egress interfaces. It does not need to be configured on internal interfaces in most cases.

  • TNSR will not automatically respond to ARP and ICMP echo requests (ping) for addresses used in VPF NAT rules. Addresses used in NAT rules must be either routed to TNSR or configured on TNSR interfaces before they can function properly.

    Note

    This is different from dataplane NAT, which automatically responded for NAT pool addresses. Thus, this is a key item to factor into any conversion from dataplane NAT to VPF NAT.
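
The filter-before-NAT ordering in the first two points above can be checked with a small model. This is an added example, not TNSR code or configuration: the rule classes, the default-deny behavior, and all addresses are assumptions constructed for illustration.

```python
# Added illustration: simplified, stateless, default-deny model (an assumption, not TNSR code).
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class FilterRule:          # hypothetical pass rule
    direction: str         # "in" or "out"
    src: str               # CIDR matched against the packet source
    dst: str               # CIDR matched against the packet destination

@dataclass(frozen=True)
class NatRule:             # hypothetical NAT rule
    direction: str         # "out" rewrites source, "in" rewrites destination
    match: str             # CIDR matched against the address to rewrite
    to: str                # translated address

def traverse(pkt, direction, filters, nats):
    """Return the packet after filter then NAT, or None if no pass rule matched."""
    # Step 1: filtering runs first, so it sees the pre-NAT addresses.
    if not any(r.direction == direction
               and ip_address(pkt.src) in ip_network(r.src)
               and ip_address(pkt.dst) in ip_network(r.dst) for r in filters):
        return None
    # Step 2: NAT rewrites the source on egress, the destination on ingress.
    field = "src" if direction == "out" else "dst"
    for n in nats:
        if n.direction == direction and ip_address(getattr(pkt, field)) in ip_network(n.match):
            return replace(pkt, **{field: n.to})
    return pkt

# Constructed sample data (documentation and private address ranges).
NATS = [NatRule("out", "10.0.0.0/24", "203.0.113.2"),      # outbound source NAT
        NatRule("in", "203.0.113.2/32", "10.0.0.10")]      # inbound destination NAT
# Rules written against pre-NAT addresses: these match the sample traffic.
PRE_NAT = [FilterRule("out", "10.0.0.0/24", "0.0.0.0/0"),
           FilterRule("in", "0.0.0.0/0", "203.0.113.2/32")]
# Rules written against the translated addresses: these do not match it.
POST_NAT = [FilterRule("out", "203.0.113.2/32", "0.0.0.0/0"),
            FilterRule("in", "0.0.0.0/0", "10.0.0.10/32")]
OUTBOUND = Packet("10.0.0.5", "198.51.100.7")      # LAN host to internet
INBOUND = Packet("198.51.100.7", "203.0.113.2")    # internet to external address

if __name__ == "__main__":
    for name, rules in (("pre-NAT rules", PRE_NAT), ("post-NAT rules", POST_NAT)):
        print(name, traverse(OUTBOUND, "out", rules, NATS), traverse(INBOUND, "in", rules, NATS))
```

With the pre-NAT rule set both packets pass and are translated; with the rule set written against translated addresses both are dropped before NAT is ever applied.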