Outbound NAT/NAPT with Separate Addresses for Internal Networks
This example utilizes a separate external address for different internal network segments with a catchall for other local networks. Using separate external addresses allows traffic from one internal segment to be distinguished from another by remote hosts.
Tip
This can be useful for Guest/BYOD type networks, so if a user connects a compromised device, not only can it be isolated internally from other segments, but if it causes enough trouble for the public address to be blocked remotely, then that block does not also affect the LAN or other internal segments.
In this example the internal networks are all under 10.30.0.0/16, which is split among several interfaces, VPNs, internal routing, etc. The LAN subnet is 10.30.0.0/24 and it will use 203.0.113.231 for NAT. A guest network is isolated under 10.30.1.0/24 and it will use 203.0.113.232 for NAT. Anything else local will use the IP address already configured on the WAN interface for NAT (203.0.113.30).
First, add the extra IP addresses to the WAN interface:
tnsr(config)# int WAN
tnsr(config-interface)# ip address 203.0.113.231/24
tnsr(config-interface)# ip address 203.0.113.232/24
tnsr(config-interface)# exit
Now create a NAT rule for only the LAN subnet:
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# description NAT from LAN
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.30.0.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.231/32
tnsr(config-vpf-nat-rule)# exit
Tip
This example performs different NAT operations based on the source (from). The same type of filtering and separation could also be made based on the destination (to), a combination of both, or even for specific protocols and ports.
Next, create a similar rule for the Guest network:
tnsr(config-vpf-nat-ruleset)# rule 110
tnsr(config-vpf-nat-rule)# description NAT from Guests
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.30.1.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.232/32
tnsr(config-vpf-nat-rule)# exit
Finally, add the catchall rule to NAT any other traffic from local networks. Use a much higher sequence number to leave space for additional rules in the future.
Note
Do not use nat-interface WAN in the catchall as that will utilize all IP addresses on the WAN interface for NAT, including the newly added IP addresses!
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# description NAT from Other Local IPv4 Networks
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.30.0.0/16
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.30/32
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
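As an added check (example code written for this page, not part of TNSR or its documentation), the script below parses the rule lines from a CLI session like the one above, reports which external address a given internal source gets under first-match evaluation in ascending sequence order (an assumption about how VPF walks the ruleset), and flags rules that are shadowed by an earlier, broader from-prefix, which is what happens if the catchall is given a lower sequence number than the per-segment rules.

```python
import ipaddress
import re

# Constructed sample: the rule, from and nat-prefix lines of the ruleset
# configured above, as a TNSR CLI session shows them (other lines are ignored).
RULESET_TRANSCRIPT = """
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.30.0.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.231/32
tnsr(config-vpf-nat-ruleset)# rule 110
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.30.1.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.232/32
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# from ipv4-prefix 10.30.0.0/16
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.30/32
"""

def parse_ruleset(text):
    """Return a list of (sequence, from_network, nat_network) tuples."""
    rules, seq, frm, nat = [], None, None, None
    for raw in text.strip().splitlines():
        line = re.sub(r"^tnsr\([^)]*\)#\s*", "", raw.strip())  # drop the CLI prompt
        if m := re.match(r"rule (\d+)$", line):
            if seq is not None:
                rules.append((seq, frm, nat))
            seq, frm, nat = int(m.group(1)), None, None
        elif m := re.match(r"from ipv4-prefix (\S+)$", line):
            frm = ipaddress.ip_network(m.group(1))
        elif m := re.match(r"nat-prefix (\S+)$", line):
            nat = ipaddress.ip_network(m.group(1))
    if seq is not None:
        rules.append((seq, frm, nat))
    return rules

def translate(rules, src):
    """(sequence, external address) of the first rule, in ascending sequence
    order, whose from-prefix contains src. Assumes VPF evaluates in that order."""
    addr = ipaddress.ip_address(src)
    for seq, frm, nat in sorted(rules, key=lambda r: r[0]):
        if frm is not None and addr in frm:
            return seq, str(nat.network_address)
    return None, None  # no rule matched: the traffic is not translated

def shadowed_rules(rules):
    """Sequence numbers of rules that can never match because an earlier rule
    already covers their whole from-prefix (e.g. a catchall sequenced too low)."""
    ordered = sorted(rules, key=lambda r: r[0])
    return [s for i, (s, frm, _) in enumerate(ordered) if frm is not None
            and any(e is not None and frm.subnet_of(e) for _, e, _ in ordered[:i])]
```

Paste the `show` output of a ruleset in place of the constructed transcript to check a live configuration the same way.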