Outbound Network Address and Port Translation (NAPT)
These examples perform dynamic source network address and port translation (NAPT) on traffic from the LAN subnet exiting via the WAN interface.
Interface Address
This example uses the IP address of the WAN interface itself as the translation address. When configured this way, VPF uses every address assigned to the interface, although in most cases there is only one. This is especially useful with dynamic WAN addresses, such as when WAN is configured for DHCP, because the rule follows the interface address and does not need to be updated when the address changes.
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# description NAT for WAN
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# description NAT from LAN prefix
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 172.16.1.0/24
tnsr(config-vpf-nat-rule)# nat-interface WAN
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
tnsr(config)# vpf options
tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-nat
tnsr(config-vpf-option)# exit
Single External Address
This example uses a single hardcoded IP address as the translation address. As with the table entries in the next example, this address must either be configured on the WAN interface or belong to a subnet routed to TNSR by the upstream, otherwise return traffic will never reach the router.
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# description NAT for WAN
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# description NAT from LAN prefix
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 172.16.1.0/24
tnsr(config-vpf-nat-rule)# nat-prefix 203.0.113.30/32
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
tnsr(config)# vpf options
tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-nat
tnsr(config-vpf-option)# exit
Multiple External Addresses
Dynamic NAT can also draw from a pool of multiple static addresses. This is useful when many internal clients make large numbers of outbound connections. A single external address offers at most roughly 64,000 translated source ports, and a busy environment can exhaust them; spreading translations across several external addresses multiplies the available port space and reduces allocation failures.
First, create a table for the external addresses.
Note
These addresses must either be configured on the external interface, or be a part of a subnet routed to TNSR from an upstream source.
tnsr(config)# vpf table ExternalNAT
tnsr(config-vpf-table)# prefix 203.0.113.230/32
tnsr(config-vpf-table)# prefix 203.0.113.231/32
tnsr(config-vpf-table)# prefix 203.0.113.232/32
tnsr(config-vpf-table)# exit
Now use that table in a NAT rule with nat-table:
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 172.16.1.0/24
tnsr(config-vpf-nat-rule)# nat-table ExternalNAT
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
This type of NAT can use either the ip-hash or the round-robin algorithm. ip-hash attempts to keep all connections from a given internal client on the same external address, which suits destinations that expect a client's connections to arrive from one source address, but it also means a single busy client can still exhaust the ports of the one address it is mapped to. round-robin rotates through the pool addresses for each new connection, which spreads port usage more evenly at the cost of a single client appearing from several external addresses.
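To make the difference between the two algorithms concrete for port exhaustion, the following is an added Python model written for this page; it is not TNSR or VPF code. It assumes a pool of the three addresses from the ExternalNAT table, a translated source port range of 1024-65535 per (external address, protocol, destination) tuple, connections that never expire, and a keyed BLAKE2 hash of the source address to model ip-hash stickiness. The real VPF hash function and port-allocation rules are not described on this page, so treat the numbers as illustrative of the behaviour, not as VPF's exact limits.

```python
"""Model of dynamic NAPT pool selection: ip-hash vs round-robin.

Added example for this page, not TNSR/VPF code. The keyed hash, the port
range and the never-expiring connections are assumptions made to show why
ip-hash pins a client to one address while round-robin spreads port usage.
"""
import hashlib
import ipaddress
import itertools
from collections import Counter, defaultdict

# Constructed pool matching the ExternalNAT table in the example above.
EXTERNAL_POOL = ["203.0.113.230", "203.0.113.231", "203.0.113.232"]

# Assumption: translated source ports are drawn from 1024-65535 and must be
# unique per (external address, protocol, destination address, destination port).
FIRST_PORT = 1024
PORTS_PER_TUPLE = 65536 - FIRST_PORT  # 64512 usable ports per tuple


class PortExhausted(Exception):
    """No free translated port left on the chosen external address."""


class NaptPool:
    def __init__(self, pool, algorithm, key=b"constructed-hash-key"):
        if algorithm not in ("ip-hash", "round-robin"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.pool = list(pool)
        self.algorithm = algorithm
        self.key = key
        self._rr = itertools.cycle(self.pool)
        # (external addr, proto, dst addr, dst port) -> ports currently in use
        self.in_use = defaultdict(int)

    def select(self, src_ip):
        """Choose the external address for a new connection from src_ip."""
        if self.algorithm == "ip-hash":
            # Keyed hash of the source address: the same client always lands on
            # the same pool member. Modelled here with BLAKE2, not VPF's hash.
            packed = ipaddress.ip_address(src_ip).packed
            digest = hashlib.blake2b(packed, key=self.key, digest_size=8).digest()
            return self.pool[int.from_bytes(digest, "big") % len(self.pool)]
        # round-robin: rotate through the pool for every new connection
        return next(self._rr)

    def translate(self, src_ip, dst_ip, dst_port, proto="tcp"):
        """Allocate (external address, external port) for a new connection.

        Connections never expire in this model, so counters only grow; that is
        what makes exhaustion visible in a short simulation.
        """
        ext = self.select(src_ip)
        slot = (ext, proto, dst_ip, dst_port)
        if self.in_use[slot] >= PORTS_PER_TUPLE:
            raise PortExhausted(ext)
        port = FIRST_PORT + self.in_use[slot]
        self.in_use[slot] += 1
        return ext, port


def simulate(algorithm, clients, conns_per_client, dst=("198.51.100.10", 443)):
    """Run the pool and return (successful translations per address, failures)."""
    pool = NaptPool(EXTERNAL_POOL, algorithm)
    ok, failed = Counter(), 0
    for src in clients:
        for _ in range(conns_per_client):
            try:
                ext, _port = pool.translate(src, *dst)
                ok[ext] += 1
            except PortExhausted:
                failed += 1
    return ok, failed


if __name__ == "__main__":
    # One heavy client (constructed) opening 100,000 connections to one destination.
    for algo in ("ip-hash", "round-robin"):
        ok, failed = simulate(algo, ["172.16.1.10"], 100_000)
        print(f"{algo:12} ok={sum(ok.values()):6d} failed={failed:6d} spread={dict(ok)}")
```

Running it shows the trade-off stated above: under ip-hash the single client is pinned to one pool member and fails once that address's 64,512 modelled ports are gone, while round-robin spreads the same 100,000 connections across all three addresses with no failures. With many distinct clients, ip-hash also spreads load, just at client granularity rather than per connection.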