Twice NAT

“Twice NAT” was a concept in Dataplane NAT: a shorthand way to combine an external port forward (a destination address change) with an internal source address change as the connection exits an internal interface. The same result can be achieved with VPF NAT using two separate rules in separate rulesets: one to handle the port forward and one to handle the source change.

Inbound NAT on WAN to forward the port:

tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# rule 70
tnsr(config-vpf-nat-rule)# description Twice-NAT for SNMP
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# to ifaddrs WAN
tnsr(config-vpf-nat-rule)# to port 161
tnsr(config-vpf-nat-rule)# nat-prefix 10.30.0.40/32
tnsr(config-vpf-nat-rule)# nat-port 161
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit

Outbound NAT on LAN to translate the source:

tnsr(config)# vpf nat ruleset LAN-nat
tnsr(config-vpf-nat-ruleset)# description NAT for LAN
tnsr(config-vpf-nat-ruleset)# rule 20
tnsr(config-vpf-nat-rule)# description Twice-NAT for SNMP
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# to ipv4-prefix 10.30.0.40/32
tnsr(config-vpf-nat-rule)# to port 161
tnsr(config-vpf-nat-rule)# nat-interface LAN
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit

Pass inbound traffic on WAN that matches the port forward:

tnsr(config)# vpf filter ruleset WAN-filter
tnsr(config-vpf-filter-ruleset)# rule 70
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# protocol tcp
tnsr(config-vpf-filter-rule)# to ifaddrs WAN
tnsr(config-vpf-filter-rule)# to port 161
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit

Activate NAT rules for both interfaces if they are not already attached:

tnsr(config)# vpf options
tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-nat
tnsr(config-vpf-option)# interface LAN nat-ruleset LAN-nat
tnsr(config-vpf-option)# exit
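
A simplified model of how one connection passes through the two NAT rules above, added here as an illustration and not taken from the TNSR documentation or from VPF itself. Only 10.30.0.40 and port 161 come from the configuration; the WAN and LAN interface addresses, the client address and the source-port pool are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

# Only 10.30.0.40 and port 161 come from the page; the rest is constructed.
WAN_ADDR = ip_address("198.51.100.2")  # assumed WAN interface address
LAN_ADDR = ip_address("10.30.0.1")     # assumed LAN interface address
TARGET = ip_address("10.30.0.40")      # nat-prefix 10.30.0.40/32
PORT = 161

@dataclass(frozen=True)
class Packet:
    src: object
    sport: int
    dst: object
    dport: int

class TwiceNat:
    def __init__(self):
        self.states = {}        # translated source port -> original packet
        self.next_port = 40000  # assumed start of the dynamic port pool

    def forward(self, pkt):
        """Client to server: WAN-nat rule 70 (in), then LAN-nat rule 20 (out)."""
        if pkt.dst != WAN_ADDR or pkt.dport != PORT:
            return None  # "to ifaddrs WAN" / "to port 161" did not match
        fwd = replace(pkt, dst=TARGET, dport=PORT)  # destination change
        # fwd now matches "to ipv4-prefix 10.30.0.40/32" / "to port 161"
        sport, self.next_port = self.next_port, self.next_port + 1
        self.states[sport] = pkt
        return replace(fwd, src=LAN_ADDR, sport=sport)  # source change

    def reverse(self, reply):
        """Server to client: undo both translations using the saved state."""
        orig = self.states.get(reply.dport)
        if (orig is None or reply.src != TARGET or reply.sport != PORT
                or reply.dst != LAN_ADDR):
            return None  # no state: not part of a forwarded connection
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

if __name__ == "__main__":
    nat = TwiceNat()
    client = Packet(ip_address("203.0.113.5"), 50000, WAN_ADDR, PORT)
    seen = nat.forward(client)
    print("server sees:", seen)
    print("client gets:", nat.reverse(Packet(TARGET, PORT, LAN_ADDR, seen.sport)))
```

Because of the source change, the host at 10.30.0.40 sees every forwarded request as coming from the LAN interface address, so source-based access lists and logs on that host cannot distinguish the original clients.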