

NAT exception for direct internet access (SD-WAN)



I have one general question for a design I'm working on. I'm planning to have Overlay and CE hosted on the same hardware - Cisco ISR routers. So I need to have the overlay network with terminated on the same device as the ISP BGP peerings are configured on.


This could be solved by DIA functionality, but the problem is that this will enable NAT on transit interfaces and I need to have some IP addresses not NATed. I have some public segment at the site too and can't NAT it. Is there some possibility to make an exception for NAT if systems are already on publicly routable IP addresses?


Thank you. 



Cisco Employee

Hi Pavel,


Not sure I got your problem, can you please elaborate on it? What kind of problem do you expect? Your service side is in a dedicated VRF, transport side (peering with ISP) is in the global routing table. Your DIA is for traffic from the service VPN going to outside only.


Hello Ekhabaro, 


Thank you for your reply. Generally I want to use this setup in our main location to have Internet breakout (CE) on the same devices as the overlay network. I do not see any problem in the Overlay network having communication not NATed to all other locations. Also to have NAT for local LAN users when they go to the internet.


The problem is that I also have a public DMZ range in that location and need to have these subnets publicly accessible from the internet and at the same time accessible by other locations in SD-WAN through the tunnels. My understanding is that if some network is part of the service side VPN and you want to enable DIA, you need to enable NAT as well for the subnet which could use DIA, as the only way to get to the internet is through transport VPN0, which is NATing that traffic.

Understood it based on:


Please explain if my understanding is not correct. My only point is whether I will be able to have a public IP range in the datacenter accessible from SD-WAN locations and also allow access to the internet from that segment directly with no NAT in place. I will be using the cEdge as internet router and SD-WAN router at the same time.


Thank you