

NAT for branch controller connections via central FW

For cEdge routers that are connected to MPLS and need to establish control connections to the Cisco Cloud, these connections will back haul over MPLS and exit onto the internet via centralised hub firewalls.


What NAT solution is recommended at the hub, for example:

  • If 1-2-1 NAT is best practice
    • Are people carving out a new IP block in advance and re-IP’ing WAN interfaces?
    • Creating a NAT rule during each branch office cut-over?
    • Auditing all existing WAN interfaces and prestaging NAT rules?
  • If PAT is used, how many cEdge devices can hide behind the same public IP address?

Is there a NAT solution that scales well for this?


Thanks in advance.


I would prefer a design with local internet access, but if that's not possible, then your design is valid. As long as there is connectivity between the routers and the controllers, it shouldn't matter what type of NAT you are using. It should be fine to use PAT.


Routers will form a different number of control connections depending on how many transports they have. Normally, unless you restrict it, they form control connections over each transport but only one towards vManage. In my setup, with two vSmarts, for a router with a single transport, 3 control connections are used. For a site with dual transports, 5 control connections are used.


The scaling here for your PAT would be based on the number of available ports. Let's say that you have 65000 ports available and each router needs 4 ports on average, that would mean that you could have over 16000 devices using this single IP, if this IP was dedicated for just this use, and not normal users exiting the internet utilizing that IP address.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
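The sizing logic in the answer above, written out as an added example (not code from the thread or from Cisco): it reproduces the 3 and 5 control connections per router from the transport and vSmart counts, the "65000 ports / 4 ports per router" capacity estimate, and then extends it to a mix of single- and dual-transport sites to estimate how many dedicated public addresses a hub PAT pool would need. It assumes, as the answer does, that each control connection holds one translated port for its lifetime and that the address is not shared with user internet traffic.

```python
import math

def control_connections(transports: int, vsmarts: int = 2) -> int:
    """Control connections one router builds: one to every vSmart over every
    transport, plus a single connection to vManage.  With two vSmarts this
    gives 3 for a single transport and 5 for dual transports, matching the
    figures quoted in the thread.  (Assumption: vBond connections are
    transient and not counted.)"""
    if transports < 1 or vsmarts < 1:
        raise ValueError("need at least one transport and one vSmart")
    return transports * vsmarts + 1

def pat_capacity(ports_available: int, connections_per_router: int) -> int:
    """Routers that fit behind one PAT address when every router holds
    `connections_per_router` translated ports at once."""
    if connections_per_router < 1:
        raise ValueError("connections_per_router must be positive")
    return ports_available // connections_per_router

def public_ips_required(site_mix, ports_per_ip: int = 65000, vsmarts: int = 2,
                        headroom: float = 0.2):
    """site_mix: iterable of (site_count, transports) pairs.
    Returns (total_control_connections, public_ips_needed).
    `headroom` reserves a fraction of each address's ports so the pool is
    not sized at 100% utilisation (assumed design margin, not from the thread)."""
    total = sum(count * control_connections(transports, vsmarts)
                for count, transports in site_mix)
    usable_per_ip = int(ports_per_ip * (1 - headroom))
    return total, math.ceil(total / usable_per_ip)

if __name__ == "__main__":
    # Constructed site mix: 950 dual-transport sites and 50 MPLS-only sites.
    mix = [(950, 2), (50, 1)]
    total, ips = public_ips_required(mix)
    print(f"single transport: {control_connections(1)} connections")
    print(f"dual transport:   {control_connections(2)} connections")
    print(f"65000 ports / 4 per router -> {pat_capacity(65000, 4)} routers")
    print(f"{total} control connections across the estate -> {ips} PAT address(es)")
```

The estimate only covers the control plane: once the hub address also carries ordinary user traffic, the port budget is shared and the figure no longer holds, which is the caveat the answer makes about dedicating the IP.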

- 1-to-1 is a best practice for controllers if they are behind NAT.

- PAT would work fine.

It is better if you can get an internet connection locally rather than back-hauling. The problem with back-haul for control connections is, if you lose connection at the hub, then you will lose visibility for all of your branches.




Thanks for your thoughts.

95% of branch offices will have 1 x MPLS & 1 x DIA, therefore local internet access will be available. However, considering that control connections will still get built over MPLS, plus also to cope with a DIA failure, then a NAT (or PAT) solution at the hub is still required.

I believe any of the above solutions would work, but I am still not clear on the best practice.
