SD-WAN Controllers on-prem deployment with 1:1 NAT

stephon.a.it
Level 1

I'm working on a deployment and initially setting it up in CML. The controllers are deployed with private IPs, and 1:1 static NAT mappings are created on the upstream edge router in this case. However, when I point a WAN Edge across the Internet transport to the vBond, the vBond connects via its public IP, but it advertises the private IP of the vManage, preventing connectivity. I've tried establishing control connections between the controllers with their public NATted IPs, but they won't connect. I am, however, able to ping those same NATted IPs. Does anyone have any guidance on the actual configuration of this? I feel like I'm missing a step or something.

Thanks

3 Replies

balaji.bandi
Hall of Fame

In a real environment it works as expected with 1:1 NAT with a cEdge like a Cat 8K (IOS XE) or ISR router.

Maybe run the debug and check what is wrong?

For labbing, I tested it all in the same virtual environment, and it also works.

BB

Torbjørn
VIP

Remember that the vBond is a STUN server used to achieve NAT traversal; it must have a correct view of the private and public IP addresses to be able to hand the correct IP addresses to WAN Edges. See the following article for more details on this: https://www.networkacademy.io/ccie-enterprise/sdwan/tlocs-and-nat

You have two options to fix this:

  • Set up hairpin NAT to be able to use the public IPs so that you get correct mappings
  • Move your vBond to a publicly routable subnet on your INET-connected router

Both will fix your issue but I think option 2 is a lot cleaner.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

1- The vEdge will first connect to the vBond using its public IP, which is configured in the vEdge.

Check the above step; check the connection history.

2- Check the connection; see if the vEdge learns the private or public IP of the vSmart and vManage.

A- If it learns the private IP, then you need hairpin NAT in the router.

What that means:

vSmart and vManage must use the public IP of the vBond; this allows the vBond to know both the private and public IP of the vSmart and vManage.

B- If it learns the public IP, then there is another issue preventing the connection.

MHM
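The STUN-style behaviour Torbjørn describes, and the private-vs-public check MHM walks through, as an added illustration that is not part of any reply above: a constructed, simplified model of a 1:1 static NAT table with and without hairpinning, a vBond that records the source address each controller connects from, and a WAN Edge on the Internet that can only use routable public addresses. The addresses, the NAT table and the `scenario` helper are all assumptions made up for the example.

```python
"""Constructed model (not Cisco code) of why a vBond behind 1:1 NAT can advertise
a private vManage address: the vBond, like a STUN server, records the source
address each controller connects from and hands that to WAN Edges.
Addresses are from the RFC 5737 documentation ranges."""

# Constructed 1:1 static NAT table on the upstream edge router (private -> public).
STATIC_NAT = {
    "10.0.0.10": "203.0.113.10",  # vManage
    "10.0.0.20": "203.0.113.20",  # vSmart
    "10.0.0.30": "203.0.113.30",  # vBond
}
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in STATIC_NAT.items()}


def observed_source(src, dst, hairpin):
    """Source address the host at dst sees, or None if no session can form."""
    if src in STATIC_NAT:                # sender sits behind the NAT router
        if dst in STATIC_NAT:            # LAN neighbour reached by private IP: no NAT
            return src
        if dst in PUBLIC_TO_PRIVATE:     # LAN neighbour reached by its public IP
            return STATIC_NAT[src] if hairpin else None
        return STATIC_NAT[src]           # ordinary outbound 1:1 translation
    return src                           # sender is already on the Internet


def edge_can_reach(addr):
    """A WAN Edge on the Internet transport can only use routable public IPs."""
    return addr is not None and addr in PUBLIC_TO_PRIVATE


def scenario(vbond_addr, hairpin):
    """vManage (10.0.0.10) peers with the vBond at vbond_addr; return the address
    the vBond then advertises for vManage and whether an Internet WAN Edge can reach it."""
    advertised = observed_source("10.0.0.10", vbond_addr, hairpin)
    return advertised, edge_can_reach(advertised)


if __name__ == "__main__":
    print("private vBond IP, no hairpin:", scenario("10.0.0.30", False))
    print("public vBond IP, no hairpin: ", scenario("203.0.113.30", False))
    print("public vBond IP, hairpin:    ", scenario("203.0.113.30", True))
    print("vBond on public subnet:      ", scenario("198.51.100.30", False))
```

The first case reproduces the original post (vBond learns 10.0.0.10 and the edge cannot use it); the last two correspond to the hairpin-NAT and publicly-routed-vBond options, where the vBond sees the translated 203.0.113.10 instead.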