05-11-2024 02:06 PM
Hi everyone,
Currently, I've been using the Interface NAT type for Direct Internet Access (DIA) across multiple networks.
However, I recently came across a Cisco article (link below) suggesting the use of a Loopback interface for DIA instead. I'm a bit confused about this approach and would appreciate it if someone could explain to me how I can implement and configure the loopback interface for DIA.
05-11-2024 02:51 PM
Hi,
could you point out what exactly you want to highlight from the doc? Basically, NAT using loopback is supported, as you show in the picture (which is part of the interface template). You simply enable NAT with loopback and traffic will be overloaded (i.e. PAT) using the loopback interface IP instead of the interface IP.
05-12-2024 02:20 AM - edited 05-12-2024 02:33 AM
I'm not convinced why I should use a Loopback interface instead of a Physical interface. Can you please provide an example of a situation in which I can use a Loopback interface for Direct Internet Access (DIA)?
05-12-2024 03:07 AM
Hi,
this is just one possibility among different options. There is no strict preference between physical and loopback usage. For example, for better security you may not want to NAT overload user traffic to the interface IP but to another IP from the loopback.
One more example: you have a private-IP-based interconnection with IPs, and loopback NAT (where is public IP) is essential to translate users' IPs to a public IP.
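The two situations described in this reply, as an added example that is not from any post in this thread: plain IOS-XE CLI (not the SD-WAN template syntax) showing interface-based NAT overload next to loopback-based NAT overload. Every address, ACL name and interface number is a placeholder I chose: 203.0.113.2/30 stands in for a public link address, 10.0.0.0/30 for a private ISP interconnect, 198.51.100.1/32 for the public address assigned to the loopback, and 172.16.10.0/24 for the users' VPN.

```cisco
! Added example (not from this thread): interface NAT versus loopback NAT on IOS-XE.
! All addresses, names and interface numbers are placeholders. Options A and B are
! alternatives for the same WAN interface; configure one or the other.
!
! --- Option A: overload (PAT) to the WAN interface address ---
interface GigabitEthernet0/0/0
 description WAN to ISP (public IP on the link)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/1
 description LAN users
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
ip access-list standard DIA-USERS
 permit 172.16.10.0 0.0.0.255
!
ip nat inside source list DIA-USERS interface GigabitEthernet0/0/0 overload
!
! --- Option B: overload (PAT) to a loopback address ---
! Use when the WAN link carries a private interconnect address, or when user
! traffic should leave with an address other than the one the router itself
! uses on the link. The ISP must route 198.51.100.1/32 toward this router.
interface Loopback0
 description Public NAT address (placeholder)
 ip address 198.51.100.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 description WAN to ISP (private interconnect address)
 ip address 10.0.0.2 255.255.255.252
 ip nat outside
!
ip nat inside source list DIA-USERS interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Check: translated sessions should list 198.51.100.1 as the inside global address.
! show ip nat translations
```

In Option B the translated source is the loopback address while packets still leave through the physical interface marked `ip nat outside`, so the loopback prefix has to be reachable from the ISP side or return traffic never arrives. On SD-WAN the equivalent statement is generated by the interface NAT feature template when the loopback option is selected, as the reply above describes; `show ip nat translations` is the quickest way to confirm which inside global address users are actually being mapped to.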
05-12-2024 12:11 AM
That is one of the options available for you to use; it is not mandatory to use loopback.
From Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, you can configure multiple NAT types for an interface.
You should not depend on any physical interface for NAT, so you can use loopback.
Check the use case mentioned in your document "Multiple NAT DIA Methods on an Interface".
09-09-2025 09:08 AM - edited 09-09-2025 05:52 PM
It's helpful
VPN 1 - 172.25.1.0/24 via NAT DIA overload (ISP1 and ISP2 round robin)
VPN 2 - 172.25.2.0/24 via NAT DIA pool overload (ISP1 and ISP2 round robin)

! WAN subinterfaces toward the two ISPs (one VLAN tag per subinterface)
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
end
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
end
! Interface overload (PAT to the subinterface address) for VPN 1
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/1.10 overload
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/1.20 overload
! Default route from each service VPN into the transport VPN for DIA
ip nat route vrf 1 0.0.0.0 0.0.0.0 global
ip nat route vrf 2 0.0.0.0 0.0.0.0 global
! Pool overload for VPN 2: one pool per ISP (the two pools need distinct names)
ip nat pool natpool1 10.10.10.10 10.10.10.10 prefix-length 24
ip nat pool natpool2 20.20.20.20 20.20.20.20 prefix-length 24
ip nat inside source list dia-list pool natpool1 overload match-interface GigabitEthernet0/0/1.10
ip nat inside source list dia-list pool natpool2 overload match-interface GigabitEthernet0/0/1.20

! Centralized data policy for VPN 2 (steers matched prefixes to the DIA pools)
vpn-list VPN2
 sequence 1
  match
   source-data-prefix-list wifi_prefixes
  action accept
   count wifi_nat_724726910
   nat use-vpn 0
   no nat fallback
   nat source-dia-pool 1 2
   no nat bypass