SD-WAN Intra-VPN service-side NAT

mikhailov.ivan (Level 1)

Hello colleagues! I would like to ask about a problem which I ran into several months ago. To be honest, I've already got the answer from TAC, but I wanted to ask the community; maybe somebody has found a workaround.

The issue: there is an industrial machine which has some limitations for incoming connections. It can accept connections from only one IP address, and you have to configure this address only via the hardware panel on the machine, so changing this IP is a very complicated and long procedure. The guys asked me to help them get around this problem somehow, and the obvious solution is srcNAT, and I said "sure, because we bought the most modern Cisco SD-WAN appliances, C8300", but it turned out that NO.

The design is (let's consider the simplest case) one C8300. Gi0/0/0 is the ISP public port for VPN0 NAT DIA (let it be 3.3.3.3) and Gi0/0/1 is like a downlink for service VPNs (VPN 10 and VPN 20 for instance); it's on sub-interfaces and connected to a switch, let it be a C9300. We have the machine in VPN10 with IP 10.224.3.6/24 and we have a pool of servers in VPN20, 192.168.8.0/24, which will establish this connection to the machine. So our aim is doing the srcNAT where all addresses from the subnet 192.168.8.0/24 which send any packets toward the VPN10 host 10.224.3.6 will be modified to the src IP 192.168.8.1, for instance. Sounds easy for any legacy equipment (like a $50 MikroTik), right? But TAC said that it's impossible. We tried together based on https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/nat/nat-book-xe-sdwan/configure-nat.html. Maybe someone has run into the same problem and has any ideas how to do this more elegantly, without any IOx VM or even a dedicated extra VM for NAT? I can share a schema if needed.

Let's imagine that all image versions have been upgraded to the latest version.

Thanks!



dijix1990 (VIP)

mikhailov.ivan (Level 1)

Yes, I think I've tried something like this example, but nothing happened. And one more detail which I could have missed: let's also skip the part where the source server and the machine are in different VPNs (VRFs); let's make it simpler and put both in the same VPN10, but on 2 different sub-interfaces like gi0/0/1.10 and gi0/0/1.20, because I've heard that it's also impossible to provide service-side NAT between 2 VRFs.

Hi,

It is supported within the same VRF. The feature is called "Intra-VPN Service-Side NAT Support". It is described in this section:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/nat/nat-book-xe-sdwan/configure-nat.html#config-examples-intra-vpn-service-side-nat

The workflow is actually simple:

1) Define "ip nat outside" on the egress interface (gi0/0/1.20 in your case). This should be done using a CLI template.
2) Create a natpool in the service VPN template. This can be done in the VPN (service VPN, not VPN0) feature template. Remember the natpool number. In your case, your pool should contain the IP which is allowed by the industrial machine.

[screenshot: KananHuseynli_0-1681951745130.png]

3) Create a centralized data policy (Traffic Data) which matches the respective traffic, with action "Natpool" and the respective number.

[screenshot: KananHuseynli_2-1681951998276.png]

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mikhailov.ivan (Level 1)

Yep, I've seen this article and, as far as I remember, we tried to do the same with TAC and didn't get a positive result. So if we have a machine (destination host) on the gi0/0/1.10 sub-interface with IP 10.224.3.6/24, and the source subnet 192.168.8.0/24 on gi0/0/1.20, in the same VPN10, and I would like to do srcNAT from 192.168.8.0/24 to the host 10.224.3.6 (or the whole subnet) with src 192.168.8.1, which steps should I take?

Thanks! Appreciate your help

Hi,

It is unclear. Do you want to source-NAT from 192.168.8.0/24 to the IP 192.168.8.1?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Almost. I would like to have all packets from the network 192.168.8.0/24 to the host 10.224.3.6 modified by srcNAT so that they have src IP 192.168.8.1 (because we have this IP on the interface Gi0/0/1.20). So just a simple srcNAT from one subnet to another.

It is not so simple, because with this IP design you want to NAT to an IP from the source subnet. You should NAT to a different IP for proper operation, or to an IP from the outside (egress interface) subnet.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

I got your point; I think it's OK too if the srcIP is from the outside interface. But I compare it with Linux iptables, where you do a MASQUERADE rule with the IP address from the source interface or subnet.

mikhailov.ivan (Level 1)

Let me draw a schema. So maybe we could do src NAT with the 10.224.3.1 IP; it's OK too. Again, the machine has a limitation that it can allow connections only from one IP (doesn't matter which one), and we need to provide connectivity from the pool of servers (can be any possible IP from the pool 192.168.8.0/24). With a Linux machine in general it should look like this:

"IF Packet Source is 192.168.8.0/24 AND Destination IP is 10.224.3.6 DO srcNAT 192.168.8.1". Something like this. Or based on interfaces: "IF Packet Source is Gi0/0/1.20 AND Destination is Gi0/0/1.10 DO srcNAT 192.168.8.1". But I am struggling with how to do this in SD-WAN without hard workarounds.

In your case: add a CLI template to the device; the CLI template should contain:

interface GigabitEthernet0/0/1.10
ip nat outside

In the VRF/VPN template create a NAT pool:
Pool number 1
Start address: 10.224.3.100 (assuming this address is free)
End address: 10.224.3.100
Prefix-length: 24
Direction: inside
Overload: enabled

In the centralized data policy for that VPN, match source 192.168.8.0/24 and destination 10.224.3.6/32, with action natpool1.

It will work. When traffic comes from the 192.168.8.0/24 subnet and goes to host 10.224.3.6, the router will do source NAT to natpool1, which is one IP, 10.224.3.100. That's all.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
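As an added illustration (not code from this thread or from Cisco), a small Python model of the accepted design: a pre-check that the natpool address follows the advice above (on the egress Gi0/0/1.10 subnet, not inside the source subnet) and a simulation of the data-policy match plus natpool overload, showing that every server reaches the machine from the single address 10.224.3.100. The router address 10.224.3.1 on Gi0/0/1.10 and the sample ports are assumptions.

```python
from ipaddress import ip_address, ip_network, ip_interface
from itertools import count

# Constructed values taken from the thread.
SOURCE_SUBNET = ip_network("192.168.8.0/24")     # pool of servers
MACHINE = ip_address("10.224.3.6")               # accepts only one source IP
OUTSIDE_IF = ip_interface("10.224.3.1/24")       # assumed router IP on Gi0/0/1.10
NATPOOL1 = ip_address("10.224.3.100")            # single-address pool, overload


def validate_pool(pool_ip, outside_if, source_subnet, machine):
    """Design checks before pushing the NAT pool template.
    Returns a list of problems; an empty list means the design is sound."""
    problems = []
    if pool_ip in source_subnet:
        problems.append("pool address lies in the source subnet; "
                        "use an address on the egress subnet instead")
    if pool_ip not in outside_if.network:
        problems.append("pool address is not on the 'ip nat outside' subnet")
    if pool_ip in (outside_if.ip, machine):
        problems.append("pool address collides with the router or the machine")
    return problems


class ServiceSideNat:
    """Models one data-policy sequence: match src/dst, action natpool overload."""

    def __init__(self, source_subnet, destination, pool_ip):
        self.source_subnet = source_subnet
        self.destination = destination
        self.pool_ip = pool_ip
        self._ports = count(1024)   # next free translated port
        self.table = {}             # (orig_src, orig_sport) -> translated port

    def translate(self, src, sport, dst, dport):
        """Return the (src, sport, dst, dport) tuple as the machine would see it."""
        src, dst = ip_address(src), ip_address(dst)
        # Only flows from the server subnet to the machine hit the NAT sequence;
        # everything else falls through to default-action accept untouched.
        if src not in self.source_subnet or dst != self.destination:
            return (str(src), sport, str(dst), dport)
        key = (str(src), sport)
        if key not in self.table:
            self.table[key] = next(self._ports)   # overload: unique port per flow
        return (str(self.pool_ip), self.table[key], str(dst), dport)
```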

mikhailov.ivan (Level 1)

Thanks, mate! It's strange that when I raised a TAC ticket they didn't recommend this config.

No problem, please check and inform.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.