SD-WAN On premise deployment

7 Replies

maguatte.dieng
Level 1

The DMZ is an ISR router, not a firewall. What type of NAT should be applied on this ISR router (WAN router)?

 

  • (1) (2) vSmart and vManage point to the vBond public IP address (the NATed public IP address)
  • (3) vBond learns the interface private and NATed public IP addresses of vSmart and vManage (private is pre-NAT, public is post-NAT)
  • (4) vSmart and vManage use NATed public IP addresses for communication.

maguattedieng_0-1742571086238.png

 

Hi,

Why does the ISP router change the destination port? That should be the question. It is not logical that the destination port is changed automatically by the ISP router (since it is bound to a specific application port on the remote machine). Looks like your configuration has incorrect lines; check again.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Below is the NAT implemented:

 

maguattedieng_0-1742580507838.png

 

I had the problem with vSmart and ports. NAT was on the firewall.

In your situation, it looks like every port is translated to 12348.

Send the output from the show ip nat transl command.

Also, if you want vManage to use the vBond public IP, you need to use a public color on the interface.

Send your config.

 

Dan Frey
Cisco Employee

I have a CAT8kv in front of the SD-WAN controllers doing NAT so that vManage/vSmart send the public IP to vBond, and vBond also learns the private and public IP of vSmart and vManage. This requires source and destination NAT using VASI interfaces so that packets can traverse the NAT inside/outside domains. This is a lab, so 10.64.x.x are private IPs, 10.100.x.x are "public" IPs for DC1, and 10.200.x.x are "public" IPs for DC2.

vrf definition VASI-OUTSIDE
 !
 address-family ipv4
 exit-address-family

interface GigabitEthernet3
 description contrl-complex
 mtu 9216
 ip address 10.64.32.254 255.255.255.0
 ip nat inside
 speed 10000
 no negotiation auto
 ipv6 address 2001:10:64:32::254/64

interface vasileft1
 ip address 10.99.1.1 255.255.255.252
 ip nat outside
 no keepalive
!
interface vasiright1
 vrf forwarding VASI-OUTSIDE
 ip address 10.99.1.2 255.255.255.252
 no keepalive

ip route 10.100.1.0 255.255.255.0 vasileft1 10.99.1.2
ip route 10.200.1.0 255.255.255.0 vasileft1 10.99.1.2
ip route vrf VASI-OUTSIDE 0.0.0.0 0.0.0.0 vasiright1
ip nat inside source static 10.64.32.1 10.100.1.1 no-alias
ip nat inside source static 10.64.32.2 10.100.1.2 no-alias
ip nat inside source static 10.64.32.3 10.100.1.3 no-alias
ip nat inside source static 10.64.32.4 10.100.1.4 no-alias
ip nat inside source static 10.64.32.10 10.100.1.10 no-alias
ip nat inside source static 10.64.32.11 10.100.1.11 no-alias
ip nat inside source static 10.64.32.14 10.100.1.14 no-alias
ip nat inside source static 10.64.64.1 10.200.1.1 no-alias
ip nat inside source static 10.64.64.2 10.200.1.2 no-alias
ip nat inside source static 10.64.64.7 10.200.1.7 no-alias

vbond connections:

vbond_251_1_1# show orchestrator connections
                                                                                     PEER                      PEER                                                                            
         PEER     PEER     PEER             SITE        DOMAIN      PEER             PRIVATE  PEER             PUBLIC                                   ORGANIZATION                           
INSTANCE TYPE     PROTOCOL SYSTEM IP        ID          ID          PRIVATE IP       PORT     PUBLIC IP        PORT    REMOTE COLOR     STATE           NAME                    UPTIME         
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0        vedge    dtls     11.1.1.78        78          1           192.168.0.247    12346    192.168.0.247    12346   biz-internet     up              Cisco SA Demo - 17404   7:22:11:41     
0        vedge    dtls     11.1.1.79        79          1           192.168.0.246    12406    192.168.0.246    12406   biz-internet     up              Cisco SA Demo - 17404   7:22:12:28     
0        vsmart   dtls     11.2.251.4       251         1           10.64.32.4       12346    10.100.1.4       12346   default          up              Cisco SA Demo - 17404   7:22:11:03     
0        vsmart   dtls     11.2.251.4       251         1           10.64.32.4       12446    10.100.1.4       12446   default          up              Cisco SA Demo - 17404   7:22:11:01     
0        vsmart   dtls     11.2.251.5       251         1           10.64.64.7       12346    10.200.1.7       12346   default          up              Cisco SA Demo - 17404   7:22:10:46     
0        vsmart   dtls     11.2.251.5       251         1           10.64.64.7       12446    10.200.1.7       12446   default          up              Cisco SA Demo - 17404   7:22:10:45     
0        vsmart   dtls     11.2.251.4       251         1           2001:10:64:32::2 12346    2001:10:64:32::2 12346   default          up              Cisco SA Demo - 17404   7:22:11:04     
0        vsmart   dtls     11.2.251.4       251         1           2001:10:64:32::2 12446    2001:10:64:32::2 12446   default          up              Cisco SA Demo - 17404   7:22:11:02     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12346    10.100.1.3       12346   default          up              Cisco SA Demo - 17404   7:22:09:26     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12446    10.100.1.3       12446   default          up              Cisco SA Demo - 17404   7:22:09:28     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12546    10.100.1.3       12546   default          up              Cisco SA Demo - 17404   7:22:09:29     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12646    10.100.1.3       12646   default          up              Cisco SA Demo - 17404   7:22:09:29     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12746    10.100.1.3       12746   default          up              Cisco SA Demo - 17404   7:22:09:16     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12846    10.100.1.3       12846   default          up              Cisco SA Demo - 17404   7:22:09:20     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       12946    10.100.1.3       12946   default          up              Cisco SA Demo - 17404   7:22:09:28     
0        vmanage  dtls     11.2.251.3       251         0           10.64.32.3       13046    10.100.1.3       13046   default          up              Cisco SA Demo - 17404   7:22:09:29     
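One way to confirm, from vBond's side, that the WAN router's static NAT is doing what the entries above intend: cross-check the learned private/public pairs in show orchestrator connections against the ip nat inside source static map, and flag any controller whose public port differs from its private port (a 1:1 static entry never rewrites the UDP port; a changed port means some PAT or overload rule is in the path). This is an added example, not the thread's or any Cisco tool's code; the sample rows are constructed in the same column layout as the output above, abridged, with one deliberately wrong vManage row (public port 12548) so that the check has something to report.

```python
"""Cross-check vBond's learned NAT view against the WAN router's static NAT map."""
import re

STATIC_NAT_RE = re.compile(r"^\s*ip nat inside source static (\S+) (\S+)", re.M)

# Constructed sample: abridged copy of the static NAT lines from the CAT8kv config.
NAT_CONFIG = """
ip nat inside source static 10.64.32.3 10.100.1.3 no-alias
ip nat inside source static 10.64.32.4 10.100.1.4 no-alias
ip nat inside source static 10.64.64.7 10.200.1.7 no-alias
"""

# Constructed sample rows in the 'show orchestrator connections' layout.
# The last row is deliberately wrong (public port 12548 != private port 12546)
# to show what a port-rewriting NAT looks like from vBond's side.
ORCH_OUTPUT = """
0  vedge    dtls  11.1.1.78   78   1  192.168.0.247  12346  192.168.0.247  12346  biz-internet  up  Cisco SA Demo - 17404  7:22:11:41
0  vsmart   dtls  11.2.251.4  251  1  10.64.32.4     12346  10.100.1.4     12346  default       up  Cisco SA Demo - 17404  7:22:11:03
0  vsmart   dtls  11.2.251.5  251  1  10.64.64.7     12446  10.200.1.7     12446  default       up  Cisco SA Demo - 17404  7:22:10:45
0  vsmart   dtls  11.2.251.4  251  1  2001:10:64:32::2 12346 2001:10:64:32::2 12346 default    up  Cisco SA Demo - 17404  7:22:11:04
0  vmanage  dtls  11.2.251.3  251  0  10.64.32.3     12546  10.100.1.3     12548  default       up  Cisco SA Demo - 17404  7:22:09:29
"""


def parse_static_nat(config: str) -> dict:
    """Map inside-local -> inside-global from 'ip nat inside source static' lines."""
    return {m.group(1): m.group(2) for m in STATIC_NAT_RE.finditer(config)}


def parse_orchestrator(output: str) -> list:
    """Pull the peer type, system IP, private/public IP and ports from each row; skip headers."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 12 or f[1] not in ("vedge", "vsmart", "vmanage"):
            continue
        rows.append({
            "type": f[1], "system_ip": f[3],
            "private_ip": f[6], "private_port": int(f[7]),
            "public_ip": f[8], "public_port": int(f[9]),
        })
    return rows


def audit(rows: list, nat_map: dict) -> list:
    """Return human-readable findings; an empty list means vBond's view matches the static map."""
    findings = []
    for r in rows:
        who = f"{r['type']} {r['system_ip']}"
        if r["type"] == "vedge" or ":" in r["private_ip"]:
            continue  # edges and the un-NATed IPv6 rows are out of scope for this check
        expected = nat_map.get(r["private_ip"])
        if expected is None:
            findings.append(f"{who}: no static NAT entry for {r['private_ip']}")
        elif expected != r["public_ip"]:
            findings.append(f"{who}: vBond sees public {r['public_ip']}, static map says {expected}")
        if r["private_port"] != r["public_port"]:
            findings.append(
                f"{who}: port rewritten {r['private_port']} -> {r['public_port']} "
                "(1:1 static NAT should preserve it; look for a PAT/overload rule in the path)")
    return findings


def run_sample() -> list:
    """Run the audit over the constructed samples above."""
    return audit(parse_orchestrator(ORCH_OUTPUT), parse_static_nat(NAT_CONFIG))


if __name__ == "__main__":
    for line in run_sample() or ["vBond view is consistent with the static NAT map"]:
        print(line)
```

Feed it the real config and the real show output and an empty result means the controllers are reachable through the translation exactly as intended; the port finding is the one to chase first, because the controllers expect their DTLS ports to survive the NAT unchanged.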

 

Hello Dan,

Thanks for your answer. I think we have the same design, but I don't understand why I'm not receiving any connections on the vBond while I am receiving connections on the vManage and vSmart.

Below is the NAT that I applied on my ISR:

 

maguattedieng_2-1743518486905.png

vManage is attempting the following UDP connections to vBond.

11:53:47.383251 IP 172.16.11.12.12546 > 102.164.141.211.12346: UDP, length 165
11:53:47.428141 IP 172.16.11.12.12746 > 102.164.141.211.12346: UDP, length 165
11:53:47.479778 IP 172.16.11.12.13046 > 102.164.141.211.12346: UDP, length 165
11:53:47.680494 IP 172.16.11.12.12446 > 102.164.141.211.12346: UDP, length 165

When we do a tcpdump on the vBond, we see the src IP and dst IP of the packet NATed correctly. However, it seems the destination port number is changed from 12346 to 12348; not sure why that is happening.

 

11:52:25.640336 IP 102.164.141.212.12346 > 172.16.11.11.12348: UDP, length 165
11:52:25.711363 IP 102.164.141.212.12546 > 172.16.11.11.12348: UDP, length 165
11:52:25.813766 IP 102.164.141.212.12646 > 172.16.11.11.12348: UDP, length 165
11:52:25.813885 IP 102.164.141.212.12846 > 172.16.11.11.12348: UDP, length 165
11:52:25.845670 IP 102.164.141.212.12746 > 172.16.11.11.12348: UDP, length 165
11:52:25.916124 IP 102.164.141.212.13046 > 172.16.11.11.12348: UDP, length 165
11:52:26.008868 IP 102.164.141.212.12446 > 172.16.11.11.12348: UDP, length 165

 

What do you think are the probable causes preventing the connection between the vBond and the vManage?
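The two captures above are the raw material for pinpointing where the port changes: pair each vManage packet with its post-NAT twin on the vBond side by source port (which a 1:1 static NAT leaves alone) and compare the translated addresses and the destination port. The script below does that; it is an added example, not part of the thread, and the EXPECTED_NAT map is an assumption about the intended translations read off the posted addresses (vManage 172.16.11.12 <-> 102.164.141.212, vBond 102.164.141.211 <-> 172.16.11.11). The sample lines are the ones posted above.

```python
"""Correlate a pre-NAT capture (vManage side) with a post-NAT capture (vBond side)."""
import re

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Assumed intended 1:1 translations, inferred from the addresses in the thread.
EXPECTED_NAT = {
    "172.16.11.12": "102.164.141.212",   # vManage inside-local -> inside-global
    "102.164.141.211": "172.16.11.11",   # vBond outside-global -> outside-local
}

# Sample lines as posted: vManage side (pre-NAT) and vBond side (post-NAT).
PRE_NAT = """\
11:53:47.383251 IP 172.16.11.12.12546 > 102.164.141.211.12346: UDP, length 165
11:53:47.428141 IP 172.16.11.12.12746 > 102.164.141.211.12346: UDP, length 165
11:53:47.479778 IP 172.16.11.12.13046 > 102.164.141.211.12346: UDP, length 165
11:53:47.680494 IP 172.16.11.12.12446 > 102.164.141.211.12346: UDP, length 165
"""

POST_NAT = """\
11:52:25.711363 IP 102.164.141.212.12546 > 172.16.11.11.12348: UDP, length 165
11:52:25.845670 IP 102.164.141.212.12746 > 172.16.11.11.12348: UDP, length 165
11:52:25.916124 IP 102.164.141.212.13046 > 172.16.11.11.12348: UDP, length 165
11:52:26.008868 IP 102.164.141.212.12446 > 172.16.11.11.12348: UDP, length 165
"""


def parse_capture(text: str) -> list:
    """Parse tcpdump UDP summary lines into dicts; lines that do not match are ignored."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def diff_across_nat(pre: list, post: list, nat: dict) -> list:
    """Return one finding per field that was not translated as the static map predicts."""
    by_sport = {p["sport"]: p for p in post}   # a 1:1 static NAT keeps the source port
    findings = []
    for a in pre:
        b = by_sport.get(a["sport"])
        if b is None:
            findings.append(f"sport {a['sport']}: no matching packet seen on the vBond side")
            continue
        if nat.get(a["sip"]) != b["sip"]:
            findings.append(f"sport {a['sport']}: src {a['sip']} -> {b['sip']}, expected {nat.get(a['sip'])}")
        if nat.get(a["dip"]) != b["dip"]:
            findings.append(f"sport {a['sport']}: dst {a['dip']} -> {b['dip']}, expected {nat.get(a['dip'])}")
        if a["dport"] != b["dport"]:
            findings.append(f"sport {a['sport']}: dst port {a['dport']} -> {b['dport']} (rewritten in transit)")
    return findings


def run_sample() -> list:
    """Compare the two posted captures under the assumed translation map."""
    return diff_across_nat(parse_capture(PRE_NAT), parse_capture(POST_NAT), EXPECTED_NAT)


if __name__ == "__main__":
    for line in run_sample() or ["captures agree with the expected static NAT"]:
        print(line)
```

On the posted lines every flow reports the same thing: addresses translate as expected and only the destination port moves from 12346 to 12348, which narrows the search to whatever rule on the ISR rewrites destination ports, rather than to the controllers themselves.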

EminaBrkanic
Level 1

Did you add allow-service all on the vBond interface?