SDWAN NAT from Tunnel

Learning101
Level 1

Hi,

I need some help regarding NAT translation in an SD-WAN environment.

I have created a simple topology in my lab, and it does not seem to work.

(attached image: nat_topology.PNG)

I want all the traffic from the tunnel side on router cEdge-1 that has src 10.0.0.0/8 and dst 192.168.1.0/24 to have its source IPv4 address translated to the IPv4 address 10.10.10.1. This address is on router cEdge-1 interface G1.

I have partially achieved that, but I'm having issues with the returning traffic from the service side on cEdge-1.

EXAMPLE

R2 ping:


Sending 1000, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.6.9.6
...............

cEdge-1 NAT rules:


ip nat pool natpool15 10.10.10.1 10.10.10.6 prefix-length 29
ip nat outside source list global-list pool natpool15 vrf 696 match-in-vrf overload

Traffic data policy cEdge-1:


from-vsmart data-policy _696_cEdge-1
 direction from-tunnel
 vpn-list 696
  sequence 1
   match
    source-ip      10.0.0.0/8
    destination-ip 192.168.1.0/24
   action accept
    count nat_src_861100929
    nat pool 15
  default-action accept
from-vsmart lists vpn-list 696
 vpn 696


IP NAT Translations cEdge-1:


Pro  Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.1:176       192.168.1.1:176       10.10.10.1:176        10.6.9.6:176

I can see that the translation has been done, and I can also see the traffic is returning on cEdge-1 G1 interface.

Packet capture on cEdge-1 G1 interface:

(attached image: traffic_G1.PNG)

10.6.9.6 has been translated to 10.10.10.1 and sent to 192.168.1.1, and traffic is also returning from 192.168.1.1 to 10.10.10.1.

BUT the traffic does not reach the cEdge-2 router; I do not see any packets coming from cEdge-1 on cEdge-2 if I do a packet capture there.

Keep in mind that if I remove NAT and put a default route on R1 that points to the cEdge-1 G1 interface, I can ping 192.168.1.1 from R2, so it does not seem to be a routing issue.

I presume it has to be something with the data traffic policy for direction from-service?

Thank you for your help

Best Regards


3 Replies

fniccola
Cisco Employee

ciao!

Can you also post the configuration of the transport and service interfaces?

I'll test this solution in my lab.

TKK

FabioN

Hi,

cEdge-1

Transport:

interface GigabitEthernet0/0/0
 ip address XYZ
 no ip redirects
 load-interval 30
 negotiation auto
 arp timeout 1200
 service-policy output shape_GigabitEthernet0/0/0

Service:

interface GigabitEthernet0/0/1
 description LAN
 vrf forwarding 696
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nbar protocol-discovery
 load-interval 30
 negotiation auto
 arp timeout 1200

cEdge-2

Transport:

interface GigabitEthernet0/0/0
 description INET
 no ip address
 speed 1000
 no negotiation auto
 channel-group 20 mode active

Service:

interface Port-channel10.696
 description LAN-696
 encapsulation dot1Q 696
 vrf forwarding 696
 ip address XYZ


fniccola
Cisco Employee

ciao!

I tested the configuration in my lab; the behavior is exactly the same as in your lab.

- I can see the translation on edge1, but I can't ping from 10.6.9.6 to 192.168.1.1 (10.6.9.6 is correctly translated to 10.10.10.1):

Site1-cEdge01#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.1:18        192.168.1.1:18        10.10.10.1:18         10.6.9.6:18

- A possible solution is to use a NAT pool that starts from 10.10.10.3 and goes up to whatever you want (tested, works correctly). In this case you will be able to ping from 10.6.9.6 to 192.168.1.1 (10.6.9.6 is correctly translated to 10.10.10.3).

 

Below is my configuration:

on edge1:

ip nat pool natpool1 10.10.10.3 10.10.10.254 prefix-length 24
ip nat outside source list global-list pool natpool1 vrf 1 match-in-vrf

on vsmart:

policy
data-policy _VPN_1_NAT_test
  vpn-list VPN_1
   sequence 1
    match
     source-data-prefix-list      Source
     destination-data-prefix-list Dest
    !
    action accept
     nat pool 1
    !
   !
   default-action accept
  !
!
lists
  vpn-list VPN_1
   vpn 1
  !
  data-prefix-list Dest
   ip-prefix 192.168.1.1/32
  !
  data-prefix-list Source
   ip-prefix 10.0.0.0/8
  !
  site-list 1001
   site-id 1001
  !
!
!
apply-policy
site-list 1001
  data-policy _VPN_1_NAT_test from-tunnel
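The two pools in this thread differ only in where the range starts: the OP's natpool15 begins at 10.10.10.1, which is cEdge-1's own G0/0/1 address, while the working pool begins at 10.10.10.3. The following is an added example, not code from the thread or from Cisco, that parses IOS-XE style `interface` and `ip nat pool` lines and flags any pool whose range contains a configured interface address; the sample config is constructed from the values posted above.

```python
import ipaddress
import re

# Constructed sample built from this thread: cEdge-1's service interface, the
# OP's pool (starts at the interface's own address) and the working pool.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 description LAN
 vrf forwarding 696
 ip address 10.10.10.1 255.255.255.0
ip nat pool natpool15 10.10.10.1 10.10.10.6 prefix-length 29
ip nat pool natpool1 10.10.10.3 10.10.10.254 prefix-length 24
"""

def parse_interfaces(text):
    """Return {name: (vrf, ip_interface)} for every interface with an IPv4 address."""
    result, name, vrf = {}, None, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            name, vrf = m.group(1), None
            continue
        if name is None:
            continue
        if not line.startswith(" "):  # any column-0 line ends the interface block
            name = None
            continue
        m = re.match(r"\s+vrf forwarding (\S+)", line)
        if m:
            vrf = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m:
            result[name] = (vrf, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    return result

def parse_pools(text):
    """Return {pool_name: (first_ip, last_ip)} from 'ip nat pool' lines."""
    pat = r"^ip nat pool (\S+) (\S+) (\S+) prefix-length \d+"
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(pat, text, re.M)}

def pool_conflicts(text):
    """(pool, interface) pairs where the pool range contains an interface's own
    address, so replies to that address terminate on the router, as seen above."""
    ifaces = parse_interfaces(text)
    return [(pool, name)
            for pool, (first, last) in parse_pools(text).items()
            for name, (_vrf, iface) in ifaces.items()
            if first <= iface.ip <= last]
```

Running `pool_conflicts(SAMPLE_CONFIG)` reports natpool15 against GigabitEthernet0/0/1 and nothing for natpool1, matching what the two labs observed.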