Transport to Service Outside NAT with DIA

I have a branch with 2 routers and 2 ISPs. I need to forward port 443 from the external IPs (1.1.1.1 and 2.2.2.2) to the internal server 10.0.0.10. The internal server (10.0.0.10) is in Service VPN 10 and has direct internet access with DIA (NAT route to 0.0.0.0 in VPN 0).

Inside NAT works fine from R1 (ISP1) but fails from R2 (ISP2) because the server forwards traffic to R1. The workaround could be to NAT the outside global address (the external client IP) to some outside local address on R2 (something like: ip nat outside source static 1.1.1.2 10.2.0.3). I have done it in the lab without SD-WAN and VRFs and it works, but I can't reproduce it in SD-WAN.

How do I configure ip nat outside in a DIA scenario?

6 Replies

Is it possible for you to create an inter-link between the SD-WAN routers (especially a TLOC extension)?

Yes, there actually is a link between them and a TLOC extension (for now it's one way, from R1 to R2).

rais (Level 7)

All HTTPS traffic coming in from R2 could be source-NATed to R2's public address, with a route added on the server for that public address.

HTH.

I can't do anything from the server side, so the server will always answer to the primary router. So the main idea is to manipulate the source of the incoming packets, to force the server to send replies back to the second router (or to some network behind the secondary router via a static route on the primary).

Should the server honor ICMP redirects from R1, it would install a route to R2 itself.

It could work, but I still need to NAT the client's IP and add a route to that IP from R1 to R2, then check for the ICMP redirect. Without NAT, the client connects from its public IP to both routers and I don't know which one the server needs to reply to.
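For reference, the "NAT the client to an outside-local range and route that range back to R2" idea from this thread, written out as plain IOS (non-VRF, non-SD-WAN) configuration. This is an added example, not configuration posted by anyone in the thread or generated by vManage; it is the lab form the original poster says works outside SD-WAN, and it does not answer how to express the same thing in a Service VPN with DIA. The inter-link addressing (192.168.12.0/24), the outside-local pool (10.2.0.0/24), the ACL and pool names, and the interface names are all assumptions; 1.1.1.1, 2.2.2.2 and 10.0.0.10 are taken from the question.

```cisco
! ===== R2 (ISP2 edge), plain IOS NAT, no VRF =====
interface GigabitEthernet1
 description ISP2 uplink (2.2.2.2 is the public address from the question)
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet2
 description inter-link to R1 (192.168.12.0/24 is an assumed subnet)
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
!
! 1) Publish the server on R2's public address (inside static port forward).
ip nat inside source static tcp 10.0.0.10 443 2.2.2.2 443
!
! 2) Translate every Internet client that arrives on ISP2 for tcp/443 into an
!    outside-local address from a range that exists only behind R2.  The server
!    then replies to 10.2.0.x instead of the client's real public IP, and R1
!    (the server's default gateway) can be told to send that range to R2.
!    add-route installs host routes for the 10.2.0.x addresses pointing out the
!    NAT outside interface, which R2 needs because inside->outside traffic is
!    routed before it is untranslated.  Pool names and sizes are assumptions;
!    a /24 pool allows at most 254 concurrent client addresses.
ip access-list extended INET-CLIENTS-HTTPS
 permit tcp any host 2.2.2.2 eq 443
!
ip nat pool OUTSIDE-LOCAL 10.2.0.1 10.2.0.254 prefix-length 24
ip nat outside source list INET-CLIENTS-HTTPS pool OUTSIDE-LOCAL add-route
!
! R2 reaches the server subnet through R1 over the inter-link.
ip route 10.0.0.0 255.255.255.0 192.168.12.1
!
! ===== R1 (ISP1 edge, server's default gateway) =====
! Static route for the outside-local range back to R2; this is the "route from
! R1 to R2" the original poster refers to.  Nothing changes on the server.
ip route 10.2.0.0 255.255.255.0 192.168.12.2
```

To check it on R2, open a connection to 2.2.2.2:443 from an outside host and run show ip nat translations: a working entry shows the client's public address as the outside global and a 10.2.0.x address as the outside local alongside the 2.2.2.2:443 to 10.0.0.10:443 inside entry, and show ip route on R2 should list the /32 routes that add-route installed for the active outside-local addresses. The single-client static form from the question (ip nat outside source static 1.1.1.2 10.2.0.3 add-route) is the same mechanism with a fixed mapping instead of a pool.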