Beginner

VEdge behind NAT

Hi All,

I have already built a test lab. Tunnels are up, control connections are up, everything is okay.

But I added a NAT router to test vEdge behind NAT. All tunnels are down.

Are there any special configurations for that?

By the way, I used PAT.

Best Regards,

Biran

12 Replies
Cisco Employee

How do you reach your vBond server? Is it also via the NAT router? If not, then vBond won't be able to determine the public address of the vEdge and hence you won't be able to establish connectivity. Also it's good to know your NAT router config.
Well, vEdge is able to reach vBond via NAT (1 to 1) and I checked that control connections are up. But all data plane BFD sessions are down.

Does any STUN service need to be allowed and configured?
No, except the color. Which color do you use?

I used private2. Once I changed it to biz-internet, all came up.

Thanks.

My vBond is in the DMZ zone. vSmart and vManage are in the inside zone. I have a hybrid scenario. Kindly help me to configure NAT on the Cisco ASA so that the controllers can be reached via public IP addresses.

Regards,

Dip

Cisco Employee

Hi Biran,

What you are experiencing can be related to the type of color you have used for the transport interface.

Cisco SD-WAN uses two types of colors: public and private. A quick recap of the difference: private colors can't sit behind a NAT router, while public colors can.

The colors metro-ethernet, mpls, and private1 through private6 are private colors. If you are using any of these, you can't put that interface behind the NAT.

Please refer to the link below for details:

https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Configuration_Commands/color

Regards,

Ehsan

True, it's because of the private2 color I used. Once I changed to biz-internet, all came up.

How can I check the public and private addresses that are mapped in vBond? Is there any CLI to verify?

Well, the vBond controller doesn't have a transport interface by any means. Color is a characteristic of a transport interface only. As a result, you don't have color as a parameter on the vBond controller.

Having said that, the vManage and vSmart controllers both come with a transport interface, but you still should not / can't define a color for these transport interfaces either!

Regards,

Ehsan

I know, of course, that we should not set a color on a controller. My question was: in vBond, how can I verify the private address of vEdges that exist behind NAT? As far as I know, vBond is the one that distributes the NATted IP address to the other vEdges, right? So I think there should be a way to verify or see the NAT addresses in vBond.

I see your point now. As you may know, the control connection from the edge router to vBond stays up while the control connections to the vManage and vSmart controllers are being established, and it is closed after that. Anyway, you can collect the info using the CLI below:

- show orchestrator connections: shows you the current control connections that are established with the current vBond controller

- show orchestrator connections-history: this shows the history of whatever has hit the vBond controller.

The command above should be the one that you are after. It has a column for "PEER PRIVATE IP" and another one for "PEER PUBLIC IP" and gives you the mapping that you are after.

You should achieve the same through the vManage and vSmart controllers too. And if you are keen on a CLI command on these controllers:

- show control connections-history

Hope that helps.

Regards,

Ehsan
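The two points made in this thread, that vBond records a peer's private and public address and that a private color (metro-ethernet, mpls, private1 through private6) must not sit behind NAT, can be turned into a quick audit of the connection-history output. The script below is an added example, not code from the thread or from Cisco. Only the column names "PEER PRIVATE IP" and "PEER PUBLIC IP" come from the thread; the table layout, the SYSTEM IP, COLOR and STATE columns, and every address in the sample are assumptions constructed for this example rather than captured device output, so adapt the parser to the real output of your software version before relying on it.

```python
"""Added example (not from the thread or Cisco): audit a `show orchestrator
connections-history`-style table for edges behind NAT and for the private-color
rule explained in the thread (private colors cannot sit behind a NAT router)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Private colors as listed in the thread: metro-ethernet, mpls, private1..private6.
PRIVATE_COLORS = frozenset({"metro-ethernet", "mpls"} | {f"private{i}" for i in range(1, 7)})


def is_private_color(color: str) -> bool:
    """True for a color that must not be placed behind NAT."""
    return color.strip().lower() in PRIVATE_COLORS


@dataclass(frozen=True)
class PeerRow:
    system_ip: str
    color: str
    private_ip: str
    public_ip: str
    state: str


# Constructed sample, NOT captured device output. The column names
# "PEER PRIVATE IP" and "PEER PUBLIC IP" come from the thread; the other
# columns, the layout and every address are assumptions for this example.
SAMPLE_OUTPUT = """\
PEER SYSTEM IP   COLOR            PEER PRIVATE IP   PEER PUBLIC IP   STATE
10.1.1.1         biz-internet     192.168.10.2      203.0.113.10     up
10.1.1.2         private2         192.168.20.2      203.0.113.20     down
10.1.1.3         mpls             172.16.5.2        172.16.5.2       up
10.1.1.4         public-internet  198.51.100.7      198.51.100.7     up
"""


def parse_peer_table(text: str) -> list[PeerRow]:
    """Parse the five-column constructed layout; header and blank lines are skipped."""
    rows: list[PeerRow] = []
    for line in text.splitlines():
        parts = line.split()
        # The header line splits into more than five tokens, so it is skipped here.
        if len(parts) != 5:
            continue
        # Reject a mangled row instead of reporting a bogus mapping.
        ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])
        rows.append(PeerRow(*parts))
    return rows


def behind_nat(row: PeerRow) -> bool:
    """vBond learns the post-NAT source address; a mismatch with the private IP means NAT is in the path."""
    return row.private_ip != row.public_ip


def audit(rows: list[PeerRow]) -> list[str]:
    """One finding per edge that combines a private color with a NAT-translated address."""
    findings: list[str] = []
    for r in rows:
        if behind_nat(r) and is_private_color(r.color):
            findings.append(
                f"{r.system_ip}: private color {r.color} behind NAT "
                f"({r.private_ip} -> {r.public_ip}); use a public color such as biz-internet"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_peer_table(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the constructed sample, the audit flags only the private2 edge whose private and public addresses differ, which is exactly the situation the original poster hit; the mpls edge is not flagged because its addresses match, so no NAT is in its path.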

 
