VEdge behind NAT

biran
Level 1

Hi all,

I have already built a test lab. Tunnels are up, control connections are up, everything is okay.

But when I add a NAT router to test vEdge behind NAT, all tunnels are down.

Is there any special configuration for that?

By the way, I used PAT.

Best Regards,

Biran

12 Replies

ekhabaro
Cisco Employee
How do you reach your vBond server? Is it also via the NAT router? If not, then vBond won't be able to determine the public address of the vEdge and hence you won't be able to establish connectivity. Also, it's good to know your NAT router config.

Well, vEdge is able to reach vBond via NAT (1 to 1) and I checked that control connections are up. But all data plane BFD sessions are down.

Does any STUN service need to be allowed and configured?

 

No, except the color. Which color do you use?

I used private2. Once I changed it to biz-internet, all came up.

Thanks.


My vBond is in the DMZ zone. vSmart and vManage are in the inside zone. I have a hybrid scenario. Kindly help me configure NAT on the Cisco ASA so the controllers can be reached via public IP addresses.

Regards,

Dip

elesani
Cisco Employee

Hi Biran,

What you are experiencing can be related to the type of color you have used for the transport interface.

Cisco SD-WAN uses two types of colors: public and private. A quick recap of the difference: private colors can't sit behind a NAT router, while public colors can.

The colors metro-ethernet, mpls, and private1 through private6 are private colors. If you are using any of these, you can't put that interface behind NAT.

Please refer to the link below for details:

https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Configuration_Commands/color

Regards,

Ehsan

True, it's because of the private2 color I used. Once I changed to biz-internet, all came up.

How can I check the public and private addresses that are mapped in vBond? Is there any CLI to verify?

 

elesani
Cisco Employee

Well, the vBond controller doesn't have a transport interface at all. Color is a characteristic of a transport interface only. As a result, you don't have color as a parameter on the vBond controller.

Having said that, the vManage and vSmart controllers both come with a transport interface, but you still should not / can't define a color for these transport interfaces either!

Regards,

Ehsan

I know of course that we should not set a color on a controller. My question was: in vBond, how can I verify the private address of the vEdges that exist behind NAT? As far as I know, vBond is the one that distributes the NATted IP address to the other vEdges, right? So I think there should be a way to verify or see the NAT addresses in vBond.

 

elesani
Cisco Employee

I see your point now. As you may know, the control connection from the edge router to vBond stays up only while the control connections to the vManage and vSmart controllers are being established, and it is closed after that. Anyway, you can collect the info using the CLI below:

- show orchestrator connections <<<< shows you the current control connections that are established with this vBond controller

- show orchestrator connections-history <<<< shows the history of whatever has hit the vBond controller.

The second command should be the one you are after. It has a column for "PEER PRIVATE IP" and another one for "PEER PUBLIC IP" and gives you the mapping you are after.

You should be able to get the same through the vManage and vSmart controllers too. If you are keen on a CLI command on these controllers:

- show control connections-history

Hope that helps.

Regards,

Ehsan
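As an added example (not from the thread, and not Cisco's code), the following Python script ties together the two points made above: it parses a constructed, vBond-style connections-history table by its header names, reports the private-to-public address mapping that the "PEER PRIVATE IP" / "PEER PUBLIC IP" columns give you, and flags any peer that was observed behind NAT or PAT while using one of the private colors listed earlier (metro-ethernet, mpls, private1 through private6). The sample rows, the shortened header names and the column order are assumptions made for this example; real `show orchestrator connections-history` output has more columns and should be parsed by its own header line, which is why the parser keys on column names rather than positions.

```python
"""Flag vEdges that sit behind NAT on a private color, from vBond-style
connections-history output. Added example; not code from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Private colors exactly as named in the thread.
PRIVATE_COLORS = {"metro-ethernet", "mpls"} | {f"private{i}" for i in range(1, 7)}

# Constructed sample in the spirit of 'show orchestrator connections-history'.
# Header names and column order are assumptions for this example only.
SAMPLE_HISTORY = """\
PEER-TYPE  SYSTEM-IP  SITE-ID  PRIVATE-IP  PRIVATE-PORT  PUBLIC-IP     PUBLIC-PORT  COLOR         STATE
vedge      10.1.1.1   1        10.10.1.2   12346         203.0.113.5   40001        private2      down
vedge      10.1.1.2   2        10.10.2.2   12346         198.51.100.7  12346        biz-internet  up
vedge      10.1.1.3   3        192.0.2.9   12346         192.0.2.9     12346        mpls          up
"""


@dataclass
class Peer:
    system_ip: str
    site_id: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    color: str
    state: str

    @property
    def behind_nat(self) -> bool:
        """vBond records the source it actually saw the peer from; if that differs
        from what the peer reports as its own address/port, NAT (or PAT) is in the path."""
        return self.private_ip != self.public_ip or self.private_port != self.public_port


def parse_history(text: str) -> List[Peer]:
    """Parse a whitespace-separated table by header name, so column order does not matter."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    col = {name: i for i, name in enumerate(lines[0].split())}
    peers: List[Peer] = []
    for ln in lines[1:]:
        f = ln.split()
        # Validate addresses so a garbled row fails loudly instead of mis-mapping silently.
        private_ip = str(ip_address(f[col["PRIVATE-IP"]]))
        public_ip = str(ip_address(f[col["PUBLIC-IP"]]))
        peers.append(Peer(
            system_ip=f[col["SYSTEM-IP"]],
            site_id=f[col["SITE-ID"]],
            private_ip=private_ip,
            private_port=int(f[col["PRIVATE-PORT"]]),
            public_ip=public_ip,
            public_port=int(f[col["PUBLIC-PORT"]]),
            color=f[col["COLOR"]].lower(),
            state=f[col["STATE"]].lower(),
        ))
    return peers


def nat_mappings(peers: List[Peer]) -> Dict[str, Tuple[str, str]]:
    """system-ip -> (private ip:port, public ip:port) for every peer seen behind NAT."""
    return {
        p.system_ip: (f"{p.private_ip}:{p.private_port}", f"{p.public_ip}:{p.public_port}")
        for p in peers if p.behind_nat
    }


def private_color_behind_nat(peers: List[Peer]) -> List[str]:
    """System IPs using a private color that vBond nevertheless saw behind NAT:
    the combination the thread identifies as the reason BFD sessions stay down."""
    return [p.system_ip for p in peers if p.behind_nat and p.color in PRIVATE_COLORS]


if __name__ == "__main__":
    peers = parse_history(SAMPLE_HISTORY)
    for sys_ip, (priv, pub) in nat_mappings(peers).items():
        print(f"{sys_ip}: private {priv} -> public {pub}")
    for sys_ip in private_color_behind_nat(peers):
        print(f"WARNING: {sys_ip} uses a private color behind NAT; use a public color instead")
```

On the constructed sample, only site 1 is reported: its private2 transport was seen from a different address and port than it announced, which is the mismatch that kept the data plane down in this thread. Site 2 is also behind NAT but on biz-internet, a public color, so it is listed in the mapping and not flagged; site 3 is on mpls with identical private and public tuples, so no NAT is in its path.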
