vManage behind a NAT

LukeDel
Level 1

We are setting up an SD-WAN with the controllers on-prem. We would like to put the vSmart and vManage behind a NAT (not 1:1) using an ISP WAN connection (not MPLS). The vBond will be placed outside the NAT with a public IP. I know the vBond can act as a STUN server for vEdge devices behind a NAT. If the color of the VPN0 interface on the vManage server is private, will devices outside the NAT be able to connect to it? I've read docs that say you need a 1:1 NAT, but I've also read posts that say it should work. I'm hoping that, as you set the color to private, vBond sends the private and public IP of vManage to the cEdge devices and they connect to the vManage using STUN to get around the NAT. Is this the case?

4 Replies

balaji.bandi
Hall of Fame

There are limitations if you do not have 1:1 NAT (that means Cisco has tested and provided the use case for customers).

The presentations below will help you with on-prem SD-WAN design considerations.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKRST-2559.pdf

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKCRS-2117.pdf

but I've also read posts that say it should work

This case is not one that I am aware of working for me when we were testing. Again, that is my view (talk to your partner and ask whether any of the latest versions, 20.X onwards, fixed any features?).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the reply.

I've read those presentations.

I guess it isn't going to work then and we need a 1:1 NAT.

Yes, that is a feasible solution, or go for the Cisco cloud solution.

BB


STUN is relevant for vEdge-to-vEdge communication.

In your case, vManage is also behind a firewall, and the vEdge has to initiate the connection to vManage. Thus, the NAT device that translates vManage's address has to allow this externally initiated traffic.

Taking into account that normal NAT devices do port-restricted cone (i.e. PAT) or symmetric (i.e. PAT with port randomization) NAT, nobody can initiate a request towards vManage.

That's why you need full-cone (i.e. 1:1) NAT for the controllers.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
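The reply above rests on how the three NAT behaviours it names treat an unsolicited inbound packet. The following Python model is an added illustration, not code from this thread or from Cisco, and it simplifies: it assumes constructed addresses (198.51.100.1 for the NAT's public side, 10.0.0.5 for vManage, 192.0.2.1 for vBond, 203.0.113.10 for an edge), assumes the control connection runs on UDP/TCP port 12346, and treats a static 1:1 entry as port-preserving and open to any outside source. It shows that the only "hole" vManage's own registration with vBond can open is usable by vBond alone under port-restricted or symmetric NAT, so an edge that tries the public ip:port vBond learned is dropped unless the NAT is full-cone or has a static 1:1 mapping.

```python
from dataclasses import dataclass, field
from enum import Enum


class NatType(Enum):
    FULL_CONE = "full-cone"
    PORT_RESTRICTED = "port-restricted cone (PAT)"
    SYMMETRIC = "symmetric (PAT with per-destination ports)"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    kind: NatType
    public_ip: str
    next_port: int = 40000
    static: dict = field(default_factory=dict)   # public port -> (inside ip, inside port), admin-configured 1:1
    by_key: dict = field(default_factory=dict)   # dynamic mapping key -> public port
    by_port: dict = field(default_factory=dict)  # public port -> (inside ip, inside port, peers contacted)

    def add_static(self, public_port, inside_ip, inside_port):
        """Admin-configured 1:1 translation: inbound to public_port is forwarded from anyone."""
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside host sends pkt out; returns the public source port the outside world sees."""
        for pub, inside in self.static.items():
            if inside == (pkt.src_ip, pkt.src_port):
                return pub  # assumption: a 1:1 NAT keeps the inside port unchanged
        peer = (pkt.dst_ip, pkt.dst_port)
        # cone NATs key the mapping on the inside socket only; symmetric NAT adds the destination
        key = (pkt.src_ip, pkt.src_port) + (peer if self.kind is NatType.SYMMETRIC else ())
        if key not in self.by_key:
            pub = self.next_port
            self.next_port += 1
            self.by_key[key] = pub
            self.by_port[pub] = (pkt.src_ip, pkt.src_port, set())
        pub = self.by_key[key]
        self.by_port[pub][2].add(peer)
        return pub

    def inbound(self, pkt):
        """Outside host sends pkt to public_ip:dst_port; returns inside (ip, port), or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.static:
            return self.static[pkt.dst_port]
        entry = self.by_port.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping at all: an unsolicited packet is dropped
        in_ip, in_port, peers = entry
        if self.kind is NatType.FULL_CONE or (pkt.src_ip, pkt.src_port) in peers:
            return (in_ip, in_port)
        return None  # port-restricted/symmetric: only a peer the inside host already contacted gets in


# Constructed addresses for the scenario in the thread (not real deployment values)
NAT_PUBLIC_IP = "198.51.100.1"
VMANAGE = ("10.0.0.5", 12346)       # vManage VPN0 interface, control-connection port assumed
VBOND = ("192.0.2.1", 12346)        # vBond outside the NAT on a public IP
EDGE = ("203.0.113.10", 12346)      # a WAN edge outside the NAT


def peer_can_reach_vmanage(kind, peer, registers_with_vbond=True, one_to_one=False):
    """Can `peer` open a control connection to vManage through a NAT of type `kind`?"""
    nat = Nat(kind, NAT_PUBLIC_IP)
    if one_to_one:
        nat.add_static(VMANAGE[1], *VMANAGE)
    public_port = VMANAGE[1]
    if registers_with_vbond:
        # vManage's own connection to vBond is the only outbound flow; vBond learns the
        # public ip:port it arrived from and hands that to the edges
        public_port = nat.outbound(Packet(*VMANAGE, *VBOND))
    syn = Packet(*peer, NAT_PUBLIC_IP, public_port)
    return nat.inbound(syn) == VMANAGE


def summary():
    """Outcome per NAT type for an edge dialling the address vBond learned (no static entry)."""
    return {kind.name: peer_can_reach_vmanage(kind, EDGE) for kind in NatType}


if __name__ == "__main__":
    for name, ok in summary().items():
        print(f"{name:16s} edge -> vManage: {'connects' if ok else 'dropped'}")
    print("symmetric NAT with static 1:1 entry:", peer_can_reach_vmanage(NatType.SYMMETRIC, EDGE, one_to_one=True))
```

Running it prints "connects" only for FULL_CONE among the dynamic cases; swapping the edge for vBond succeeds under every type, because vBond is the peer vManage already contacted, which is exactly why the vBond-assisted hole does not help the edges. Adding the static entry makes the edge succeed regardless of NAT type.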