Beginner

VEdge behind NAT

Hi All , 

 

I have already built a test lab. Tunnels are up, control connections are up, everything is okay.

But when I added a NAT router to test vEdge behind NAT, all tunnels went down.

Are there any special configurations for that?

By the way, I used PAT.

 

Best Regards,

Biran

Cisco Employee

Re: VEdge behind NAT

How do you reach your vBond server? Is it also via the NAT router? If not, then vBond won't be able to determine the public address of the vEdge and hence you won't be able to establish connectivity. Also, it's good to know your NAT router config.
Beginner

Re: VEdge behind NAT

Well, the vEdge is able to reach vBond via NAT (1 to 1), and I checked that control connections are up. But all data plane BFD sessions are down.

Does any STUN service need to be allowed and configured?
Cisco Employee

Re: VEdge behind NAT

No, except the color. Which color do you use?


Beginner

Re: VEdge behind NAT

I used private2. Once I changed it to biz-internet, all came up.

 

Thanks.

Cisco Employee

Re: VEdge behind NAT

Hi Biran,

 

What you are experiencing can be related to the type of color you have used for the transport interface.

Cisco SD-WAN uses two types of colors: public and private. A quick recap of the difference: private colors can't sit behind a NAT router, while public colors can.

The colors metro-ethernet, mpls, and private1 through private6 are private colors. If you are using any of these, you can't put that interface behind the NAT.

 

Please refer to the link below for details:

 

https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Configuration_Commands/color 

 

Regards,

Ehsan


Beginner

Re: VEdge behind NAT

True, it's because of the private2 color I used. Once I changed to biz-internet, all came up.

Beginner

Re: VEdge behind NAT

How can I check the public and private addresses that are mapped in vBond? Is there any CLI to verify?

 

Cisco Employee

Re: VEdge behind NAT

Well, the vBond controller doesn't have a transport interface at all. Color is a characteristic of a transport interface only. As a result, you don't have color as a parameter on the vBond controller.

Having said that, the vManage and vSmart controllers both come with a transport interface, but you still should not / can't define a color for these transport interfaces either!

 

Regards,

Ehsan

Beginner

Re: VEdge behind NAT

I know, of course, that we should not set a color on the controllers. My question was: in vBond, how can I verify the private address of the vEdges that exist behind NAT? As far as I know, vBond is the one that distributes the NATted IP address to the other vEdges, right? So I think there should be a way to verify or see the NAT addresses in vBond.

Cisco Employee

Re: VEdge behind NAT

I see your point now. As you may know, the control connection from the edge router to vBond is up while the control connections to the vManage and vSmart controllers are being established, and it is closed after that. Anyway, you can collect info using the CLI below:

- show orchestrator connections <<<< shows you the current control connections that are established with the current vBond controller

- show orchestrator connections-history <<< this shows the history of whatever has hit the vBond controller.

The above command should be the one you are after. It has a column for "PEER PRIVATE IP" and another one for "PEER PUBLIC IP" and gives you the mapping you are after.

You should be able to achieve the same through the vManage and vSmart controllers too. If you are keen on the CLI command on these controllers:

 

- show control connections-history 

 

Hope that helps.

 

Regards,

Ehsan

 

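Putting Ehsan's two points together (private colors cannot sit behind NAT, and the connections-history table lists PEER PRIVATE IP next to PEER PUBLIC IP), here is an added example script that is not part of the thread or of any Cisco tool: it parses a table of that shape and flags every peer that is behind NAT yet uses a private color, which is exactly the private2 case that took the BFD sessions down. The column layout, addresses and ports are constructed assumptions, not captured device output.

```python
import re
from ipaddress import ip_address

# Private (non-NAT-capable) colors as listed in the thread; everything else is treated as public.
PRIVATE_COLORS = {"metro-ethernet", "mpls"} | {f"private{i}" for i in range(1, 7)}

# Constructed sample, modelled on the PEER PRIVATE IP / PEER PUBLIC IP columns the reply
# mentions. The column layout is an assumption, not real 'show orchestrator' output.
SAMPLE_OUTPUT = """\
PEER TYPE  PEER SYSTEM IP  SITE ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE
vedge      10.1.1.1        100      192.168.1.10     12346              203.0.113.5     40001             private2      up
vedge      10.1.1.2        200      198.51.100.20    12346              198.51.100.20   12346             mpls          up
vedge      10.1.1.3        300      192.168.2.10     12346              203.0.113.6     40002             biz-internet  up
"""

ROW_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<system_ip>\S+)\s+(?P<site>\d+)\s+(?P<priv_ip>\S+)\s+(?P<priv_port>\d+)"
    r"\s+(?P<pub_ip>\S+)\s+(?P<pub_port>\d+)\s+(?P<color>\S+)\s+(?P<state>\S+)\s*$"
)

def parse_connections(text):
    """Parse data rows of the (constructed) connections-history table into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line: SITE ID is not numeric there
        row = m.groupdict()
        ip_address(row["priv_ip"])  # raise on a malformed address
        ip_address(row["pub_ip"])
        rows.append(row)
    return rows

def behind_nat(row):
    """vBond sees both the address the peer reports and the one it arrived from; a mismatch means NAT/PAT is in the path."""
    return (row["priv_ip"], row["priv_port"]) != (row["pub_ip"], row["pub_port"])

def audit(text):
    """Return (system_ip, color, reason) for peers whose private color cannot work behind NAT."""
    findings = []
    for row in parse_connections(text):
        if behind_nat(row) and row["color"] in PRIVATE_COLORS:
            findings.append((row["system_ip"], row["color"],
                             f"private color behind NAT {row['priv_ip']} -> {row['pub_ip']}"))
    return findings

if __name__ == "__main__":
    for system_ip, color, reason in audit(SAMPLE_OUTPUT):
        print(f"{system_ip}: {color}: {reason}")
```

On a real controller, paste the table from `show orchestrator connections-history` into `SAMPLE_OUTPUT` after adjusting `ROW_RE` to the columns your software version prints.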