How does SD-WAN NAT work?

Updated 12/20/2018 5:01:01 AM by Comcast Expert

Introduction

Network Address Translation (NAT) is a common routing function that maps a private IP address space behind a single public IP address. A router accomplishes this by rewriting the source or destination IP address in the IP header of each packet (and, when many hosts share one public address, the transport-layer port as well, so that return traffic can be matched back to the right private host). ActiveCore's implementation of NAT allows users to create two types of rules, source NAT and destination NAT. Source NAT rules rewrite the source IP address in the IP header; destination NAT rules rewrite the destination IP address.

When creating destination NAT rules, the firewall usually needs an additional rule as well, one that allows inbound Internet traffic to initiate a session with the server inside the LAN behind the firewall. The NAT rule only rewrites the address; it does not by itself permit traffic from the untrusted zone into the LAN.

There are three common NAT configurations: port forwarding, 1:1 and 1:Many. An example of each follows.

Port forwarding

Destination NAT rules are used for port forwarding. In this example, a user is creating a NAT rule that allows traffic from the Internet (untrusted zone) to initiate a session with a server inside the LAN. The example rule forwards all incoming traffic with a destination port number of 23 to the server on the network addressed 192.168.10.10. Note that port 23 is Telnet, which carries logins in cleartext; if a rule like this is needed in practice, restrict the matching firewall rule to the specific source addresses that need access rather than the whole untrusted zone.

What does it look like?

ActiveCore configuration [screenshot of the destination NAT rule]
If the Normal firewall profile is in use, an additional firewall rule must be created to allow the traffic to pass from the Internet into the LAN. Below is an example of the firewall rule needed to support this destination NAT policy.

[screenshot of the firewall rule]

1:1 NAT rules

A 1:1 NAT rule is also a destination NAT rule, since the SD-WAN service rewrites the destination IP address to the private IP address of a server inside the LAN. Unlike port forwarding, it matches on the public destination address alone, so every port is forwarded to that server.

In this example, the NAT rule sends all traffic with a destination IP address of 23.45.67.12 to the server on the LAN addressed 192.168.10.11.

What does it look like?

ActiveCore configuration [screenshot of the 1:1 NAT rule]
As with a destination NAT policy for port forwarding, a firewall rule is needed to allow the traffic to pass into the LAN. Below is an example that aligns to the NAT policy created. Because a 1:1 rule forwards every port, the firewall rule is what limits exposure: allow only the ports the server actually serves rather than all traffic to the host.

[screenshot of the firewall rule]

1:Many source NAT rule

1:Many configurations require a source NAT rule. This type of rule lets many clients on the LAN side, using private IP space, communicate behind a single public IP address; the uCPE keeps a session table so that replies addressed to that public IP reach the right client. In this example, a site is currently using the public IP address assigned to the WAN interface of the uCPE. Because a single public address can only multiplex a finite number of concurrent sessions, a second public IP is added by creating a source NAT rule, which expands the number of sessions the LAN can support.

What does it look like?

ActiveCore configuration [screenshot of the source NAT rule]
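
To make the three rule types concrete, here is an added Python model of the uCPE's NAT and firewall behaviour; it is an illustration written for this page, not ActiveCore's own code or configuration. It covers the port-forwarding, 1:1 and 1:Many examples above together with the firewall rule each destination NAT rule needs. The addresses 23.45.67.12, 192.168.10.10 and 192.168.10.11 and port 23 come from the article; the WAN address 23.45.67.11, the second public address 23.45.67.13, the 192.168.20.0/24 subnet, the ephemeral port range, and the assumption that the firewall evaluates the translated (LAN) destination are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Ports one public address can hand out to translated sessions
# (assumption: the ephemeral range; a real uCPE may use a different range).
PORT_RANGE = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Toy uCPE: destination NAT (port forwarding, 1:1), source NAT (1:Many), firewall."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.dnat = []         # (public_ip, public_port or None for all ports, lan_ip)
        self.fw_allow = set()  # (lan_ip, port or None) allowed in from the untrusted zone
        self.snat = []         # (lan_network, public_ip): source NAT rules
        self.sessions = {}     # (public_ip, public_port) -> (lan_ip, lan_port)
        self.by_lan = {}       # (lan_ip, lan_port) -> (public_ip, public_port)
        self.next_port = {wan_ip: PORT_RANGE.start}  # next free port per public address

    def add_port_forward(self, public_port, lan_ip):
        """Destination NAT on the WAN address for a single port."""
        self.dnat.append((self.wan_ip, public_port, lan_ip))

    def add_one_to_one(self, public_ip, lan_ip):
        """Destination NAT for every port of a dedicated public address."""
        self.dnat.append((public_ip, None, lan_ip))

    def add_source_nat(self, lan_network, public_ip):
        """1:Many: hosts in lan_network leave with public_ip as their source address."""
        self.snat.append((ipaddress.ip_network(lan_network), public_ip))
        self.next_port.setdefault(public_ip, PORT_RANGE.start)

    def allow_inbound(self, lan_ip, port=None):
        """Firewall rule letting the untrusted zone initiate sessions to a LAN host."""
        self.fw_allow.add((lan_ip, port))

    def inbound(self, pkt):
        """Packet from the Internet: returns the rewritten packet, or None if dropped."""
        # Replies to sessions the LAN opened are found in the state table and
        # pass without an explicit firewall rule (stateful behaviour).
        hit = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if hit:
            return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        for public_ip, public_port, lan_ip in self.dnat:
            if pkt.dst_ip == public_ip and public_port in (None, pkt.dst_port):
                # The NAT rule only rewrites the address; the Normal profile still
                # drops untrusted->LAN unless a firewall rule allows it. Assumption:
                # the firewall sees the post-translation (LAN) destination.
                if (lan_ip, pkt.dst_port) in self.fw_allow or (lan_ip, None) in self.fw_allow:
                    return replace(pkt, dst_ip=lan_ip)
                return None
        return None

    def outbound(self, pkt):
        """Packet from the LAN: source NAT with a unique public port per session."""
        if (pkt.src_ip, pkt.src_port) in self.by_lan:
            public_ip, public_port = self.by_lan[(pkt.src_ip, pkt.src_port)]
            return replace(pkt, src_ip=public_ip, src_port=public_port)
        public_ip = self.wan_ip  # default: the WAN interface address
        for network, ip in self.snat:
            if ipaddress.ip_address(pkt.src_ip) in network:
                public_ip = ip
        port = self.next_port[public_ip]
        if port not in PORT_RANGE:
            return None  # no ports left on this public address: what a second public IP fixes
        self.next_port[public_ip] = port + 1
        self.sessions[(public_ip, port)] = (pkt.src_ip, pkt.src_port)
        self.by_lan[(pkt.src_ip, pkt.src_port)] = (public_ip, port)
        return replace(pkt, src_ip=public_ip, src_port=port)

    def session_capacity(self):
        """Concurrent outbound sessions the LAN can hold: one port range per public address."""
        return len(self.next_port) * len(PORT_RANGE)


def build_example():
    """The article's three rules plus the firewall rules the two DNAT rules need."""
    box = NatBox(wan_ip="23.45.67.11")                   # assumed uCPE WAN address
    box.add_port_forward(23, "192.168.10.10")             # port forwarding example
    box.allow_inbound("192.168.10.10", 23)                # its firewall rule (port 23 only)
    box.add_one_to_one("23.45.67.12", "192.168.10.11")    # 1:1 example
    box.allow_inbound("192.168.10.11")                    # its firewall rule (all ports)
    box.add_source_nat("192.168.20.0/24", "23.45.67.13")  # 1:Many on an assumed second public IP
    return box
```

Calling `build_example()` and feeding packets to `inbound()` and `outbound()` shows two things the screenshots cannot: a destination NAT rule without its firewall rule still matches but the packet is dropped, and every outbound session consumes one public port, so `session_capacity()` doubles once the source NAT rule brings in the second public address.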
