
Versa Supported NAT TYPES

Parbhat Kapoor
parbhat@versa-networks.com
This deck presents the following NAT types, in the order listed:

1. Basic NAT
2. Destination NAT
3. Dynamic NAT
4. NAPT44 (PAT)
5. Twice-basic-nat-44
6. Twice-dynamic-nat-44
7. Twice-napt-44
Before covering the individual NAT types, let's define what each field in a CGNAT Pool/Rule means:

CGNAT NAT Pool General Tab:

• Description, Tags and Timeout are optional attributes.
• Timeout: Leave this empty if the requirement is to use the default session timeouts. If custom timeout configurations are deemed necessary, add them here on a per-CGNAT-pool basis; when a session matches the NAT pool, the timeout values configured for each protocol are applied.
• Description: Provides a brief explanation of the CGNAT pool and its purpose.
• Tags: Tags act as a filter in the configurations.
CGNAT Pool IP Address Tab:
• The IP Address tab provides 3 options to choose from:
1) IP Address/Range
2) Egress Network
3) Egress Interface

• IP Address/Range Usage: The values given in this field depend mostly on the NAT type being implemented.
Example:
  o If the NAT type is Destination NAT: you provide the internal IP address of the host
  o If the NAT type is Basic/Dynamic NAT: you provide the Public IP/pool that is used to translate the internal LAN network

• Egress Network Usage: This option is most commonly used when the NAT type is NAPT [port-based translation]

• Address Allocation Scheme: "Round Robin" is the only available allocation scheme as of now

• Routing Instance: Again, this field depends mostly on the NAT type being implemented.
Example:
  o If the NAT type is Destination NAT: choose the LAN-VR
  o If the NAT type is Basic/Dynamic NAT: choose the Transport-VR
CGNAT Pool Port Tab:
• The Port tab provides various options in order to provide port forwarding abilities:
  o Destination Port
  o Source Port

The following NAT types do not support port forwarding, so skip this tab for them:
  o Basic NAT
  o Dynamic NAT

Destination NAT: Uses "Destination Port", the port on which the server is actually listening

NAPT: Uses Source Port and its related fields:

• PBA: Port Block Allocation ensures that when a subscriber requires a port to be assigned for the first time, a block of ports is allocated to that particular subscriber
• Preserve SRC Port Parity: Allocate a port with the same parity (odd/even) as the original port
• Preserve SRC Port Range: Preserve the privileged port range after translation (a privileged original port stays in the privileged range)
• Allocate IP/port randomly: Allocate the IP/port randomly from the range
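The following Python model is an added example, not Versa's code or anything from this deck: it shows how Port Block Allocation, parity preservation, privileged-range preservation and random allocation interact when a source port is translated. The pool bounds (1024-65535 by default), the block size of 64 and the subscriber addresses are assumptions.

```python
import random

PRIVILEGED_MAX = 1023  # ports 0-1023 are the privileged (well-known) range


class PortAllocator:
    """Toy model (an assumption for this page, not Versa's implementation) of the
    CGNAT pool port options: Port Block Allocation, Preserve SRC Port Parity,
    Preserve SRC Port Range and random allocation."""

    def __init__(self, low=1024, high=65535, block_size=64,
                 preserve_parity=False, preserve_range=False, seed=None):
        self.high = high
        self.block_size = block_size
        self.preserve_parity = preserve_parity
        self.preserve_range = preserve_range
        self.randomize = seed is not None      # "Allocate IP/port randomly"
        self.rng = random.Random(seed)         # seeded so runs are reproducible
        # PBA: the pool is pre-carved into fixed-size blocks (start port kept)
        self.free_blocks = list(range(low, high + 1, block_size))
        self.owned = {}       # subscriber (internal IP) -> list of block starts
        self.in_use = set()   # translated ports currently allocated

    def _block_ports(self, start):
        return range(start, min(start + self.block_size, self.high + 1))

    def _acceptable(self, port, original):
        if port in self.in_use:
            return False
        if self.preserve_parity and port % 2 != original % 2:
            return False
        if self.preserve_range and (original <= PRIVILEGED_MAX) != (port <= PRIVILEGED_MAX):
            return False
        return True

    def _pick_from_owned(self, subscriber, original):
        for start in self.owned.get(subscriber, []):
            cands = [p for p in self._block_ports(start) if self._acceptable(p, original)]
            if cands:
                return self.rng.choice(cands) if self.randomize else cands[0]
        return None

    def allocate(self, subscriber, original_port):
        """Translated port for one flow, or None if no port can satisfy the options."""
        port = self._pick_from_owned(subscriber, original_port)
        if port is None:
            # First flow for this subscriber (or its blocks are full/unsuitable):
            # PBA hands out a whole block, not a single port.
            usable = [s for s in self.free_blocks
                      if any(self._acceptable(p, original_port) for p in self._block_ports(s))]
            if not usable:
                return None
            start = self.rng.choice(usable) if self.randomize else usable[0]
            self.free_blocks.remove(start)
            self.owned.setdefault(subscriber, []).append(start)
            port = self._pick_from_owned(subscriber, original_port)
        self.in_use.add(port)
        return port

    def release(self, port):
        self.in_use.discard(port)


if __name__ == "__main__":
    # Constructed demo: two NAPT subscribers, addresses as in the NAPT44 output later in this deck.
    alloc = PortAllocator(preserve_parity=True)
    print(alloc.allocate("172.16.139.50", 1024))   # even original -> even port from block 1024-1087
    print(alloc.allocate("172.16.139.50", 1025))   # odd original -> odd port from the same block
    print(alloc.allocate("172.16.139.51", 1024))   # new subscriber -> its own block
    print(alloc.owned)
```

Running it shows a subscriber's second flow being served from the block it already owns (the PBA property that makes per-subscriber logging cheap: one record per block rather than per port), parity being kept, and a request to preserve the privileged range from a pool that contains no privileged ports returning None instead of silently violating the option.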
CGNAT NAT Rule General Tab:
• Description: Provides a brief explanation of the CGNAT rule and its purpose
• Tags: Tags act as a filter in the configurations
• Precedence: (Value range 0 – 255) The precedence value gives priority to rules. If two identical rules are present in the configuration, the rule with the higher precedence value is matched first. It acts as a sequence number: the higher the number, the more preferred the rule is to match against.
• Paired Site: Only enable if the sites are deployed as an Active-Active HA pair
CGNAT Rule Match Tab:
• Match tab: You can specify Source and Destination together, or just either of them, depending on the NAT type.

Example:

• Basic NAT: Source has to be the internal IP space that will be NATed with its associated CGNAT pool.
Destination: Can be left blank, or you can provide the list of destinations this rule will be applied to.

• Dynamic NAT: Same as Basic NAT. Source zones or IP Address/Range: at least one of these options has to be present.
Destination: Can be left blank.

• Destination NAT: Source field can be left blank.
Destination: Provide the public IP of the internal server that is accessible from outside.
CGNAT Rule Action Tab:
• Disable Translation: By default the RFC_1918_NoTranslate rule is enabled with this option
• NAT Mode: The NAT modes supported by Versa, except MAPT
• Source/Destination pool: The choice depends on which NAT mode is selected in the field above
• LEF Profile: Select one if you want Analytics to provide the logs
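As an added example (written for this page, not taken from Versa or this deck) of how the General, Match and Action tabs fit together, the Python below models rule selection: highest precedence value first, a blank Source or Destination meaning "any", and per-mode pool requirements. The precedence values, pool names, the NAT-mode strings other than the three twice-* names used later in this deck, and the 203.0.113.0/24 and 198.51.100.0/24 "public" addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Destination prefixes for the default RFC_1918_NoTranslate rule (assumed for this
# model; the deck only says such a rule exists with Disable Translation set).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SOURCE_MODES = ("basic-nat-44", "dynamic-nat-44", "napt-44")   # mode names assumed
TWICE_MODES = ("twice-basic-nat-44", "twice-dynamic-nat-44", "twice-napt-44")


def _in_any(ip: str, prefixes: List[str]) -> bool:
    """An empty match list means 'any', as a blank field on the Match tab does."""
    if not prefixes:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


@dataclass
class NatRule:
    name: str
    precedence: int                                       # 0-255, higher wins
    source: List[str] = field(default_factory=list)       # Match tab, Source
    destination: List[str] = field(default_factory=list)  # Match tab, Destination
    nat_mode: Optional[str] = None                        # Action tab, NAT Mode
    source_pool: Optional[str] = None
    destination_pool: Optional[str] = None
    disable_translation: bool = False                     # Action tab, Disable Translation

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in_any(src_ip, self.source) and _in_any(dst_ip, self.destination)


def validate(rule: NatRule) -> None:
    """Reject rule configurations the tabs described above would not accept."""
    if not 0 <= rule.precedence <= 255:
        raise ValueError(f"{rule.name}: precedence must be 0-255")
    if rule.disable_translation:
        return
    if rule.nat_mode in SOURCE_MODES and not rule.source_pool:
        raise ValueError(f"{rule.name}: {rule.nat_mode} needs a source pool")
    if rule.nat_mode == "destination-nat" and not rule.destination_pool:
        raise ValueError(f"{rule.name}: destination-nat needs a destination pool")
    if rule.nat_mode in TWICE_MODES and not (rule.source_pool and rule.destination_pool):
        raise ValueError(f"{rule.name}: {rule.nat_mode} needs both pools")
    if rule.nat_mode not in SOURCE_MODES + TWICE_MODES + ("destination-nat",):
        raise ValueError(f"{rule.name}: unknown NAT mode {rule.nat_mode!r}")


def select_rule(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Highest precedence first; ties keep configuration order (stable sort)."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


# Constructed rule set modelled on the deck; precedence values, pool names and
# the 203.0.113.0/24 "public" addresses are assumptions.
DEMO_RULES = [
    NatRule("RFC_1918_NoTranslate", 100, destination=RFC1918, disable_translation=True),
    NatRule("WebServer-Basic", 50, source=["172.16.121.9/32"],
            nat_mode="basic-nat-44", source_pool="WebServer-Public-Pool"),
    NatRule("LAN-Dynamic", 40, source=["172.16.120.0/24"],
            nat_mode="dynamic-nat-44", source_pool="LAN-Public-Pool"),
    NatRule("LAN-Dynamic-v2", 60, source=["172.16.120.0/24"],
            nat_mode="dynamic-nat-44", source_pool="LAN-Public-Pool-v2"),
    NatRule("WebServer-Inbound", 50, destination=["203.0.113.121/32"],
            nat_mode="destination-nat", destination_pool="WebServer-Internal-Pool"),
]
for _r in DEMO_RULES:
    validate(_r)


def describe(src_ip: str, dst_ip: str, rules=DEMO_RULES) -> str:
    rule = select_rule(rules, src_ip, dst_ip)
    if rule is None:
        return "no rule"
    if rule.disable_translation:
        return f"{rule.name}: translation disabled"
    return f"{rule.name}: {rule.nat_mode} via {rule.source_pool or rule.destination_pool}"


if __name__ == "__main__":
    for flow in [("172.16.121.9", "8.8.8.8"), ("172.16.121.9", "10.40.146.204"),
                 ("172.16.120.9", "8.8.8.8"), ("198.51.100.7", "203.0.113.121")]:
        print(flow, "->", describe(*flow))
```

The two LAN-Dynamic rules are identical except for precedence, which is exactly the "two identical rules" case from the General tab: the one with value 60 wins. The no-translate rule sitting at the highest precedence is what keeps private-to-private traffic (for example to 10.40.146.204) from being translated even though the Basic NAT rule's blank Destination would otherwise match it.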
NAT TYPE 1: Basic NAT
Basic NAT: One-to-One NAT

Internal IP      Public IP/FQDN
172.16.121.9     172.16.20.135

[Diagram: Web Server 172.16.121.9 in the Data Center reaches the Internet over the WAN for Windows Server patch updates]
Usage in Production: An internal server needs to communicate over the Internet, e.g. for patch updates.
Versa Basic NAT also automatically creates a bi-directional NAT entry.
Step 1: Configure NAT pool

In the NAT Pool we define the Public IP Address to which the Internal Server IP Address will be NATed.

[Screenshot callouts: "Public IP allocated to Internal Server"; "No need to choose DST/SRC Ports in Basic NAT"]

Step 2: Configure NAT Rule

Provide the Private IP Address of the server and associate the CGNAT pool with it.

[Screenshot callout: "Internal Server Private IP Address"]
Verification-Outbound Session:

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 514 172.16.121.9 8.8.8.8 55107 53 17 Yes No dns 172.16.20.135 8.8.8.8 55107 53
0 2 522 172.16.121.9 23.220.168.116 57961 443 6 Yes No akamai 172.16.20.135 23.220.168.116 57961 443
0 2 523 172.16.121.9 23.220.168.116 57962 443 6 Yes No akamai 172.16.20.135 23.220.168.116 57962 443
0 2 169 172.16.121.9 184.51.49.106 57712 443 6 Yes No http2 172.16.20.135 184.51.49.106 57712 443
0 2 358 172.16.121.9 8.8.8.8 52404 53 17 Yes No dns 172.16.20.135 8.8.8.8 52404 53
0 2 401 172.16.121.9 184.51.49.106 57871 443 6 Yes No http2 172.16.20.135 184.51.49.106 57871 443
0 2 515 172.16.121.9 40.90.23.209 57955 443 6 Yes No windowslive 172.16.20.135 40.90.23.209 57955 443

[ok][2019-07-05 12:34:30]
admin@Hub-Twitter-cli>
Verification-Inbound Session:

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


% No such element exists.
[ok][2019-07-12 08:06:30]

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 13458 10.40.146.204 172.16.20.135 30498 30498 1 Yes No icmp 10.40.146.204 172.16.121.9 30498 30498

[ok][2019-07-05 12:34:30]
admin@Hub-Twitter-cli>

• Versa Basic NAT also automatically creates a bi-directional NAT entry.
• Even though there was no prior NAT session from inside to outside, the Internet user 10.40.146.204 was able to reach the internal host 172.16.121.9 by referring to its static Public IP 172.16.20.135.
• Hence Basic NAT also provides an automatic inbound NAT session.
NAT TYPE 2: Destination NAT
Destination NAT

Internal IP      Public IP/FQDN
172.16.121.9     172.16.20.121 / cnbc.com (www.cnbc.com)

[Diagram: Internet users reach the Web Server 172.16.121.9 in the Data Center via www.cnbc.com over the WAN]

Use Case: When you want your web server to be accessible from the public cloud/Internet
Step 1: Configure NAT pool

In Destination NAT the CGNAT POOL actually refers to the untranslated IP host/network addresses. In most cases these IP addresses are private: they belong to the hosts/servers that sit inside the network and will be accessed publicly via a publicly reachable IP address.

[Screenshot callouts: "Untranslated IP: the actual host sitting inside the network"; "Actual port on which the server is listening"]

Step 2: Configure NAT Rule

Configure the Public IP of the server in "Destination". The port provided here can differ from the port the internal server is actually listening on; FlexVNF takes care of port forwarding as well.

[Screenshot callout: "Public IP where the Internal Server is reached"]
Verification:

The remote user with IP 10.40.146.204 is using http://172.16.20.121:8080, and FlexVNF translates this URL into http://172.16.121.9 (port 80):

admin@Spoke1-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 6474 10.40.146.204 172.16.20.121 51767 8080 6 Yes No http 10.40.146.204 172.16.121.9 51767 80

[ok][2019-07-05 12:34:30]
admin@Spoke1-Twitter-cli>

[Diagram callouts: the Internet user uses http://172.16.20.121:8080; the internal admin can use http://172.16.121.9]
NAT TYPE 3: Dynamic NAT
Dynamic NAT

Internal IP      Public IP/FQDN
172.16.120.9     172.16.20.137
172.16.120.10    172.16.20.136

[Diagram: Remote Site hosts reach disney.com and cnn.com on the Internet over the WAN, each translated to a Public IP from the pool]

Use Case: The internal LAN network gets a temporary NAT via a Public IP pool.
• Please note: Versa Dynamic NAT is not bi-directional in nature.
Step 1: Configure NAT pool

Provide the Public IP pool information in the Range field, or provide an IP address with mask information. The internal LAN subnet will dynamically be NATed from this pool.

Step 2: Configure NAT Rule

Provide the Private IP address of the internal LAN hosts/subnet and associate it with the respective CGNAT pool.

[Screenshot callouts: "LAN Network"; "Pool"]
Verification:

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 3503 172.16.120.9 23.53.254.57 61937 443 6 Yes No disney_channel 172.16.20.137 23.53.254.57 61937 443
0 2 3504 172.16.120.9 23.53.254.57 61938 443 6 Yes No disney_channel 172.16.20.137 23.53.254.57 61938 443
0 2 3469 172.16.120.10 173.223.60.182 61900 443 6 Yes No cnn 172.16.20.136 173.223.60.182 61900 443
0 2 3470 172.16.120.10 173.223.60.182 61901 443 6 Yes No cnn 172.16.20.136 173.223.60.182 61901 443

[ok][2019-07-05 12:34:30]
admin@Hub-Twitter-cli>
NAT TYPE 4: NAPT44
Step 1: Configure NAT pool for Source IP Translation
Step 2: Configure NAT Rule

Provide the Private IP address of the server and associate the CGNAT pool with it.
CGNAT Show commands

admin@ Hilton3 -cli> show orgs org Hilton sessions nat brief
NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 59 172.16.139.50 8.8.8.8 1024 1024 6 Yes No - 172.16.20.172 8.8.8.8 11860 1024
0 2 62 172.16.139.51 8.8.8.8 1024 1024 6 Yes No - 172.16.20.172 8.8.8.8 35396 1024
0 2 63 172.16.139.52 8.8.8.8 1024 1024 6 Yes No - 172.16.20.172 8.8.8.8 17491 1024
NAT TYPE 5: TWICE-Basic-NAT-44
Twice Basic NAT 44

Google DNS Server: 8.8.8.8
Corporate DNS Server: 10.40.146.233

Source IP       Destination IP   Translated Src IP   Translated Dst IP
172.16.120.9    8.8.8.8          172.16.20.135       10.40.146.233

[Diagram: a DNS query from the Remote Site1 host 172.16.120.9 to 8.8.8.8 is translated across the WAN to 172.16.20.135 → 10.40.146.233 and delivered to the Headquarters corporate DNS server]

Use Case: The internal host is still configured to use Google's DNS servers, but its traffic is automatically redirected to the corporate DNS server.
Step 1: Configure NAT pool for Source IP Translation

Provide the Public IP address to which the internal web server will be NATed.

Step 2: Configure NAT pool for Destination IP Translation

Provide the Public IP address of the destination host.

Step 3: Configure NAT Rule

Provide the Source (internal host IP) and Destination IP (the destination IP the internal host is actually using) address information. Choose the "twice-basic-nat-44" option and select the respective src/dst pools.
Verification-Outbound Session:

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 41161 172.16.120.9 8.8.8.8 1 1 1 Yes No icmp 172.16.20.135 10.40.146.233 1 1
[ok][2019-07-05 12:34:30]
admin@Hub-Twitter-cli>
NAT TYPE 6: TWICE-Dynamic-NAT-44
Twice Dynamic NAT 44

Google DNS Server: 8.8.8.8
Corporate DNS Server: 10.40.146.233

Source IP       Destination IP   Translated Src IP   Translated Dst IP
172.16.120.9    8.8.8.8          172.16.20.135       10.40.146.233
172.16.120.10   8.8.8.8          172.16.20.136       10.40.146.233

[Diagram: DNS queries from the Remote Site1 hosts 172.16.120.9 and 172.16.120.10 to 8.8.8.8 are translated across the WAN to 172.16.20.135 / 172.16.20.136 → 10.40.146.233 and delivered to the Headquarters corporate DNS server]

Use Case: The internal host pool is still configured to use Google's DNS servers, but its traffic is automatically redirected to the corporate DNS server.

• Please note: Versa Dynamic NAT 44 is not bi-directional in nature.

Step 1: Configure NAT pool for Source IP Translation

Provide the Public IP pool information in the Range field, or provide an IP address with mask information. The internal LAN subnet (the source field of the IP packet) will dynamically be NATed from this pool.

Step 2: Configure NAT pool for Destination IP Translation

Provide the Public IP address of the destination host.

Step 3: Configure NAT Rule

Provide the Source and Destination IP address information. Choose the "twice-dynamic-nat-44" option and select the respective src/dst pools.
Verification-Outbound Session:

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 47733 172.16.120.9 8.8.8.8 1 1 1 Yes No icmp 172.16.20.135 10.40.146.233 1 1
0 2 47732 172.16.120.10 8.8.8.8 1 1 1 Yes No icmp 172.16.20.136 10.40.146.233 1 1

[ok][2019-07-05 12:34:30]
admin@Hub-Twitter-cli>
NAT TYPE 7: TWICE-NAPT-44
Twice NAPT 44

Google DNS Server: 8.8.8.8
Corporate DNS Server: 10.40.146.233

Source IP       Destination IP   Translated Src IP   Translated Dst IP
172.16.120.9    8.8.8.8          172.16.20.135       10.40.146.233

[Diagram: a DNS query from the Remote Site1 host 172.16.120.9 to 8.8.8.8 is translated across the WAN to 172.16.20.135 → 10.40.146.233 and delivered to the Headquarters corporate DNS server]

Use Case: The internal host is still configured to use Google's DNS servers, but its traffic is automatically redirected to the corporate DNS server.

• Please note: Versa Twice NAPT 44 is not bi-directional in nature.


Step 1: Configure NAT pool for Source IP Translation
Step 2: Configure NAT pool for Destination IP Translation
Step 3: Configure NAT Rule
Verification-Outbound Session:

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief


NAT NAT NAT
VSN VSN SESS DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 2 15478 172.16.120.9 8.8.8.8 1 1 1 Yes No icmp 172.16.20.135 10.40.146.233 51428 51428

[ok][2019-07-05 12:34:30]
admin@Hub-Twitter-cli>
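To close the verification sections above (Basic, Destination, Dynamic, NAPT44 and the three twice-NAT outputs), here is an added Python helper, not part of this deck or of Versa's tooling, that parses the rows of "show orgs org <org> sessions nat brief", names the NAT type each row is evidence of from which fields changed, and checks that 1:1 mappings agree with the Internal IP → Public IP tables in the deck. The sample rows are copied from the outputs above; the column order is assumed from those outputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class NatSession:
    sess_id: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    natted: bool
    application: str
    nat_src_ip: str
    nat_dst_ip: str
    nat_src_port: int
    nat_dst_port: int


def parse_nat_brief(output: str) -> List[NatSession]:
    """Parse the data rows of 'show orgs org <org> sessions nat brief'.

    Header lines, the dashed separator, prompts, '[ok]' stamps and the
    '% No such element exists.' reply are skipped; each data row has 15
    whitespace-separated columns in the order shown in the deck (assumed).
    """
    sessions = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 15 or not (f[0].isdigit() and f[2].isdigit()):
            continue
        sessions.append(NatSession(
            sess_id=int(f[2]), src_ip=f[3], dst_ip=f[4],
            src_port=int(f[5]), dst_port=int(f[6]), protocol=int(f[7]),
            natted=(f[8] == "Yes"), application=f[10],
            nat_src_ip=f[11], nat_dst_ip=f[12],
            nat_src_port=int(f[13]), nat_dst_port=int(f[14])))
    return sessions


def classify(s: NatSession) -> str:
    """Name the NAT type a session row is evidence of, from what changed.
    Basic and Dynamic NAT both show a 1:1 address swap with ports kept, so a
    single row cannot tell them apart."""
    src_changed = s.src_ip != s.nat_src_ip
    dst_changed = s.dst_ip != s.nat_dst_ip or s.dst_port != s.nat_dst_port
    sport_changed = s.src_port != s.nat_src_port
    if src_changed and dst_changed:
        return "twice-napt-44" if sport_changed else "twice-basic-or-dynamic-nat-44"
    if src_changed:
        return "napt44" if sport_changed else "basic-or-dynamic-nat-44"
    if dst_changed:
        return "destination-nat"
    return "no-translation"


def check_static_mapping(sessions: List[NatSession],
                         expected: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Verify 1:1 mappings (internal IP -> public IP) like the tables in the deck.
    Returns (session id, internal IP, observed NAT source IP) for every row whose
    outbound translation disagrees with the expected public address."""
    bad = []
    for s in sessions:
        want = expected.get(s.src_ip)
        if want is not None and s.nat_src_ip != want:
            bad.append((s.sess_id, s.src_ip, s.nat_src_ip))
    return bad


# Constructed sample: one row per NAT type, copied from the show outputs above,
# plus the empty reply seen before the first inbound Basic NAT session.
SAMPLE_OUTPUT = """
admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief
% No such element exists.
[ok][2019-07-12 08:06:30]
VSN VSN SESS SOURCE DESTINATION SOURCE DESTINATION NAT SOURCE DESTINATION SOURCE DESTINATION
ID VID ID SOURCE IP IP PORT PORT PROTOCOL NATTED SDWAN APPLICATION IP IP PORT PORT
------------------------------------------------------------------------------------------
0 2 514 172.16.121.9 8.8.8.8 55107 53 17 Yes No dns 172.16.20.135 8.8.8.8 55107 53
0 2 6474 10.40.146.204 172.16.20.121 51767 8080 6 Yes No http 10.40.146.204 172.16.121.9 51767 80
0 2 59 172.16.139.50 8.8.8.8 1024 1024 6 Yes No - 172.16.20.172 8.8.8.8 11860 1024
0 2 41161 172.16.120.9 8.8.8.8 1 1 1 Yes No icmp 172.16.20.135 10.40.146.233 1 1
0 2 15478 172.16.120.9 8.8.8.8 1 1 1 Yes No icmp 172.16.20.135 10.40.146.233 51428 51428
[ok][2019-07-05 12:34:30]
"""

if __name__ == "__main__":
    rows = parse_nat_brief(SAMPLE_OUTPUT)
    for r in rows:
        print(r.sess_id, r.src_ip, "->", r.nat_src_ip, classify(r))
    print("mapping violations:",
          check_static_mapping(rows, {"172.16.121.9": "172.16.20.135"}))
```

Feeding it the real CLI output from a device gives a quick audit of whether the pools do what the slides claim: a Basic NAT host must always show the same NAT source IP with ports untouched, an NAPT row must show a changed source port, and a twice-NAT row must show both addresses rewritten. Any row that classifies as "no-translation" while NATTED is Yes is worth a closer look.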
Thank You
