Source NAT

We are setting up source NAT, and the idea was to use the ve IP addresses of the associated VLAN as the source NAT addresses in the pool.

I swear we had it set up like this in version 2.7.2P6, but since the upgrade it says we cannot use the ve interface IP address as the source NAT address in a pool.

Is there any way of using the interface address as the source NAT address now? Just trying to keep the number of IP addresses used down.

Comments

  • mdunn Member, A10ers

    Hello -

    This should be possible with "Smart NAT" which will use the interface IP or VRRP Floating IP. Per admin guide:

    Smart NAT provides source NAT for virtual ports. The IP addresses that Smart NAT uses to create the mappings depend on whether VRRP-A high availability is enabled and floating-IP addresses are configured:

    • With VRRP-A high availability – If VRRP-A high availability is configured, Smart NAT uses configured floating IP addresses as NAT addresses.

    • Without VRRP-A high availability – If VRRP-A high availability is not configured, then Smart NAT uses IP address(es) on the ACOS interface connected to the real server.

    The configuration is applied to the VPORT with "source nat auto" command.


    Mike

  • salman210 Member

    My configuration is as below; kindly let me know what I am missing.

    !
    access-list 111 permit ip 10.0.0.0 0.255.255.255 any
    !
    access-list 111 permit ip 192.168.0.0 0.0.255.255 any
    !
    interface ethernet 2
     name "ISP 1"
     enable
     ip address 100.100.101.1 255.255.255.224
     ip nat outside
     exit-module
    !
    interface ethernet 3
     name "ISP 2"
     enable
     ip address 100.100.102.1 255.255.255.224
     ip nat outside
     exit-module
    !
    interface ethernet 4
     name "ISP 3"
     enable
     ip address 100.100.103.1 255.255.255.224
     ip nat outside
     exit-module
    !
    !
    ip nat pool SNAT_ISP1 100.100.101.2 100.100.101.2 netmask /29 gateway 100.100.100.254
    !
    ip nat pool SNAT_ISP2 100.100.102.2 100.100.102.2 netmask /29 gateway 100.100.100.253
    !
    ip nat pool SNAT_ISP3 100.100.103.2 100.100.103.2 netmask /29 gateway 100.100.100.252
    !
    ip nat pool-group LLB2
     member SNAT_ISP1 SNAT_ISP2 SNAT_ISP3
     exit-module
    !
    slb virtual-server INTERNET 0.0.0.0 acl 111
     extended-stats
     port 0 tcp
      clientip-sticky-nat
      source-nat pool LLB2
      service-group IPV4_0
      use-rcv-hop-for-resp
      template persist destination-ip dstpersist
      no-dest-nat
      exit-module
     port 0 udp
      clientip-sticky-nat
      source-nat pool LLB2
      service-group IPV4_1
      use-rcv-hop-for-resp
      template persist destination-ip dstpersist
      no-dest-nat
      exit-module
     port 0 others
      clientip-sticky-nat
      source-nat pool LLB2
      service-group IPV4_0
      use-rcv-hop-for-resp
      template persist destination-ip dstpersist
      no-dest-nat
      exit-module
     exit-module

    In the CLI, when I ping 8.8.8.8 using source interface ethernet 2, 3 and 4, I can ping 8.8.8.8,
    but when I use the SNAT IP as the source:

    ping source 100.100.101.2 8.8.8.8 (no response)
    ping source 100.100.102.2 8.8.8.8 (no response)
    ping source 100.100.103.2 8.8.8.8 (no response)

    Thanks,

  • mdunn Member, A10ers

    I don't believe testing with a ping source IP of a NAT pool is a valid option. You may wish to execute that command while running axdebug to see what's being sent / received.

    Overall, your config looks correct. I don't see an "inside" interface configured, but I assume that's planned. However, you need not configure inside / outside NAT interfaces unless you're using "snat-on-vip".

  • salman210 Member

    Users are unable to reach the internet.

    Trace shows traffic is going to the A10; after that * * *

  • salman210 Member

    All my ISP interfaces are access ports.

  • mdunn Member, A10ers

    So it appears you're looking to run NHLD. A few thoughts:

    Do you have "ip allow-promiscuous-vip" configured on your inside interface?

    Do your slb servers, service-groups, and VIP show UP status?

    Also, in my configs and also the admin guide, the NAT pools do not have a gateway defined. You may wish to try removing that.

  • salman210 Member

    Yes, ip allow-promiscuous-vip is enabled on the inside interface.

    Yes, the status shows UP.

    Can you share any config example, please?

  • mdunn Member, A10ers

    Here's a lab config I've used. In this instance, 192.168.1.x was inside, 10.x.x.x was outside.

    I do see in your config the following, which is incorrect syntax (at least in version 4.x). Pool group members should be one per line. What version are you running?

    ip nat pool-group LLB2 
     member SNAT_ISP1 SNAT_ISP2 SNAT_ISP3
     exit-module
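As an added check (my own Python, not ACOS or A10 code), the script below parses a constructed config modelled on the one posted earlier in this thread and flags the two points raised here: a pool-group member line listing several pools, and NAT pools carrying a gateway option. It also applies one assumption of mine, that each pool's address range should fall inside the subnet of an interface marked ip nat outside.

```python
import ipaddress
import re

# Constructed sample modelled on the config posted above (not the poster's full config):
# ethernet 2/3 are outside links, SNAT_ISP3 has no matching outside interface.
SAMPLE_CONFIG = """\
interface ethernet 2
 ip address 100.100.101.1 255.255.255.224
 ip nat outside
interface ethernet 3
 ip address 100.100.102.1 255.255.255.224
 ip nat outside
interface ethernet 4
 ip address 192.168.4.131 255.255.255.248
 ip nat inside
ip nat pool SNAT_ISP1 100.100.101.2 100.100.101.2 netmask /29 gateway 100.100.100.254
ip nat pool SNAT_ISP2 100.100.102.2 100.100.102.2 netmask /29
ip nat pool SNAT_ISP3 100.100.103.2 100.100.103.2 netmask /29
ip nat pool-group LLB2
 member SNAT_ISP1 SNAT_ISP2 SNAT_ISP3
"""

def outside_subnets(cfg):
    """Subnets of every interface that carries 'ip nat outside'."""
    nets, cur = [], None
    for line in cfg.splitlines():
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)
        if line.startswith("interface"):
            cur = None
        elif m:
            cur = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif line.strip() == "ip nat outside" and cur is not None:
            nets.append(cur)
    return nets

def check_config(cfg):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings, nets = [], outside_subnets(cfg)
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+)(.*)$", cfg, re.M):
        name, first, last, rest = m.groups()
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(a in n and b in n for n in nets):  # assumed sanity check
            findings.append(f"{name}: {first}-{last} is not inside any 'ip nat outside' subnet")
        if "gateway" in rest:  # the guide's pool examples define no gateway
            findings.append(f"{name}: has a gateway option; try removing it")
    for m in re.finditer(r"^ member (.+)$", cfg, re.M):
        if len(m.group(1).split()) > 1:  # ACOS 4.x expects one member per line
            findings.append("pool-group member line lists several pools; use one 'member' per line")
    return findings
```

Running check_config on the sample reports three findings: the gateway on SNAT_ISP1, SNAT_ISP3 sitting outside every outside-interface subnet, and the multi-pool member line.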
    


  • salman210 Member

    version 4.1.0-P7, build 10

  • salman210 Member

    Users still cannot browse the internet.

  • mdunn Member, A10ers

    At this point I would suggest packet captures to validate the behavior of the A10 and/or contacting A10 Support for assistance. Seems that there is some other environment specific issue at play here.

  • mdunn Member, A10ers

    Reviewing the captures, it appears that all of your TCP SYN packets have the same 2 destination IPs, and we never receive a SYN ACK from either of them. Also, I see no traffic with a destination port of 80 or 443.

    The IPs do not align with the config you initially posted, so some of the context is lost.

  • salman210 Member

    What could be a reason for not receiving a SYN ACK?

  • salman210 Member
    edited January 2020

    !Configuration last saved at 17:43:31 AST Thu Jan 30 2020
    !64-bit Advanced Core OS (ACOS) version 4.1.0-P7, build 10 (Oct-29-2016,00:54)
    !
    access-list 111 permit ip 10.0.0.0 0.255.255.255 any
    !
    access-list 111 permit ip 192.168.0.0 0.0.255.255 any
    !
    multi-config enable
    !
    terminal idle-timeout 60
    !
    ip dns primary 8.8.8.8
    !
    ip nat translation service-timeout udp 53 fast
    !
    vlan 2740
     untagged ethernet 1
     router-interface ve 2740
    interface management
     ip address 192.168.0.36 255.255.255.0
     ip default-gateway 192.168.0.254
     enable
    !
    interface ethernet 1
     name "STC Link2"
     enable
    !
    interface ethernet 2
     name "MOBILY Link2"
     enable
     ip address 86.51.170.35 255.255.255.224
     ip nat outside
    !
    interface ethernet 3
     name "KACST Link2"
     enable
     ip address 212.26.63.179 255.255.255.248
     ip nat outside
    !
    interface ethernet 4
     name "A10 LAN PRI"
     enable
     ip address 192.168.4.131 255.255.255.248
     ip nat inside
    !
    interface ethernet 5
    !
    interface ethernet 6
    !
    interface ethernet 7
    !
    interface ve 2740
     ip address 37.224.22.164 255.255.255.240
    !
    !
    ip nat pool SNAT_KACST_Link 212.26.63.180 212.26.63.180 netmask /29 gateway 212.26.63.177
    !
    ip nat pool SNAT_POOL_MOBILY 86.51.170.36 86.51.170.36 netmask /27 gateway 86.51.170.33
    !
    ip nat pool STC_SNAT_POOL 37.224.22.165 37.224.22.165 netmask /29 gateway 37.224.22.161
    !
    ip nat pool-group LLB2
     member SNAT_KACST_Link
     member SNAT_POOL_MOBILY
     member STC_SNAT_POOL
    !
    ip nat inside source static 192.168.4.133 37.224.22.172
    !
    !
    ip route 0.0.0.0 /0 37.224.22.161
    !
    ip route 10.1.52.0 /24 192.168.4.133
    !
    health monitor ping
    !
    slb template persist destination-ip dstpersist
    !
    slb template persist source-ip SRpersistent
    !
    slb template port KACST
     source-nat SNAT_KACST_Link
    !
    slb template port STC
     source-nat STC_SNAT_POOL
    !
    slb template port Mobily
     source-nat SNAT_POOL_MOBILY
    !
    slb server KACST_Link 212.26.63.177
     health-check ping
     weight 2
     port 0 udp
      health-check-disable
     port 0 tcp
      health-check-disable
    !
    slb server MOBILY_LINK 86.51.170.33
     health-check ping
     port 0 tcp
      health-check-disable
     port 0 udp
      health-check-disable
    !
    slb server STC_Link 37.224.22.161
     health-check ping
     weight 3
     port 0 tcp
      health-check-disable
     port 0 udp
      health-check-disable
    !
    slb service-group IPV4_0 tcp
     method weighted-least-connection
     health-check ping
     member KACST_Link 0
      template KACST
     member MOBILY_LINK 0
      template Mobily
     member STC_Link 0
      template STC
    !
    slb service-group IPV4_1 udp
     method weighted-least-connection
     health-check ping
     member KACST_Link 0
      template KACST
     member MOBILY_LINK 0
      template Mobily
     member STC_Link 0
      template STC
    !
    slb virtual-server INTERNET 0.0.0.0 acl 111
     extended-stats
     port 0 tcp
      clientip-sticky-nat
      source-nat pool LLB2
      service-group IPV4_0
      use-rcv-hop-for-resp
      template persist destination-ip dstpersist
      no-dest-nat
     port 0 udp
      clientip-sticky-nat
      source-nat pool LLB2
      service-group IPV4_1
      use-rcv-hop-for-resp
      template persist destination-ip dstpersist
      no-dest-nat
     port 0 others
      clientip-sticky-nat
      source-nat pool LLB2
      service-group IPV4_0
      use-rcv-hop-for-resp
      template persist destination-ip dstpersist
      no-dest-nat
    !
    end

  • mdunn Member, A10ers

    There are many possibilities for why the SYN ACK would not return. However, I think the bigger issue is that the A10 is not receiving any packets from either 10.0.0.0/8 or 192.168.0.0/16 networks. Do you have any hits on the ACLs?

    Is there a NAT before the A10 or some strange routing?

  • salman210 Member

    The A10 is the main device doing NAT.

    There is no edge firewall.

    How can I run debug on the A10 or check ACL hits?

  • mdunn Member, A10ers

    ACL hits: show access-list

    Debugging: axdebug

    I would suggest using the "?" within axdebug to see the commands for filters etc.

  • SRC-PRI-A10-Active#sh access-list

    access-list 111 4 permit ip 10.0.0.0 0.255.255.255 any Data plane hits: 0
    access-list 111 8 permit ip 192.168.0.0 0.0.255.255 any Data plane hits: 0

  • mdunn Member, A10ers

    This confirms that the A10 is not receiving traffic from those address spaces. It seems like traffic routing may not be acting as expected.
