Source nat

We are setting up source NAT and the idea was to use the ve IP addresses for the associated vlan as the source NAT address in the pool.


I swear we had it setup like this in version 2.7.2P6. but since the upgrade it says we can not use the ve interface IP address as the source nat address in a pool.


Is there anyway of using the interface address as the source NAT now? Just trying to keep the number of IP addresses used down.

Comments

  • mdunnmdunn Member

    Hello -

    This should be possible with "Smart NAT" which will use the interface IP or VRRP Floating IP. Per admin guide:

    Smart NAT provides source NAT for virtual ports. The IP addresses that Smart NAT uses to create the mappings depend on whether VRRP-A high availability is enabled and floating-IP addresses are configured:

    • With VRRP-A high availability – If VRRP-A high availability is configured, Smart NAT uses configured floating IP addresses as NAT addresses.

    • Without VRRP-A high availability – If VRRP-A high availability is not configured, then Smart NAT uses IP address(es) on the ACOS interface connected to the real server.

    The configuration is applied to the VPORT with "source nat auto" command.


    Mike

  • salman210salman210 Member

    my configuration is as below, kindly let me know what i am missing.

    !

    access-list 111 permit ip 10.0.0.0 0.255.255.255 any 

    !

    access-list 111 permit ip 192.168.0.0 0.0.255.255 any 

    !

    interface ethernet 2 

     name "ISP 1"

     enable 

     ip address 100.100.101.1 255.255.255.224 

     ip nat outside 

     exit-module

    !

    interface ethernet 3 

     name "ISP 2" 

     enable 

     ip address 100.100.102.1 255.255.255.224 

     ip nat outside 

     exit-module

    !

    interface ethernet 4 

     name "ISP 3" 

     enable 

      ip address 100.100.103.1 255.255.255.224 

     ip nat outside 

     exit-module

    !

    !

    ip nat pool SNAT_ISP1 100.100.101.2 100.100.101.2 netmask /29 gateway 100.100.100.254 

    !

    ip nat pool SNAT_ISP2 100.100.102.2 100.100.102.2 netmask /29 gateway 100.100.100.253 

    !

    ip nat pool SNAT_ISP3 100.100.103.2 100.100.103.2 netmask /29 gateway 100.100.100.252 

    !

    ip nat pool-group LLB2 

     member SNAT_ISP1  SNAT_ISP2 SNAT_ISP3

     exit-module


    !

    slb virtual-server INTERNET 0.0.0.0 acl 111 

     extended-stats 

     port 0 tcp 

      clientip-sticky-nat 

      source-nat pool LLB2 

      service-group IPV4_0 

      use-rcv-hop-for-resp 

      template persist destination-ip dstpersist 

      no-dest-nat 

      exit-module

     port 0 udp 

      clientip-sticky-nat 

      source-nat pool LLB2 

      service-group IPV4_1 

      use-rcv-hop-for-resp 

      template persist destination-ip dstpersist 

      no-dest-nat 

      exit-module

     port 0 others 

      clientip-sticky-nat 

      source-nat pool LLB2 

      service-group IPV4_0 

      use-rcv-hop-for-resp 

      template persist destination-ip dstpersist 

      no-dest-nat 

      exit-module

     exit-module

    in the CLI when i ping 8.8.8.8 using source interface ethernet 2,3 and 4 i can ping 8.8.8.8

    but when i use source snap ip

    ping source 100.100.101.2 8.8.8.8 (no response)

    ping source 100.100.102.2 8.8.8.8 (no response)

    ping source 100.100.103.2 8.8.8.8 (no response)



    Thanks,

  • mdunnmdunn Member

    I don't believe testing with a ping source IP of a NAT pool is a valid option. You may wish to execute that command while running axdebug to see what's being sent / received.

    Overall, your config looks correct. I don't see an "inside" interface configured, but I assume that's planned. However, you need not configure inside / outside NAT interfaces unless you're using "snat-on-vip".

  • salman210salman210 Member

    users are unable to reach internet

    trace shows traffic is going to A10 after that * * *

  • salman210salman210 Member

    All my ISP interface are access ports

  • mdunnmdunn Member

    So it appears you're looking to run NHLD. A few thoughts:

    Do you have "ip allow-promiscuous-vip" configured on your inside interface?

    Do your slb servers, service-groups, and VIP show UP status?

    Also, in my configs and also the admin guide, the NAT pools do not have a gateway defined. You may wish to try removing that.

  • salman210salman210 Member

    Yes ip allow-promiscuous-vip is enable on inside interface

    yes the status shows up

    can you share any config example please?

  • mdunnmdunn Member

    Here's a lab config I've used. In this instance, 192.168.1.x was inside, 10.x.x.x was outside.

    I do see in your config the following, which is incorrect syntax (at least in version 4.x). Pool group members should be one per line. What version are you running?

    ip nat pool-group LLB2 
     member SNAT_ISP1 SNAT_ISP2 SNAT_ISP3
     exit-module
    


  • salman210salman210 Member

    version 4.1.0-P7, build 10

  • salman210salman210 Member

    still users traffic cannot browse internet

  • mdunnmdunn Member

    At this point I would suggest packet captures to validate the behavior of the A10 and/or contacting A10 Support for assistance. Seems that there is some other environment specific issue at play here.

  • mdunnmdunn Member

    Reviewing the captures, it appears that all of your TCP SYN packets have the same 2 destination IP's, and we never receive a SYN ACK from either of them. Also, I see no traffic with a destination port of 80 or 443.

    The IP's do not align with the config you initially posted, so some of the context is lost.

  • salman210salman210 Member

    what could be a reason for not receiving SYN ACK?

  • salman210salman210 Member
    edited January 30

    !Configuration last saved at 17:43:31 AST Thu Jan 30 2020

    !64-bit Advanced Core OS (ACOS) version 4.1.0-P7, build 10 (Oct-29-2016,00:54)

    !

    access-list 111 permit ip 10.0.0.0 0.255.255.255 any

    !

    access-list 111 permit ip 192.168.0.0 0.0.255.255 any

    !

    multi-config enable

    !

    terminal idle-timeout 60

    !

    ip dns primary 8.8.8.8

    !

    ip nat translation service-timeout udp 53 fast

    !

    vlan 2740

     untagged ethernet 1

     router-interface ve 2740

    interface management

     ip address 192.168.0.36 255.255.255.0

     ip default-gateway 192.168.0.254

     enable

    !

    interface ethernet 1

     name "STC Link2"

     enable

    !

    interface ethernet 2

     name "MOBILY Link2"

     enable

     ip address 86.51.170.35 255.255.255.224

     ip nat outside

    !

    interface ethernet 3

     name "KACST Link2"

     enable

     ip address 212.26.63.179 255.255.255.248

     ip nat outside

    !

    interface ethernet 4

     name "A10 LAN PRI"

     enable

     ip address 192.168.4.131 255.255.255.248

     ip nat inside

    !

    interface ethernet 5

    !

    interface ethernet 6

    !

    interface ethernet 7

    !

    interface ve 2740

     ip address 37.224.22.164 255.255.255.240

    !

    !

    ip nat pool SNAT_KACST_Link 212.26.63.180 212.26.63.180 netmask /29 gateway 212.26.63.177

    !

    ip nat pool SNAT_POOL_MOBILY 86.51.170.36 86.51.170.36 netmask /27 gateway 86.51.170.33

    !

    ip nat pool STC_SNAT_POOL 37.224.22.165 37.224.22.165 netmask /29 gateway 37.224.22.161

    !

    ip nat pool-group LLB2

     member SNAT_KACST_Link

     member SNAT_POOL_MOBILY

     member STC_SNAT_POOL

    !

    ip nat inside source static 192.168.4.133 37.224.22.172

    !

    !

    ip route 0.0.0.0 /0 37.224.22.161

    !

    ip route 10.1.52.0 /24 192.168.4.133

    !

    health monitor ping

    !

    slb template persist destination-ip dstpersist

    !

    slb template persist source-ip SRpersistent

    !

    slb template port KACST

     source-nat SNAT_KACST_Link

    !

    slb template port STC

     source-nat STC_SNAT_POOL

    !

    slb template port Mobily

     source-nat SNAT_POOL_MOBILY

    !

    slb server KACST_Link 212.26.63.177

     health-check ping

     weight 2

     port 0 udp

      health-check-disable

     port 0 tcp

      health-check-disable

    !

    slb server MOBILY_LINK 86.51.170.33

     health-check ping

     port 0 tcp

      health-check-disable

     port 0 udp

      health-check-disable

    !

    slb server STC_Link 37.224.22.161

     health-check ping

     weight 3

     port 0 tcp

      health-check-disable

     port 0 udp

      health-check-disable

    !

    slb service-group IPV4_0 tcp

     method weighted-least-connection

     health-check ping

     member KACST_Link 0

      template KACST

     member MOBILY_LINK 0

      template Mobily

     member STC_Link 0

      template STC

    !

    slb service-group IPV4_1 udp

     method weighted-least-connection

     health-check ping

     member KACST_Link 0

      template KACST

     member MOBILY_LINK 0

      template Mobily

     member STC_Link 0

      template STC

    !

    slb virtual-server INTERNET 0.0.0.0 acl 111

     extended-stats

     port 0 tcp

      clientip-sticky-nat

      source-nat pool LLB2

      service-group IPV4_0

      use-rcv-hop-for-resp

      template persist destination-ip dstpersist

      no-dest-nat

     port 0 udp

      clientip-sticky-nat

      source-nat pool LLB2

      service-group IPV4_1

      use-rcv-hop-for-resp

      template persist destination-ip dstpersist

      no-dest-nat

     port 0 others

      clientip-sticky-nat

      source-nat pool LLB2

      service-group IPV4_0

      use-rcv-hop-for-resp

      template persist destination-ip dstpersist

      no-dest-nat

    !

    end

  • mdunnmdunn Member

    There are many possibilities for why the SYN ACK would not return. However, I think the bigger issue is that the A10 is not receiving any packets from either 10.0.0.0/8 or 192.168.0.0/16 networks. Do you have any hits on the ACLs?

    Is there a NAT before the A10 or some strange routing?

  • salman210salman210 Member

    A10 is the main device to do NAT

    there is no egde firewall

    How can i run debug in A10 or check acl hits?

  • mdunnmdunn Member

    ACL hits: show access-list

    Debugging: axdebug

    I would suggest using the "?" within axdebug to see the commands for filters etc.

  • salman210salman210 Member

    SRC-PRI-A10-Active#sh access-list

    access-list 111 4 permit ip 10.0.0.0 0.255.255.255 any Data plane hits: 0

    access-list 111 8 permit ip 192.168.0.0 0.0.255.255 any Data plane hits: 0

  • mdunnmdunn Member

    This confirms that the A10 is not receiving traffic from those address spaces. It seems like traffic routing may not be acting as expected.

Sign In or Register to comment.