Static NAT

Hello!

I would like to ask for your help. I have a Thunder performing the NHLD function with two ISPs and 3 published sites. Internet browsing and the published sites work correctly, but there is a NAT from one of the ISPs to a private (LAN) IP address; this NAT is used for an SSL VPN connection on a firewall.

I have tried configuring static NAT, a NAT pool, and a server with the IP of the destination, but with none of these options do the requests reach the VPN on the firewall: the firewall itself was reachable, but not the SSL VPN on it.

This is the configuration


!64-bit Advanced Core OS (ACOS) version 5.2.1-P9, build 72 (Nov-28-2023,00:39)
!
! VRRP-A / VCS pair. The common block carries device-id 2, so this dump was
! apparently taken from the second VCS member (device-context 2 below).
vrrp-a common
device-id 2
set-id 1
enable
exit-module
!
vcs enable
!
device-context 1
vcs enable
!
device-context 2
vcs enable
!
! VCS floating IP sits in the management subnet (172.1.1.0/24), alongside the
! per-device management addresses configured further down.
vcs floating-ip 172.1.1.221 255.255.255.0
!
vcs device 1
priority 125
interfaces management
enable
exit-module
!
vcs device 2
priority 100
interfaces management
enable
exit-module
!
! AAA order: local, then RADIUS, then LDAP. "login privilege-mode" lands every
! successfully authenticated session directly in privileged mode, so any account
! accepted by RADIUS/LDAP gets full CLI access - confirm that is intended.
authentication type local radius ldap
authentication login privilege-mode
authentication mode multiple
!
authentication console type local radius ldap

!
multi-config enable
!
! Primary resolver is public (1.1.1.1); secondary is an internal host in the
! management subnet. The link-probe template below resolves a hostname, so DNS
! reachability from the data plane matters for NHLD health.
ip dns primary 1.1.1.1
!
ip dns secondary 172.1.1.202
!
ip nat-global reset-idle-tcp-conn
! VLAN / port mapping, mirrored on both VCS devices:
!   ethernet 2 -> VLAN 4089 (ISP1)  -> ve 4089
!   ethernet 3 -> VLAN 4091 (ISP2)  -> ve 4091
!   ethernet 1 -> VLAN 4094 (LAN)   -> ve 4094
vlan 1/4089
untagged ethernet 2
router-interface ve 4089
name VLAN_ISP1
exit-module
!
vlan 1/4091
untagged ethernet 3
router-interface ve 4091
name VLAN_ISP2
exit-module
!
vlan 1/4094
untagged ethernet 1
router-interface ve 4094
name VLAN_LAN
exit-module
!
! Device 2: same layout as device 1.
vlan 2/4089
untagged ethernet 2
router-interface ve 4089
name VLAN_ISP1
exit-module
!
vlan 2/4091
untagged ethernet 3
router-interface ve 4091
name VLAN_ISP2
exit-module
!
vlan 2/4094
untagged ethernet 1
router-interface ve 4094
name VLAN_LAN
exit-module
! Empty vrid 0 stub; the floating IPs and priorities for vrid 0 are set in the
! second "vrrp-a vrid 0" block later in the file.
vrrp-a vrid 0
exit-module
!
device-context 1
hostname thunder1
!
device-context 2
hostname thunder2
!
device-context 1
timezone America/Swift_Current
!
device-context 2
timezone America/Swift_Current
!
! Out-of-band management: .218 (device 1) and .219 (device 2) in 172.1.1.0/24,
! same subnet as the VCS floating IP.
device-context 1
interface management
ip address 172.1.1.218 255.255.255.0
ip default-gateway 172.1.1.1
exit-module
!
device-context 2
interface management
ip address 172.1.1.219 255.255.255.0
ip default-gateway 172.1.1.1
exit-module
! Device 1 data ports: only 1/1 (LAN), 1/2 (ISP1) and 1/3 (ISP2) are enabled.
! Note that device 1 has no "ip nat inside/outside" on its physical ports,
! while device 2 below has them on 2/1 and 2/2 - the two VCS members are not
! configured identically here; worth confirming which is intended.
interface ethernet 1/1
enable
exit-module
!
interface ethernet 1/2
enable
exit-module
!
interface ethernet 1/3
enable
exit-module
!
interface ethernet 1/4
exit-module
!
interface ethernet 1/5
exit-module
!
interface ethernet 1/6
exit-module
!
interface ethernet 1/7
exit-module
!
interface ethernet 1/8
exit-module
!
interface ethernet 1/9
exit-module
!
interface ethernet 1/10
exit-module
!
interface ethernet 1/11
exit-module
!
interface ethernet 1/12
exit-module
!
interface ethernet 1/13
exit-module
!
! Device 2 data ports. 2/1 (LAN) is marked NAT inside and 2/2 (ISP1) NAT
! outside; 2/3 (ISP2) carries no NAT role at the physical level.
interface ethernet 2/1
enable
ip nat inside
exit-module
!
interface ethernet 2/2
enable
ip nat outside
exit-module
!
interface ethernet 2/3
enable
exit-module
!
interface ethernet 2/4
exit-module
!
interface ethernet 2/5
exit-module
!
interface ethernet 2/6
exit-module
!
interface ethernet 2/7
exit-module
!
interface ethernet 2/8
exit-module
!
interface ethernet 2/9
exit-module
!
interface ethernet 2/10
exit-module
!
interface ethernet 2/11
exit-module
!
interface ethernet 2/12
exit-module
!
interface ethernet 2/13
exit-module
! ISP1 uplink, device 1. 250.14.30.8/27 is this interface's own address, yet
! the same address is also declared as a NAT pool ("pool_ISP2", second
! definition) further down - check that the pool and the interface IP do not
! overlap.
interface ve 1/4089
ip address 250.14.30.8 255.255.255.224

ip nat outside

exit-module
!
! ISP2 uplink, device 1. Unlike ve 4089 there is no "ip nat outside" here,
! on either device.
interface ve 1/4091
ip address 240.13.31.9 255.255.255.240
exit-module
!
! LAN side, device 1. The second octet (170.) differs from device 2 (172.116.151.140),
! the LAN floating IP (172.116.151.141) and every SLB server (172.116.151.x).
! If this is not a paste/anonymisation artefact, device 1 is not on the LAN subnet
! at all and reaches 172.116.151.130 only via a default route.
interface ve 1/4094
ip address 170.116.151.139 255.255.255.0
ip allow-promiscuous-vip

ip nat inside
exit-module
!
interface ve 2/4089
ip address 250.14.30.9 255.255.255.224
ip nat outside
exit-module
!
interface ve 2/4091
ip address 240.13.31.10 255.255.255.240
exit-module
!
! LAN side, device 2. allow-promiscuous-vip is what lets the wildcard
! VS_GW 0.0.0.0 VIP below accept traffic for any destination from the LAN.
interface ve 2/4094
ip address 172.116.151.140 255.255.255.0
ip allow-promiscuous-vip
ip nat inside
exit-module
!
! Floating IPs for vrid 0: .141 on the LAN, .11 on ISP1, .11 on ISP2.
! Device 1 (priority 150) is preferred over device 2 (140).
vrrp-a vrid 0
floating-ip 172.116.151.141
floating-ip 250.14.30.11
floating-ip 240.13.31.11
device-context 1
blade-parameters
priority 150
exit-module
device-context 2
blade-parameters
priority 140
exit-module
exit-module
!
! VRRP-A tracks the three active data ports on each device.
vrrp-a interface ethernet 1/1
exit-module
!
vrrp-a interface ethernet 1/2
exit-module
!
vrrp-a interface ethernet 1/3
exit-module
!
vrrp-a interface ethernet 2/1
exit-module
!
vrrp-a interface ethernet 2/2
exit-module
!
vrrp-a interface ethernet 2/3
exit-module
!
! Management-plane hardening: ICMP echo is disabled on all 13 data ports of
! both devices. The ve interfaces are not listed for ping, so they presumably
! still answer - confirm whether the ISP-facing ve addresses should.
device-context 1
disable-management service ping
ethernet 1 to 13
exit-module
!
device-context 2
disable-management service ping
ethernet 1 to 13
exit-module
!
! NTP service is disabled on all data ports and on all three ve interfaces.
device-context 1
disable-management service ntp
ethernet 1 to 13
ve 4089
ve 4091
ve 4094
exit-module
!
device-context 2
disable-management service ntp
ethernet 1 to 13
ve 4089
ve 4091
ve 4094
exit-module
! Three default routes with the same administrative distance (1): ISP1, ISP2
! and the LAN firewall. The LAN next hop 172.116.151.130 is the same host that
! is later defined as SLB server s_VPN_NAVEGA (the SSL VPN target). There is no
! more-specific route for 172.116.151.0/24 on device 1, whose ve 4094 address
! is in 170.116.151.0/24 - so on device 1 the VPN server is reachable only
! through whichever default route the box picks.
device-context 1
ip route 0.0.0.0 /0 250.14.30.1 1 description "ISP1"
ip route 0.0.0.0 /0 240.13.31.1 1 description "ISP2"
ip route 0.0.0.0 /0 172.116.151.130 1 description LAN
!
device-context 2
ip route 0.0.0.0 /0 250.14.30.1 1 description "ISP1"
ip route 0.0.0.0 /0 240.13.31.1 1 description "ISP2"
ip route 0.0.0.0 /0 172.116.151.130 1 description LAN
!
! NAT pool for the VPN VIP on ISP1. 250.14.30.2 is also the VIP address of
! VS_VPN_NAVEGA below, and that virtual server references a pool named
! "VPN_NAVEGA", not "VPN_ISP1" - no pool with that name exists in this dump.
ip nat pool VPN_ISP1 250.14.30.2 250.14.30.2 netmask /27 gateway 250.14.30.1
!
! "pool_ISP2" is defined twice: once in the ISP2 subnet (240.13.31.8) and once
! in the ISP1 subnet (250.14.30.8). The pool-group below references
! "pool_ISP1", which is never defined, so the second definition was very
! likely meant to be pool_ISP1. Its address 250.14.30.8 is also the interface
! IP of ve 1/4089.
ip nat pool pool_ISP2 240.13.31.8 240.13.31.8 netmask /28 gateway 240.13.31.1
!
ip nat pool pool_ISP2 250.14.30.8 250.14.30.8 netmask /27 gateway 250.14.30.1
!
! Outbound browsing pool group used by VS_GW; member pool_ISP1 is undefined here.
ip nat pool-group POOLNAVEGACION
member pool_ISP1
member pool_ISP2
exit-module
!
!
! Link-probe template for NHLD: 10 probes every 2 s, test every 10 s, against
! a resolved external hostname. Not referenced by name anywhere else in this
! dump, so where it is applied cannot be seen here.
slb template link-probe Prueba_NAVEGACION
probe-interval 2
probes-per-test 10
test-interval 10
selection-rule threshold
user-tag NHLD_TM
destination hostname www.a10networks.com resolve-to-ipv4
exit-module
!
! Two port templates with identical content (the names look like two spellings
! of the same thing). Neither is bound to any virtual port in this config; the
! virtual servers use "source-nat pool" / "source-nat auto" directly.
slb template port platilla_pool_nave
source-nat POOLNAVEGACION
exit-module
!
slb template port plantilla_pool_navega
source-nat POOLNAVEGACION
exit-module
!
! ISP2 gateway as an SLB server (port 0 = any) for NHLD. Ping is configured both
! at server level and on port 0 tcp; the ISP1 gateway below has it only on the
! port - minor inconsistency between the two.
slb server nodo_gw_ISP2 240.13.31.1
health-check ping
port 0 tcp
health-check ping
exit-module
port 0 udp
exit-module
exit-module
!
slb server nodo_gw_ISP1 250.14.30.1
port 0 tcp
health-check ping
exit-module
port 0 udp
exit-module
exit-module
!
! Published mail host. "port 25 udp" is also defined; SMTP is TCP-only, so the
! UDP port (and the UDP service group built on it) is probably unused.
slb server nodo_mail 172.116.151.132
health-check ping
port 25 tcp
exit-module
port 25 udp
exit-module
exit-module
!
! Published web portals, TCP and UDP 443. Only ping is used as a health check,
! so a host that is up but whose web service is down stays in service.
slb server nodo_portal1 172.116.151.144
health-check ping
port 443 tcp
exit-module
port 443 udp
exit-module
exit-module
!
slb server nodo_portal2 172.116.151.145
health-check ping
port 443 tcp
exit-module
port 443 udp
exit-module
exit-module
!
! SSL VPN target: the LAN firewall. The same address is the "LAN" default-route
! next hop above. Only TCP/443 is defined, so if the VPN also needs UDP/443
! (e.g. DTLS) that path is not published.
slb server s_VPN_NAVEGA 172.116.151.130
port 443 tcp
health-check ping
exit-module
exit-module
!
! NHLD gateway groups: both ISP gateways on port 0. pool_gw_udp is used for
! both the "others" and the "udp" virtual ports of VS_GW.
slb service-group pool_gw tcp
health-check ping
member nodo_gw_ISP1 0
exit-module
member nodo_gw_ISP2 0
exit-module
exit-module
!
slb service-group pool_gw_udp udp
health-check ping
member nodo_gw_ISP2 0
exit-module
member nodo_gw_ISP1 0
exit-module
exit-module
!
! Portal 1 groups. The ISP2 virtual server below references "pool_portalpo" /
! "pool_portalpo_UDP", which do not exist in this dump; these two are the
! closest match.
slb service-group pool_portal1 tcp
health-check ping
member nodo_portal1 443
exit-module
exit-module
!
slb service-group pool_portal1_UDP udp
health-check ping
member nodo_portal1 443
exit-module
exit-module
!
slb service-group pool_portal2 tcp
health-check ping
member nodo_portal2 443
exit-module
exit-module
!
slb service-group pool_portal2_UDP udp
health-check ping
member nodo_portal2 443
exit-module
exit-module
!
! VPN group: single member, no group-level health check (the server port has ping).
slb service-group pool_vpn tcp
member s_VPN_NAVEGA 443
exit-module
exit-module
!
slb service-group pool_webmail tcp
health-check ping
member nodo_mail 25
exit-module
exit-module
!
slb service-group pool_webmail_UDP udp
health-check ping
member nodo_mail 25
exit-module
exit-module
!
! NHLD wildcard VIP: 0.0.0.0 / port 0 catches all LAN-originated traffic,
! source-NATs it from POOLNAVEGACION, keeps each client on the same NAT address
! (clientip-sticky-nat) and forwards to the chosen ISP gateway without
! rewriting the destination (no-dest-nat). This is why the LAN ve interfaces
! carry "ip allow-promiscuous-vip".
slb virtual-server VS_GW 0.0.0.0
port 0 others
name VP_VS_GW_OTHERS
clientip-sticky-nat
source-nat pool POOLNAVEGACION
service-group pool_gw_udp
no-dest-nat
exit-module
port 0 tcp
name VP_VS_GW_TCP
clientip-sticky-nat
source-nat pool POOLNAVEGACION
service-group pool_gw
no-dest-nat
exit-module
port 0 udp
name VP_VS_GW_UDP
clientip-sticky-nat
source-nat pool POOLNAVEGACION
service-group pool_gw_udp
no-dest-nat
exit-module
exit-module
!
! Inbound SSL VPN publication on ISP1. Points to check:
!  - "source-nat pool VPN_NAVEGA": no pool by that name is defined in this dump
!    (the ISP1 VPN pool is called VPN_ISP1). Possibly renamed when the paste
!    was sanitised; otherwise the SNAT has nothing to draw from.
!  - VIP 250.14.30.2 is the same address as the VPN_ISP1 pool.
!  - Because the connection is source-NATed, the firewall sees every VPN client
!    arriving from the pool address rather than the real Internet source, so
!    its SSL-VPN logs, lockouts and geo/IP policies cannot tell clients apart.
!  - Only TCP/443 is published.
slb virtual-server VS_VPN_NAVEGA 250.14.30.2 /0
port 443 tcp
name tcp
source-nat pool VPN_NAVEGA
service-group pool_vpn
exit-module
exit-module
!
! Mail VIPs on ISP2 (.3 in 240.13.31.0/28) and ISP1 (.3 in 250.14.30.0/27).
slb virtual-server vs_mail_ISP2 240.13.31.3 /0
port 25 smtp
name vp_vs_mail_ISP2
clientip-sticky-nat
source-nat auto
service-group pool_webmail
exit-module
port 25 udp
name vp_vs_mail_ISP2_UDP
clientip-sticky-nat
source-nat auto
service-group pool_webmail_UDP
exit-module
exit-module
!
slb virtual-server vs_mail_ISP1 250.14.30.3 /0
port 25 smtp
name vp_vs_mail_ISP1
clientip-sticky-nat
source-nat auto
service-group pool_webmail
exit-module
port 25 udp
name vp_vs_mail_ISP1_udp
clientip-sticky-nat
source-nat auto
service-group pool_webmail_UDP
exit-module
exit-module
!
! Portal 1 on ISP2. 240.13.3.12 is not in the ISP2 subnet 240.13.31.0/28 used on
! ve 4091 (second-to-last octet 3 vs 31) - likely a typo, as is the
! "pool_portalpo" / "pool_portalpo_UDP" service-group reference, which does not
! match any service group defined here (pool_portal1 / pool_portal1_UDP exist).
slb virtual-server vs_portal1_ISP2 240.13.3.12 /0
port 443 tcp
name TCP
clientip-sticky-nat
source-nat auto
service-group pool_portalpo
exit-module
port 443 udp
name vp_vs_portalpo_claro2024
clientip-sticky-nat
source-nat auto
service-group pool_portalpo_UDP
exit-module
exit-module
!
slb virtual-server vs_portal1_ISP1 250.14.30.12 /0
port 443 tcp
name TCP_TP
clientip-sticky-nat
source-nat auto
service-group pool_portal1
exit-module
port 443 udp
name vp_vs_portal1_ISP1_udp
clientip-sticky-nat
source-nat auto
service-group pool_portal1_UDP
exit-module
exit-module
!
! Portal 2 on ISP2: same 240.13.3.x vs 240.13.31.x discrepancy as vs_portal1_ISP2.
slb virtual-server vs_portal2_ISP2 240.13.3.7 /0
port 443 tcp
name TCP_PortPruebas
clientip-sticky-nat
source-nat auto
service-group pool_portal2
exit-module
port 443 udp
name vp_vs_portal2_ISP2_udp
clientip-sticky-nat
source-nat auto
service-group pool_portal2_UDP
exit-module
exit-module
!
slb virtual-server vs_portal2_ISP1 250.14.30.7 /0
port 443 tcp
name TCP_PORT2
clientip-sticky-nat
source-nat auto
service-group pool_portal2
exit-module
port 443 udp
name vp_vs_portal2_ISP1_udp
clientip-sticky-nat
source-nat auto
service-group pool_portal2_UDP
exit-module
exit-module
!
! sFlow is collected locally only (collector is 127.0.0.1:6343); nothing is
! exported off-box, so flow data is not available to an external SIEM/NMS.
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343

! No role-based access configuration present.
!rba-config-start
!

!rba-config-end
!
end

Thanks for your help!

Comments

  • mdunnmdunn Member, A10ers ✭✭✭

    For the VPN connection, what is the destination IP? Is that destination IP one of the VIPs on the A10?

    If you run a "show slb virtual-server" command, do you see the stats incrementing on the VIP you are trying to hit?

  • Hello!

    I tried configuring it in several ways: with a NAT pool, with static NAT so that a 1-to-1 NAT was done, and also with a virtual server.

    When it is configured through a VS, I can see the input and output statistics increase, but I cannot connect to either the IP or the VPN name.

    At the moment I still cannot connect remotely to my VPN

  • mdunnmdunn Member, A10ers ✭✭✭

    Is this the VIP for VPN connection? VS_VPN_NAVEGA

    The configuration looks correct for SNAT to use the pool. Can you check the NAT pool statistics with:

    show ip nat pool statistics
    

    Also, the SLB server for this connection is "slb server s_VPN_NAVEGA 172.116.151.130", and I do not see a route for this network. You also have 3 default routes, so I am not sure which interface will forward the traffic.

    Can you create a static route for this host or subnet (172.116.151.130) with the appropriate next hop defined?
