Source nat

salman210 · January 27, 2020, 6:23pm

We are setting up source NAT and the idea was to use the ve IP addresses for the associated vlan as the source NAT address in the pool.

I swear we had it setup like this in version 2.7.2P6. but since the upgrade it says we can not use the ve interface IP address as the source nat address in a pool.

Is there anyway of using the interface address as the source NAT now? Just trying to keep the number of IP addresses used down.

mdunn · January 27, 2020, 8:14pm

Hello -
This should be possible with “Smart NAT” which will use the interface IP or VRRP Floating IP. Per admin guide:
Smart NAT provides source NAT for virtual ports. The IP addresses that Smart NAT uses to create the mappings depend on whether VRRP-A high availability is enabled and floating-IP addresses are configured:
• With VRRP-A high availability – If VRRP-A high availability is configured, Smart NAT uses configured floating IP addresses as NAT addresses.
• Without VRRP-A high availability – If VRRP-A high availability is not configured, then Smart NAT uses IP address(es) on the ACOS interface connected to the real server.
The configuration is applied to the VPORT with “source nat auto” command.

Mike

salman210 · January 28, 2020, 5:24am

my configuration is as below, kindly let me know what i am missing.
!
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
access-list 111 permit ip 192.168.0.0 0.0.255.255 any
!
interface ethernet 2
name “ISP 1”
enable
ip address 100.100.101.1 255.255.255.224
ip nat outside
exit-module
!
interface ethernet 3
name “ISP 2”
enable
ip address 100.100.102.1 255.255.255.224
ip nat outside
exit-module
!
interface ethernet 4
name “ISP 3”
enable
ip address 100.100.103.1 255.255.255.224
ip nat outside
exit-module
!
!
ip nat pool SNAT_ISP1 100.100.101.2 100.100.101.2 netmask /29 gateway 100.100.100.254
!
ip nat pool SNAT_ISP2 100.100.102.2 100.100.102.2 netmask /29 gateway 100.100.100.253
!
ip nat pool SNAT_ISP3 100.100.103.2 100.100.103.2 netmask /29 gateway 100.100.100.252
!
ip nat pool-group LLB2
member SNAT_ISP1 SNAT_ISP2 SNAT_ISP3
exit-module

!
slb virtual-server INTERNET 0.0.0.0 acl 111
extended-stats
port 0 tcp
  clientip-sticky-nat
  source-nat pool LLB2
  service-group IPV4_0
  use-rcv-hop-for-resp
  template persist destination-ip dstpersist
  no-dest-nat
  exit-module
port 0 udp
  clientip-sticky-nat
  source-nat pool LLB2
  service-group IPV4_1
  use-rcv-hop-for-resp
  template persist destination-ip dstpersist
  no-dest-nat
  exit-module
port 0 others
  clientip-sticky-nat
  source-nat pool LLB2
  service-group IPV4_0
  use-rcv-hop-for-resp
  template persist destination-ip dstpersist
  no-dest-nat
  exit-module
exit-module
in the CLI when i ping 8.8.8.8 using source interface ethernet 2,3 and 4 i can ping 8.8.8.8
but when i use source snap ip
ping source 100.100.101.2 8.8.8.8 (no response)
ping source 100.100.102.2 8.8.8.8 (no response)
ping source 100.100.103.2 8.8.8.8 (no response)

Thanks,

mdunn · January 28, 2020, 4:53pm

I don’t believe testing with a ping source IP of a NAT pool is a valid option. You may wish to execute that command while running axdebug to see what’s being sent / received.
Overall, your config looks correct. I don’t see an “inside” interface configured, but I assume that’s planned. However, you need not configure inside / outside NAT interfaces unless you’re using “snat-on-vip”.

salman210 · January 28, 2020, 4:58pm

users are unable to reach internet
trace shows traffic is going to A10 after that * * *

salman210 · January 28, 2020, 5:00pm

All my ISP interface are access ports

mdunn · January 28, 2020, 5:07pm

So it appears you’re looking to run NHLD. A few thoughts:
Do you have “ip allow-promiscuous-vip” configured on your inside interface?
Do your slb servers, service-groups, and VIP show UP status?
Also, in my configs and also the admin guide, the NAT pools do not have a gateway defined. You may wish to try removing that.

salman210 · January 28, 2020, 5:12pm

Yes ip allow-promiscuous-vip is enable on inside interface
yes the status shows up
can you share any config example please?

mdunn · January 28, 2020, 7:47pm

Here’s a lab config I’ve used. In this instance, 192.168.1.x was inside, 10.x.x.x was outside.
I do see in your config the following, which is incorrect syntax (at least in version 4.x). Pool group members should be one per line. What version are you running?

ip nat pool-group LLB2 
 member SNAT_ISP1 SNAT_ISP2 SNAT_ISP3
 exit-module

nhld_lab.txt (2.21 KB)

salman210 · January 28, 2020, 7:53pm

version 4.1.0-P7, build 10

salman210 · January 29, 2020, 8:30am

still users traffic cannot browse internet

mdunn · January 29, 2020, 5:00pm

At this point I would suggest packet captures to validate the behavior of the A10 and/or contacting A10 Support for assistance. Seems that there is some other environment specific issue at play here.

salman210 · January 30, 2020, 11:09am

axdebug_file_2020-01-29_06-49-33.tar.gz (60.6 KB)

mdunn · January 30, 2020, 3:00pm

Reviewing the captures, it appears that all of your TCP SYN packets have the same 2 destination IP’s, and we never receive a SYN ACK from either of them. Also, I see no traffic with a destination port of 80 or 443.
The IP’s do not align with the config you initially posted, so some of the context is lost.

salman210 · January 30, 2020, 3:47pm

what could be a reason for not receiving SYN ACK?

salman210 · January 30, 2020, 3:51pm

!Configuration last saved at 17:43:31 AST Thu Jan 30 2020
!64-bit Advanced Core OS (ACOS) version 4.1.0-P7, build 10 (Oct-29-2016,00:54)
!
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
access-list 111 permit ip 192.168.0.0 0.0.255.255 any
!
multi-config enable
!
terminal idle-timeout 60
!
ip dns primary 8.8.8.8
!
ip nat translation service-timeout udp 53 fast
!
vlan 2740
untagged ethernet 1
router-interface ve 2740
interface management
ip address 192.168.0.36 255.255.255.0
ip default-gateway 192.168.0.254
enable
!
interface ethernet 1
name “STC Link2”
enable
!
interface ethernet 2
name “MOBILY Link2”
enable
ip address 86.51.170.35 255.255.255.224
ip nat outside
!
interface ethernet 3
name “KACST Link2”
enable
ip address 212.26.63.179 255.255.255.248
ip nat outside
!
interface ethernet 4
name “A10 LAN PRI”
enable
ip address 192.168.4.131 255.255.255.248
ip nat inside
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ve 2740
ip address 37.224.22.164 255.255.255.240
!
!
ip nat pool SNAT_KACST_Link 212.26.63.180 212.26.63.180 netmask /29 gateway 212.26.63.177
!
ip nat pool SNAT_POOL_MOBILY 86.51.170.36 86.51.170.36 netmask /27 gateway 86.51.170.33
!
ip nat pool STC_SNAT_POOL 37.224.22.165 37.224.22.165 netmask /29 gateway 37.224.22.161
!
ip nat pool-group LLB2
member SNAT_KACST_Link
member SNAT_POOL_MOBILY
member STC_SNAT_POOL
!
ip nat inside source static 192.168.4.133 37.224.22.172
!
!
ip route 0.0.0.0 /0 37.224.22.161
!
ip route 10.1.52.0 /24 192.168.4.133
!
health monitor ping
!
slb template persist destination-ip dstpersist
!
slb template persist source-ip SRpersistent
!
slb template port KACST
source-nat SNAT_KACST_Link
!
slb template port STC
source-nat STC_SNAT_POOL
!
slb template port Mobily
source-nat SNAT_POOL_MOBILY
!
slb server KACST_Link 212.26.63.177
health-check ping
weight 2
port 0 udp
  health-check-disable
port 0 tcp
  health-check-disable
!
slb server MOBILY_LINK 86.51.170.33
health-check ping
port 0 tcp
  health-check-disable
port 0 udp
  health-check-disable
!
slb server STC_Link 37.224.22.161
health-check ping
weight 3
port 0 tcp
  health-check-disable
port 0 udp
  health-check-disable
!
slb service-group IPV4_0 tcp
method weighted-least-connection
health-check ping
member KACST_Link 0
  template KACST
member MOBILY_LINK 0
  template Mobily
member STC_Link 0
  template STC
!
slb service-group IPV4_1 udp
method weighted-least-connection
health-check ping
member KACST_Link 0
  template KACST
member MOBILY_LINK 0
  template Mobily
member STC_Link 0
  template STC
!
slb virtual-server INTERNET 0.0.0.0 acl 111
extended-stats
port 0 tcp
  clientip-sticky-nat
  source-nat pool LLB2
  service-group IPV4_0
  use-rcv-hop-for-resp
  template persist destination-ip dstpersist
  no-dest-nat
port 0 udp
  clientip-sticky-nat
  source-nat pool LLB2
  service-group IPV4_1
  use-rcv-hop-for-resp
  template persist destination-ip dstpersist
  no-dest-nat
port 0 others
  clientip-sticky-nat
  source-nat pool LLB2
  service-group IPV4_0
  use-rcv-hop-for-resp
  template persist destination-ip dstpersist
  no-dest-nat
!
end

mdunn · January 30, 2020, 8:24pm

There are many possibilities for why the SYN ACK would not return. However, I think the bigger issue is that the A10 is not receiving any packets from either 10.0.0.0/8 or 192.168.0.0/16 networks. Do you have any hits on the ACLs?
Is there a NAT before the A10 or some strange routing?

salman210 · January 30, 2020, 8:55pm

A10 is the main device to do NAT
there is no egde firewall
How can i run debug in A10 or check acl hits?

mdunn · January 30, 2020, 9:37pm

ACL hits: show access-list
Debugging: axdebug
I would suggest using the “?” within axdebug to see the commands for filters etc.

salman210 · February 2, 2020, 2:24pm

SRC-PRI-A10-Active#sh access-list
access-list 111 4 permit ip 10.0.0.0 0.255.255.255 any Data plane hits: 0
access-list 111 8 permit ip 192.168.0.0 0.0.255.255 any Data plane hits: 0

Discussion		Replies	Views
Source NAT pool and virtual ethernet address ADC - Application Delivery	3	2151	January 28, 2020
IP Source NAT System	1	81	December 17, 2012
Real Server NAT (South-North) when access Internet System	2	51	April 4, 2016
How can I use a VS IP as a source NAT in WILDCARD VS ADC - Application Delivery snat , nhld , slb-adc , virtual-server-vip	4	231	January 31, 2024
SNAT-ON-VIP ADC - Application Delivery	1	1542	August 12, 2020

Source nat

Related topics