Configuration Commands : nat-map

nat-map
Description
The appliance can perform source network address translation (Source NAT or SNAT) on inbound or outbound traffic.
Two use cases illustrate the need for NAT:
1. Inbound NAT. The appliance automatically creates a source NAT map when retrieving subnet information from the Silver Peak Cloud portal. This ensures that traffic destined to SaaS servers has a return path to the appliance from which that traffic originated.
2. Outbound NAT. The appliance and server are in the cloud, and the server accesses the internet. For example, a Citrix thin client accesses its cloud-based server, and the server accesses the internet.
 
For deployments in the cloud, best practice is to NAT all traffic — either inbound (WAN-to-LAN) or outbound (LAN-to-WAN), depending on the direction of initiating request. This avoids black-holing that can result from cloud-specific IP addressing requirements.
In general, when applying NAT policies, configure separate WAN and LAN interfaces to ensure that NAT works properly. You can do this by deploying the appliance in Router mode in-path with two (or four) interfaces.
 
There are two types of NAT policies:
• Dynamic – created automatically by the system for inbound NAT when the SaaS Optimization feature is enabled and SaaS service(s) are selected for optimization. The appliance polls the Silver Peak Unity Cloud Intelligence service for a directory of SaaS services, and NAT policies are created for each of the subnets associated with selected SaaS service(s), ensuring that traffic destined for servers in use by those SaaS services has a return path to the appliance.
• Manual – created by the administrator for specific IP addresses / ranges or subnets. When assigning priority numbers to individual policies within a NAT map, first view dynamic policies to ensure that the manual numbering scheme doesn't interfere with dynamic policy numbering (that is, the manually assigned priority numbers cannot be in the range: 40000-50000). The default (no-NAT) policy is numbered 65535.
 
NAT maps are composed of ordered entries. Each map entry consists of a match statement paired with a set action. Set actions are specific to the type of map.
A NAT map entry can match traffic that satisfies either a pre-defined ACL or any of the following attributes:
If you want to reuse the same match criteria in more than one map, you can pre-define ACLs, which are, essentially, reusable match statements.
Set actions are specific to the type of map. A NAT map has set actions for the following features:
 
Map entries are ordered according to their assigned priorities. Priorities identify, as well as order, entries within a map. Across entries, all priority values must be unique (in other words, no two entries in a given map can have the same priority value).
In the following example, we’ll add a new entry, with a priority of 50, to the default map, map1. The first statement matches all traffic associated with the application, AOL. The second statement causes the source address and the source port to change in the IP header of that inbound traffic:
(config) # nat-map map1 50 match app aol
(config) # nat-map map1 50 set nat-type source-nat direction inbound
If you enter a new priority statement for an existing map, the CLI adds that entry to the map. However, if the map already has a match or set statement with the same priority, the new entry overwrites the previous one (and the CLI does not provide a warning).
If you want to create a new map, the CLI creates the map the first time you name it in a match statement.
Every map automatically includes a default entry with the priority, 65535, the highest possible number.
By default, one map is always active. You can change the active map at any time, simply by activating a different map.
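Because the CLI overwrites an existing match or set statement without warning, a batch of nat-map commands can be checked against the priority rules above before it is entered. The following Python lint is an added example, not Silver Peak code: the command grammar is inferred from the two commands shown above, the 40000-50000 range is assumed to be inclusive, and every sample line except the first two is constructed.

```python
import re

# Grammar inferred from the two commands on this page (an assumption):
#   [(config) #] nat-map <map> <priority> match|set <arguments>
LINE = re.compile(
    r"^(?:\(config\)\s*#\s*)?nat-map\s+(\S+)\s+(\d+)\s+(match|set)\s+(.+)$")
DYNAMIC = range(40000, 50001)  # dynamic-policy range, assumed inclusive
DEFAULT = 65535                # default (no-NAT) entry

def lint_nat_map(lines):
    """Return (line_no, code, message) findings for a batch of commands."""
    findings, seen = [], {}    # seen: (map, priority, kind) -> (line_no, args)
    for no, raw in enumerate(lines, 1):
        m = LINE.match(raw.strip())
        if not m:
            continue           # not a nat-map match/set statement
        name, prio, kind, args = m[1], int(m[2]), m[3], m[4].strip()
        if prio in DYNAMIC:
            findings.append((no, "RESERVED",
                f"{name} {prio}: inside the dynamic policy range 40000-50000"))
        elif prio == DEFAULT:
            findings.append((no, "DEFAULT",
                f"{name} {prio}: changes the default entry"))
        prev = seen.get((name, prio, kind))
        if prev and prev[1] != args:   # identical re-entry is harmless
            findings.append((no, "OVERWRITE",
                f"{name} {prio}: replaces the {kind} statement from line {prev[0]}"))
        seen[(name, prio, kind)] = (no, args)
    return findings

# Constructed sample; only the first two lines come from the page.
# "example-app" is a placeholder, not a real application name.
SAMPLE = [
    "(config) # nat-map map1 50 match app aol",
    "(config) # nat-map map1 50 set nat-type source-nat direction inbound",
    "(config) # nat-map map1 50 match app example-app",
    "(config) # nat-map map1 45000 match app aol",
    "(config) # nat-map map2 50 match app aol",
    "(config) # nat-map map1 65535 set nat-type source-nat direction inbound",
]

if __name__ == "__main__":
    for no, code, msg in lint_nat_map(SAMPLE):
        print(f"line {no}: {code}: {msg}")
```

The lint only sees the batch it is given; entries already present on the appliance have to be included in the input for overwrites of existing configuration to be caught.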
