INAT

When a client sends a packet to a Citrix ADC appliance that is configured for Inbound Network Address Translation (INAT), the appliance translates the packet’s public destination IP address to a private destination IP address and forwards the packet to the server at that address.

The following configurations are supported:

  • IPv4-IPv4 Mapping: A public IPv4 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv4 server. The Citrix ADC appliance translates the packet’s public destination IP address to the destination IP address of the server and forwards the packet to the server at that address.
  • IPv4-IPv6 Mapping: A public IPv4 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv6 server. The Citrix ADC appliance creates an IPv6 request packet with the IP address of the IPv6 server as the destination IP address.
  • IPv6-IPv4 Mapping: A public IPv6 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv4 server. The Citrix ADC appliance creates an IPv4 request packet with the IP address of the IPv4 server as the destination IP address.
  • IPv6-IPv6 Mapping: A public IPv6 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv6 server. The Citrix ADC appliance translates the packet’s public destination IP address to the destination IP address of the server and forwards the packet to the server at that address.

When the appliance forwards a packet to a server, the source IP address assigned to the packet is determined as follows:

  • If use subnet IP (USNIP) mode is enabled and use source IP (USIP) mode is disabled, the appliance uses a subnet IP address (SNIP) as the source IP address.
  • If USNIP mode is disabled and USIP mode is disabled, the appliance uses a mapped IP address (MIP) as the source IP address.
  • If USIP mode is enabled and USNIP mode is disabled, the appliance uses the client IP (CIP) address as the source IP address.
  • If both USIP and USNIP modes are enabled, USIP mode takes precedence.
  • You can also configure the Citrix ADC to use a unique IP address as the source IP address, by setting the proxyIP parameter.
  • If none of the above modes are enabled and a unique IP address has not been specified, the Citrix ADC attempts to use a MIP as the source IP address.
  • If both USIP and USNIP modes are enabled and a unique IP address has been specified, the order of precedence is as follows: USIP-unique IP-USNIP-MIP-Error.

To protect the Citrix ADC from DoS attacks, you can enable TCP proxy. However, if other protection mechanisms are used in your network, you may want to disable them.

Configure INAT

You can create, modify, or remove an INAT entry.

CLI procedures

To create an INAT entry by using the CLI:

At the command prompt, type the following commands to create an INAT entry and verify its configuration:

  • **add inat** <name> <publicIP> <privateIP> [-**tcpproxy** ( **ENABLED** | **DISABLED** )] [-**ftp** ( **ENABLED** | **DISABLED** )] [-**usip** ( **ON** | **OFF** )] [-**usnip** ( **ON** | **OFF** )] [-**proxyIP** <ip_addr|ipv6_addr>]
  • show inat [<name>]

Example:

> add inat ip4-ip4 172.16.1.2 192.168.1.1 -proxyip 10.102.29.171
 Done
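
The following Python script is an added example, not part of the Citrix documentation. It parses `add inat` commands and applies the source IP precedence described above (the final "Error" step depends on appliance state and is not modelled), and it reports whether TCP proxy is explicitly enabled. Options omitted from a command are reported as UNDETERMINED rather than guessed, because this page does not state their defaults; the function names are hypothetical, and every sample entry except ip4-ip4 is constructed.

```python
import shlex

FLAG = {"on": True, "enabled": True, "off": False, "disabled": False}
OPTIONS = ("tcpproxy", "ftp", "usip", "usnip", "proxyip")

def parse_add_inat(line):
    """Parse one 'add inat' command; omitted options stay None (not guessed)."""
    tok = shlex.split(line.lstrip("> "))
    if len(tok) < 5 or [t.lower() for t in tok[:2]] != ["add", "inat"]:
        raise ValueError("not an 'add inat' command: " + line)
    entry = dict.fromkeys(OPTIONS, None)
    entry.update(name=tok[2], publicip=tok[3], privateip=tok[4])
    opts = tok[5:]
    if len(opts) % 2:
        raise ValueError("option without a value: " + line)
    for key, val in zip(opts[0::2], opts[1::2]):
        key = key.lstrip("-").lower()          # the page's example writes -proxyip
        if key not in OPTIONS or (key != "proxyip" and val.lower() not in FLAG):
            raise ValueError("bad option or value: " + key + " " + val)
        entry[key] = val if key == "proxyip" else FLAG[val.lower()]
    return entry

def source_ip_kind(entry):
    """Apply the page's precedence: USIP, unique IP (proxyIP), USNIP, MIP."""
    if entry["usip"] is None:
        return "UNDETERMINED"                  # depends on the USIP default
    if entry["usip"]:
        return "CIP"                           # server sees the client address
    if entry["proxyip"]:
        return "UNIQUE:" + entry["proxyip"]
    if entry["usnip"] is None:
        return "UNDETERMINED"                  # depends on the USNIP default
    return "SNIP" if entry["usnip"] else "MIP"

def audit(lines):
    """Return (name, source address kind, TCP proxy explicitly enabled)."""
    return [(e["name"], source_ip_kind(e), e["tcpproxy"] is True)
            for e in map(parse_add_inat, lines)]

# First line is the page's example; the rest are constructed sample entries.
SAMPLE = [
    "> add inat ip4-ip4 172.16.1.2 192.168.1.1 -proxyip 10.102.29.171",
    "add inat web1 203.0.113.10 192.168.1.10 -usip OFF -usnip ON -tcpproxy ENABLED",
    "add inat web2 203.0.113.11 192.168.1.11 -usip ON -usnip ON -proxyIP 10.0.0.5",
    "add inat web3 203.0.113.12 192.168.1.12 -usip OFF -usnip ON -proxyIP 10.0.0.5",
    "add inat web4 2001:db8::10 192.168.1.13 -usip OFF -usnip OFF",
]

if __name__ == "__main__":
    for name, kind, tcpproxy in audit(SAMPLE):
        print(f"{name}: source={kind} tcpproxy_enabled={tcpproxy}")
```

Entries that report CIP expose client addresses to the server, which matters for server-side logging and ACLs; entries that report `tcpproxy_enabled=False` do not explicitly turn on the TCP proxy protection mentioned above.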

To modify an INAT entry by using the CLI:

To modify an INAT entry, type the **set inat** command, the name of the entry, and the parameters to be changed, with their new values.

To remove an INAT configuration by using the CLI:

At the command prompt, type:

  • rm inat <name>

Example:

> rm inat ip4-ip4
 Done

GUI procedures

To configure an INAT entry by using the GUI:

Navigate to System > Network > Routes > INAT, and add a new INAT entry or edit an existing INAT entry.

To remove an INAT configuration by using the GUI:

Navigate to System > Network > Routes > INAT, and delete the INAT configuration.
