Inbound Network Address Translation

When a client sends a packet to a Citrix ADC appliance that is configured for Inbound Network Address Translation (INAT), the appliance translates the packet’s public destination IP address to a private destination IP address and forwards the packet to the server at that address.

The following configurations are supported:

  • IPv4-IPv4 Mapping: A public IPv4 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv4 server. The Citrix ADC appliance translates the packet’s public destination IP address to the destination IP address of the server. Then the appliance forwards the packet to the server at that address.
  • IPv4-IPv6 Mapping: A public IPv4 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv6 server. The Citrix ADC appliance creates an IPv6 request packet with the IP address of the IPv6 server as the destination IP address.
  • IPv6-IPv4 Mapping: A public IPv6 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv4 server. The Citrix ADC appliance creates an IPv4 request packet with the IP address of the IPv4 server as the destination IP address.
  • IPv6-IPv6 Mapping: A public IPv6 address on the Citrix ADC appliance listens to connection requests on behalf of a private IPv6 server. The Citrix ADC appliance translates the packet’s public destination IP address to the destination IP address of the server. Then the appliance forwards the packet to the server at that address.

When the appliance forwards a packet to a server, the source IP address assigned to the packet is determined as follows:

  • If use subnet IP (USNIP) mode is enabled and use source IP (USIP) mode is disabled, the appliance uses a subnet IP address (SNIP) as the source IP address.
  • If USIP mode is enabled and USNIP mode is disabled, the appliance uses the client IP (CIP) address as the source IP address.
  • If both USIP and USNIP modes are enabled, USIP mode takes precedence.
  • You can also configure the Citrix ADC to use a unique IP address as the source IP address, by setting the proxyIP parameter.
  • If none of the above modes are enabled and a unique IP address has not been specified, the Citrix ADC attempts to use a MIP as the source IP address.
  • If both USIP and USNIP modes are enabled and a unique IP address has been specified, the order of precedence is as follows: USIP > unique IP (proxyIP) > USNIP > MIP > error.
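The precedence above is easier to reason about as a decision procedure. The following model is an added example, not Citrix code: it applies the page's stated order (USIP, then the unique proxyIP, then USNIP, then a MIP, otherwise an error) uniformly to every combination of settings, which goes slightly beyond the page, which states the full order only for the case where both modes are enabled. The rule and address values are constructed sample values; the `InatRule`, `select_source_ip` and `translate` names are this example's own.

```python
"""Model of INAT destination translation and source-IP selection.

Added example, not Citrix ADC code. It encodes the precedence described on
this page (USIP > proxyIP > USNIP > MIP > error) so a rule can be checked
against sample packets before it is configured on the appliance.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class InatRule:
    name: str
    public_ip: str                   # address the appliance listens on
    private_ip: str                  # server address the destination becomes
    usip: bool = False               # use client IP as source (USIP mode)
    usnip: bool = True               # use a SNIP as source (USNIP mode)
    proxy_ip: Optional[str] = None   # explicit "unique IP" source (proxyIP)

    def mapping_type(self) -> str:
        """Label the rule as IPv4-IPv4, IPv4-IPv6, IPv6-IPv4 or IPv6-IPv6."""
        pub = ipaddress.ip_address(self.public_ip).version
        priv = ipaddress.ip_address(self.private_ip).version
        return f"IPv{pub}-IPv{priv}"


def select_source_ip(rule: InatRule, client_ip: str,
                     snip: Optional[str] = None,
                     mip: Optional[str] = None) -> str:
    """Return the source IP stamped on the server-bound packet.

    Assumption (this example's): the page's precedence is applied as a
    single total order regardless of which modes are enabled.
    """
    if rule.usip:
        return client_ip            # USIP wins over everything else
    if rule.proxy_ip:
        return rule.proxy_ip        # unique IP configured with -proxyIP
    if rule.usnip and snip:
        return snip                 # USNIP mode with a SNIP available
    if mip:
        return mip                  # last resort before an error
    raise RuntimeError(
        f"INAT {rule.name}: no usable source IP (USIP/proxyIP/USNIP/MIP)")


def translate(rule: InatRule, client_ip: str, dst_ip: str,
              snip: Optional[str] = None,
              mip: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Apply the rule to a client packet (src=client_ip, dst=dst_ip).

    Returns the (source, destination) pair of the forwarded packet, or None
    when the packet is not addressed to this rule's public IP and the rule
    therefore does not apply.
    """
    if ipaddress.ip_address(dst_ip) != ipaddress.ip_address(rule.public_ip):
        return None
    src = select_source_ip(rule, client_ip, snip, mip)
    return src, rule.private_ip


if __name__ == "__main__":
    # Constructed sample: mirrors the page's "add inat ip4-ip4 ..." example.
    rule = InatRule("ip4-ip4", "172.16.1.2", "192.168.1.1",
                    proxy_ip="10.102.29.171")
    print(rule.mapping_type(), translate(rule, "203.0.113.5", "172.16.1.2",
                                         snip="10.102.29.50"))
```

Running the model against the page's own example rule shows the proxyIP being chosen even though USNIP is enabled and a SNIP is available; flipping `usip=True` makes the client address win instead, and a rule with neither mode, no proxyIP and no MIP raises, which is the error case at the end of the precedence list.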

To protect the Citrix ADC from DoS attacks, you can enable TCP proxy on the INAT entry. However, if other protection mechanisms are already used in your network, you can disable TCP proxy.

Configure INAT rules

You can create, modify, or remove an INAT entry.

CLI procedures

To create an INAT entry by using the CLI:

At the command prompt, type the following commands to create an INAT entry and verify its configuration:

  • add inat <name> <publicIP> <privateIP> [-tcpproxy (ENABLED | DISABLED)] [-ftp (ENABLED | DISABLED)] [-usip (ON | OFF)] [-usnip (ON | OFF)] [-proxyIP <ip_addr|ipv6_addr>]
  • show inat [<name>]

Example:

> add inat ip4-ip4 172.16.1.2 192.168.1.1 -proxyip 10.102.29.171
 Done

To modify an INAT entry by using the CLI:

To modify an INAT entry, type the set inat command, the name of the entry, and the parameters to be changed, with their new values.

To remove an INAT configuration by using the CLI:

At the command prompt, type:

  • rm inat <name>

Example:

> rm inat ip4-ip4
 Done

GUI procedures

To configure an INAT entry by using the GUI:

Navigate to System > Network > Routes > INAT, and add an INAT entry or edit an existing INAT entry.

To remove an INAT configuration by using the GUI:

Navigate to System > Network > Routes > INAT, delete the INAT configuration.

Connection failover for INAT rules

Connection failover, or connection mirroring, enables the primary node to duplicate connection and persistence information to the secondary node in a high availability (HA) setup. When connection mirroring is enabled, the state information of the connection is shared with the secondary node regularly.

Enabling connection failover provides more reliability, but it comes at the cost of some system time being used for sharing the state information. The connection data is synchronized to the standby unit with every packet or flow state update. Hence, enable it only where connection-level reliability is of prime importance.

Citrix ADC appliance high availability setups support connection failover for INAT connections. The primary node sends INAT mappings and other INAT related connection information to the secondary node at regular intervals. The secondary appliance uses the mapping and connection information only in the event of a failover.

When a failover occurs, the new primary node has information about the INAT connections established before the failover. Hence, it continues to serve those connections even after the failover.

From the client’s perspective the failover is transparent. During the transition period, the client and server might experience a brief disruption and retransmissions. Connection failover can be enabled per INAT rule.

To enable connection failover on an INAT rule, you enable the connFailover parameter of that specific INAT rule by using the CLI.

CLI procedure

To enable connection failover for an INAT rule by using the CLI:

To enable connection failover while adding an INAT rule, at the command prompt, type:

  • add inat <name> <publicIP> <privateIP> [-tcpproxy (ENABLED | DISABLED)] [-ftp (ENABLED | DISABLED)] [-usip (ON | OFF)] [-usnip (ON | OFF)] [-proxyIP <ip_addr|ipv6_addr>] -connfailover (ENABLED | DISABLED)

  • show inat <name>

To enable connection failover while modifying an existing INAT rule, at the command prompt, type:

  • set inat <name> -connfailover (ENABLED | DISABLED)
  • show inat <name>
