Citrix SD-WAN Orchestrator

Network address translation

Network Address Translation (NAT) on the SD-WAN appliances translates the private IP addresses within your local branch or data center enterprise network to a single Public IP address. The public IP address is used for communication over the internet.

For more information about configuring NAT, see Network Address Translation.

To configure NAT for a site using the Citrix SD-WAN Orchestrator service, from site level, navigate to Configuration > Advanced Settings > NAT.

Configure NAT navigation

You can configure the following types of NAT:

  • Dynamic source NAT
  • Static NAT
  • Destination NAT

Dynamic source NAT

Dynamic Source NAT allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. Port restricted NAT uses the same outside port for all translations related to an Inside IP address and port pair. For more information, see Configure Dynamic NAT.

Dynamic source NAT detail

Static NAT

In Static NAT, a permanent 1–1 mapping between an internal private address and a public address is done. This type of NAT can be used for allowing traffic into a mail server or web server. For more information, see Configure Static NAT.

Static source NAT detail

Static NAT Policies for IPv6 Internet service

Citrix SD-WAN supports static NAT policies for IPv6 Internet service from release 11.4.0 onwards. A static NAT policy for IPv6 Internet service specifies the mapping of an inside network prefix to an outside network prefix. The number of static NAT policies required depends on the number of inside networks and the number of outside networks (WAN links). If there are M number of inside networks and N number of WAN links, then the number of static NAT policies required is M x N.

From Citrix SD-WAN release 11.4.0 onwards, while creating a static NAT policy, you can either enter the outside IP address manually or enable Auto Learn via PD. When Auto Learn via PD is enabled, the SD-WAN appliance receives delegated prefixes from the upstream delegating router through DHCPv6 Prefix Delegation. Before Citrix SD-WAN release 11.4.0, the outside IP address was derived from the service automatically and there was no option to enter the outside IP address manually. If you are upgrading an appliance to 11.4.0 or a later release and have static NAT policies configured for IPv6 Internet service, then you must manually update the policies.

Configuration example

In the following topology, the Citrix SD-WAN appliance is configured with 2 inside networks and 2 WAN links:

  • Inside network 1 resides in the CORPORATE routing domain with network prefix FD01:0203:6561::/64
  • Inside network 2 resides in the Wi-Fi routing domain with network prefix FD01:0203:1265::/64
  • Through WAN Link 1, the SD-WAN appliance receives from the upstream delegating router through DHCPv6 Prefix Delegation, 2 delegated prefixes 2001:0D88:1261::/64 and 2001:0D88:1265::/64. These 2 delegated prefixes are used as the outside network prefixes when the traffic from the inside networks transits WAN link 1.
  • Through WAN Link 2, the SD-WAN appliance receives from the upstream delegating router through DHCPv6 Prefix Delegation, 2 delegated prefixes 2001:DB8:8585::/64 and 2001:DB8:8599::/64. These 2 delegated prefixes are used as the outside network prefixes when the traffic from the inside networks transits WAN link 2.

Static source NAT NPT

In this scenario, there are M=2 inside networks and N=2 WAN links. Therefore, the number of static NAT policies required for proper deployment of IPv6 Internet service is 2 x 2 = 4. These 4 static NAT policies specify the address translation for:

  • Inside network 1 through WAN link 1
  • Inside network 1 through WAN link 2
  • Inside network 2 through WAN link 1
  • Inside network 2 through WAN link 2

To configure these static NAT policies, from site level, navigate to Configuration > Advanced Settings > NAT > Static Source NAT. Click +Static Source NAT.

While creating NAT policies, ensure that you select the Type as Internet and IP Address Type as IPv6. Select the WAN link and in the Inside IP/Prefix field, enter the inside network prefix (only /64 prefixes are allowed). In the Outside IP/Prefix field, you can either manually enter the outside network prefix or select the Auto Learn via PD check box.

The following is an example where the outside IP address is entered manually in the static NAT policy.

Static source NAT NPT manual config

If you select the Auto Learn via PD check box, ensure that the upstream router supports DHCPv6 Prefix Delegation. Citrix SD-WAN requests a prefix from the upstream delegating router and the delegating router responds with a prefix to Citrix SD-WAN. Citrix SD-WAN uses this delegated prefix to translate the inside IP address to the outside IP address.

The following is an example where Auto Learn via PD is enabled, so that the outside network prefix is obtained through DHCPv6 Prefix Delegation.

Static source NAT NPT auto learn through PD

Destination NAT

Destination NAT is performed on incoming packets when the SD-WAN appliance translates a public destination address to a private address. It also allows port forwarding.

Destination NAT detail

Network address translation