Citrix SD-WAN

Static NAT

Static NAT is a one-to-one mapping of a private IP address or subnet inside the SD-WAN network to a public IP address or subnet outside the SD-WAN network. You configure Static NAT by entering the inside IP address and the outside IP address to which it is translated. Static NAT can be configured for the Local, Virtual Paths, Internet, Intranet, and Inter-routing domain services.

Inbound and Outbound NAT

A connection can run either inside to outside or outside to inside. A NAT rule applies to packets flowing in both directions; which address (source or destination) is translated in each direction depends on the direction match type.

  • Inbound: The source address is translated for packets received on the service, and the destination address is translated for packets transmitted on the service. For example, with an Internet service facing the LAN: for packets received (Internet to LAN), the source IP address is translated; for packets transmitted (LAN to Internet), the destination IP address is translated.
  • Outbound: The destination address is translated for packets received on the service, and the source address is translated for packets transmitted on the service. For example, with a LAN service facing the Internet: for packets transmitted (LAN to Internet), the source IP address is translated; for packets received (Internet to LAN), the destination IP address is translated.

Zone Derivation

The source and destination firewall zones of inbound or outbound traffic must not be the same. If the source and destination zones are identical, NAT is not performed on that traffic.

For outbound NAT, the outside zone is derived automatically from the service. Every service on SD-WAN is associated with a zone by default; for example, an Internet service on a trusted Internet link is associated with the trusted Internet zone. Similarly, for inbound NAT, the inside zone is derived from the service.

For a Virtual Path service, zone derivation does not happen automatically: you must enter the inside and outside zones manually, and NAT is performed only on traffic between those zones. Zones cannot be derived for virtual paths because the subnets reachable over a virtual path can belong to multiple zones.

Configure Static NAT Policies

To configure Static NAT policies, in the Configuration Editor, navigate to Connections > Firewall > Static NAT Policies.


  • Priority: The order in which the policy is applied relative to all other defined policies. Policies with a lower priority value are applied before policies with a higher value.
  • Direction: The direction in which the traffic flows, from the perspective of the virtual interface or service: inbound or outbound.
  • Service Type: The SD-WAN service type on which the NAT policy is applied. For static NAT, the supported service types are Local, Virtual Paths, Internet, Intranet, and Inter-routing domain services.
  • Service Name: Select a configured service name that corresponds to the Service Type.
  • Inside Zone: The inside firewall zone match type that the packet must match for translation to occur.
  • Outside Zone: The outside firewall zone match type that the packet must match for translation to occur.
  • Inside IP address: The inside IP address and prefix that is translated when the match criteria are met.
  • Outside IP address: The outside IP address and prefix to which the inside IP address is translated when the match criteria are met.
  • Bind Responder Route: Ensures that response traffic is sent over the same service on which it was received, to avoid asymmetric routing.
  • Proxy ARP: Ensures that the appliance answers local ARP requests for the outside IP address.
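The following Python model ties together the direction semantics, the zone rules, and the policy fields above. It is an added illustration written for this page, not Citrix code: the `StaticNatPolicy` and `Packet` field names, the zone names, the service names, the addresses, and the "first matching policy wins" rule are assumptions, and every packet is constructed for the example. What it shows that the prose does not: the same one-to-one host-offset mapping serves both a /32 host policy and a /24 subnet policy, inbound and outbound are mirror images of each other once you fix which address is translated for received versus transmitted packets, and the lower-priority-value policy is tried first.

```python
"""Model of Citrix SD-WAN static NAT policy evaluation (added illustration,
not Citrix code). Field names, zone names and 'first match wins' are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticNatPolicy:
    priority: int          # lower value is evaluated first
    direction: str         # "inbound" or "outbound"
    service: str           # service name the policy is bound to
    inside_zone: str
    outside_zone: str
    inside_prefix: str     # e.g. "10.0.1.0/24"; a single host is "/32"
    outside_prefix: str    # same prefix length as inside_prefix

    def __post_init__(self) -> None:
        if self.direction not in ("inbound", "outbound"):
            raise ValueError("direction must be inbound or outbound")
        if self.inside_zone == self.outside_zone:
            raise ValueError("inside and outside zones must differ")
        if ip_network(self.inside_prefix).prefixlen != ip_network(self.outside_prefix).prefixlen:
            raise ValueError("static NAT is one-to-one: prefix lengths must match")


@dataclass(frozen=True)
class Packet:
    service: str
    event: str             # "received" on the service or "transmitted" on it
    src: str
    dst: str
    src_zone: str
    dst_zone: str


def _remap(addr: str, from_net, to_net) -> str:
    """Keep the host offset: one-to-one mapping between equal-sized prefixes."""
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))


def apply_policy(policy: StaticNatPolicy, pkt: Packet) -> Optional[Packet]:
    """Return the translated packet, or None if this policy does not apply."""
    if pkt.service != policy.service or pkt.event not in ("received", "transmitted"):
        return None
    if pkt.src_zone == pkt.dst_zone:      # same zone on both ends: no NAT
        return None
    inside, outside = ip_network(policy.inside_prefix), ip_network(policy.outside_prefix)
    # Inbound translates the source of received packets and the destination of
    # transmitted ones; outbound is the mirror image.
    translate_source = (policy.direction == "inbound") == (pkt.event == "received")
    if translate_source:
        # The source lives in the inside zone and is mapped inside -> outside.
        if pkt.src_zone != policy.inside_zone or pkt.dst_zone != policy.outside_zone:
            return None
        if ip_address(pkt.src) not in inside:
            return None
        return replace(pkt, src=_remap(pkt.src, inside, outside))
    # The destination lives in the inside zone; its outside alias is mapped back.
    if pkt.dst_zone != policy.inside_zone or pkt.src_zone != policy.outside_zone:
        return None
    if ip_address(pkt.dst) not in outside:
        return None
    return replace(pkt, dst=_remap(pkt.dst, outside, inside))


def translate(policies, pkt: Packet):
    """Try policies by ascending priority value; first match wins (assumption)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        result = apply_policy(policy, pkt)
        if result is not None:
            return result, policy
    return pkt, None


def example():
    """Constructed policies and packets (hypothetical names and addresses)."""
    policies = [
        StaticNatPolicy(100, "outbound", "Internet-1", "LAN_Zone", "Internet_Zone",
                        "10.0.1.0/24", "203.0.113.0/24"),
        StaticNatPolicy(10, "outbound", "Internet-1", "LAN_Zone", "Internet_Zone",
                        "10.0.1.5/32", "198.51.100.7/32"),
        StaticNatPolicy(20, "inbound", "Intranet-1", "Intranet_Zone", "LAN_Zone",
                        "172.16.0.0/24", "10.9.0.0/24"),
    ]
    packets = {
        "out_host":  Packet("Internet-1", "transmitted", "10.0.1.5", "192.0.2.80", "LAN_Zone", "Internet_Zone"),
        "out_other": Packet("Internet-1", "transmitted", "10.0.1.9", "192.0.2.80", "LAN_Zone", "Internet_Zone"),
        "reply":     Packet("Internet-1", "received", "192.0.2.80", "198.51.100.7", "Internet_Zone", "LAN_Zone"),
        "same_zone": Packet("Internet-1", "transmitted", "10.0.1.5", "10.0.2.5", "LAN_Zone", "LAN_Zone"),
        "in_partner": Packet("Intranet-1", "received", "172.16.0.3", "10.0.1.5", "Intranet_Zone", "LAN_Zone"),
        "in_reply":   Packet("Intranet-1", "transmitted", "10.0.1.5", "10.9.0.3", "LAN_Zone", "Intranet_Zone"),
    }
    return {name: translate(policies, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (pkt, policy) in example().items():
        print(f"{name:10} -> {pkt.src} > {pkt.dst}  policy={policy.priority if policy else None}")
```

In the run, host 10.0.1.5 leaves through the priority-10 /32 policy as 198.51.100.7 while 10.0.1.9 falls through to the /24 policy and becomes 203.0.113.9; the Internet reply to 198.51.100.7 is mapped back to 10.0.1.5; the packet whose source and destination share a zone is left untouched with no policy recorded; and the inbound policy on the Intranet service rewrites the partner's source 172.16.0.3 to 10.9.0.3 on the way in and the LAN's destination 10.9.0.3 back to 172.16.0.3 on the way out.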

Monitoring

To monitor NAT, navigate to Monitoring > Firewall Statistics > Connections. For each connection, the listing shows whether NAT was applied.


To see the inside-to-outside IP address mapping for a connection, click Post-Route NAT under Related Objects, or navigate to Monitoring > Firewall Statistics > NAT policies.


Logs

NAT activity is recorded in the firewall logs. To log NAT traffic, create a firewall policy that matches your NAT policy and ensure that logging is enabled on that firewall filter.


Navigate to Logging/Monitoring > Log Options, select SDWAN_firewall.log, and click View Log.


The NAT connection details are displayed in the log file.

