Dynamic NAT is a many-to-one mapping of a private IP address or subnets inside the SD-WAN network to a public IP address or subnet outside the SD-WAN network. The traffic from different zones and subnets over trusted (inside) IP addresses in the LAN segment is sent over a single public (outside) IP address.
Dynamic NAT types
Dynamic NAT does Port Address Translation (PAT) along with IP address translation. Port numbers are used to distinguish which traffic belongs to which inside IP address. A single public IP address is used for all internal private IP addresses, but a different port number is assigned to each private IP address. PAT is a cost-effective way to allow multiple hosts to connect to the Internet using a single public IP address.
- Port Restricted: Port Restricted NAT uses the same outside port for all translations related to an Inside IP Address and Port pair. This mode is typically used to allow Internet P2P applications.
- Symmetric: Symmetric NAT uses the same outside port for all translations related to an Inside IP Address, Inside Port, Outside IP Address, and Outside Port tuple. This mode is typically used to enhance security or expand the maximum number of NAT sessions.
Inbound and Outbound NAT
The direction for a connection can either be inside to outside or outside to inside. When a NAT rule is created, it is applied to both the directions depending on the direction match type.
- Outbound: The destination address is translated for packets received on the service. The source address is translated for packets transmitted on the service. Outbound dynamic NAT is supported on Local, Internet, Intranet, and Inter-routing domain services. For WAN services such as Internet and Intranet services, the configured WAN link IP address is dynamically chosen as the outside IP address. For Local and Inter-routing domain services, provide an outside IP address. The Outside zone is derived from the selected service. A typical use case of outbound dynamic NAT is to simultaneously allow multiple users in your LAN to securely access the internet using a single Public IP address.
- Inbound: The source address is translated for packets received on the service. The destination address is translated for packets transmitted on the service. Inbound dynamic NAT is not supported on WAN services such as Internet and Intranet; an explicit audit error indicates this. Inbound dynamic NAT is supported on Local and Inter-routing domain services only. Provide an outside zone and the outside IP address to be translated to. A typical use case for inbound dynamic NAT is to allow external users to access email or web servers hosted in your private network.
Configure Dynamic NAT Policies
To configure Dynamic NAT policies, in the Configuration Editor, navigate to Connections > Firewall > Dynamic NAT Policies.
- Priority: The order in which the policy is applied among all the defined policies. Policies with a lower priority value are applied before policies with a higher priority value.
- Direction: The direction in which the traffic is flowing, from the perspective of the virtual interface or service. It can either be inbound or outbound traffic.
- Type: The type of dynamic NAT to perform, Port-restricted, or Symmetric.
- Service Type: The SD-WAN service types on which the dynamic NAT policy is applied. Inbound dynamic NAT is supported on Local and Inter-routing domain services. Outbound dynamic NAT is supported on Local, Internet, Intranet, and Inter-routing domain services.
- Service Name: Select a configured service name that corresponds to the Service Type.
- Inside Zone: The Inside firewall zone match-type that the packet must be from to allow translation.
- Outside Zone: For inbound traffic, specify the outside firewall zone match-type that the packet must be from to allow translation.
- Inside IP address: The inside IP address and prefix that is translated if the match criteria are met. Enter '*' to indicate any inside IP address.
- Outside IP address: The outside IP address and prefix that the inside IP address is translated to if the match criteria are met. For outbound traffic using Internet and Intranet services, the configured WAN link IP address is dynamically chosen as the outside IP address.
- Allow Related: Allow traffic related to the flow matching the rule. For example, ICMP redirection related to the specific flow that matched the policy, if there was some type of error related to the flow.
- IPsec Pass through: Allow an IPsec (AH/ESP) session to be translated.
- GRE/PPTP Pass through: Allow a GRE/PPTP session to be translated.
- Port Parity: If enabled, outside ports for NAT connections maintain parity with the inside port (the outside port is even if the inside port is even, and odd if the inside port is odd).
- Bind Responder Route: Ensures that the response traffic is sent over the same service that it is received on, to avoid asymmetric routing.
Dynamic NAT with port forwarding allows you to forward specific traffic to a defined inside IP address. This is typically used for inside hosts such as web servers. Once the dynamic NAT policy is configured, you can define the port forwarding policies: configure dynamic NAT for IP address translation, then define a port forwarding policy to map an outside port to an inside port. Dynamic NAT port forwarding is typically used to allow remote hosts to connect to a host or server on your private network. For a more detailed use case, see Citrix SD-WAN Dynamic NAT explained.
- Protocol: TCP, UDP, or both.
- Outside Port: The outside port that is forwarded to the inside port.
- Inside IP address: The inside address to forward matching packets.
- Inside Port: The inside port that the outside port is forwarded to.
- Fragments: Allow the forwarding of fragmented packets.
- Log Interval: Time in seconds between logging the number of packets matching the policy to a syslog server. The default log interval value of 0 means no logging.
- Log Start: If selected, a new log entry is created for the new flow.
- Log End: Log the data for a flow when the flow is deleted.
- Track: Bidirectional connection state tracking is performed on TCP, UDP, and ICMP packets matching the rule. This feature blocks flows that appear illegitimate because of asymmetric routing, checksum failure, or failed protocol-specific validation. The state details are displayed under Monitoring > Firewall > Connections.
- No Tracking: Bidirectional connection state tracking is not performed on packets matching the rule.
Every port forwarding rule has a parent NAT rule. The outside IP address is taken from the parent NAT rule.
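The following Python model is an added illustration, not Citrix SD-WAN code, of the behaviour described in the two sections above: the Port Restricted and Symmetric PAT modes, the Port Parity option, and a child port forwarding rule that takes its outside IP address from its parent dynamic NAT rule. All class and method names, the port range, and the sample addresses are assumptions chosen for the example.

```python
# Toy model of a dynamic NAT (PAT) rule with the two modes described above,
# the Port Parity option, and child port-forwarding entries. Names are
# assumed for illustration; this is not the Citrix SD-WAN implementation.

class DynamicNatRule:
    def __init__(self, outside_ip, mode, port_parity=False, first_port=10000):
        if mode not in ("port-restricted", "symmetric"):
            raise ValueError("mode must be 'port-restricted' or 'symmetric'")
        self.outside_ip = outside_ip
        self.mode = mode
        self.port_parity = port_parity
        self._next_port = first_port
        self.translations = {}   # translation key -> allocated outside port
        self.port_forwards = {}  # (protocol, outside port) -> (inside ip, inside port)

    def _key(self, src_ip, src_port, dst_ip, dst_port):
        # Port Restricted: one outside port per inside (ip, port) pair, reused
        # for every destination. Symmetric: one outside port per full 4-tuple.
        if self.mode == "port-restricted":
            return (src_ip, src_port)
        return (src_ip, src_port, dst_ip, dst_port)

    def _allocate_port(self, inside_port):
        port = self._next_port
        if self.port_parity and port % 2 != inside_port % 2:
            port += 1            # keep the outside port's parity equal to the inside port's
        if port > 65535:
            raise RuntimeError("outside port range exhausted")
        self._next_port = port + 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside-to-outside packet; returns (outside ip, outside port)."""
        key = self._key(src_ip, src_port, dst_ip, dst_port)
        if key not in self.translations:
            self.translations[key] = self._allocate_port(src_port)
        return (self.outside_ip, self.translations[key])

    def add_port_forward(self, protocol, outside_port, inside_ip, inside_port):
        """Child port forwarding rule; the outside IP comes from this parent rule."""
        self.port_forwards[(protocol, outside_port)] = (inside_ip, inside_port)

    def inbound(self, protocol, dst_ip, dst_port):
        """Map an outside-to-inside packet through a port forwarding entry, or None."""
        if dst_ip != self.outside_ip:
            return None
        return self.port_forwards.get((protocol, dst_port))
```

Running the same inside host and port against two different destinations shows the difference between the modes: the port-restricted rule reuses one outside port, while the symmetric rule allocates a second one.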
Auto-created Dynamic NAT policies
Dynamic NAT policies for the Internet service are auto created in the following cases:
- Configuring internet service on an untrusted interface (WAN link).
- Enabling internet access for all routing domains on a single WAN link. For more details, see Configure firewall segmentation.
- Configuring DNS forwarders or DNS proxy on SD-WAN. For more details, see Domain name system.
To monitor dynamic NAT, navigate to Monitoring > Firewall Statistics > Connections. For each connection, you can see whether NAT was applied.
To further see the inside IP address to outside IP address mapping, click Pre-Route NAT or Post-route NAT under Related Objects or navigate to Monitoring > Firewall Statistics > NAT policies.
The following screenshot shows the statistics for the Dynamic NAT rule of type symmetric and its corresponding port forwarding rule.
When a port forwarding rule is created, a corresponding firewall rule is also created.
You can see the filter policy statistics by navigating to Monitoring > Firewall Statistics > Filter Policies.
You can view logs related to NAT in firewall logs. To view logs for NAT, create a firewall policy that matches your NAT policy and ensure that logging is enabled on the firewall filter. NAT logs contain the following information:
- Date and time
- Routing domain
- IP protocol
- Source port
- Source IP address
- Translated IP address
- Translated port
- Destination IP address
- Destination port
To generate NAT logs, navigate to Logging/Monitoring > Log Options, select SDWAN_firewall.log, and click View Log.
The NAT connection details are displayed in the log file.