Configuring RNAT

Sep 01, 2016

In Reverse Network Address Translation (RNAT), the NetScaler appliance replaces the source IP addresses in the packets generated by the servers with public NAT IP addresses. By default, the appliance uses a Mapped IP address (MIP) as the NAT IP address. You can also configure the appliance to use a unique NAT IP address for each subnet. You can also configure RNAT by using Access Control Lists (ACLs). Use Source IP (USIP), Use Subnet IP (USNIP), and Link Load Balancing (LLB) modes affect the operation of RNAT. You can display statistics to monitor RNAT.

Note: The ephemeral port range for RNAT on the NetScaler appliance is 1024-65535.

You can use either a network address or an extended ACL as the condition for an RNAT entry:
  • Using a Network address. When you use a network address, RNAT processing is performed on all of the packets coming from the specified network.
  • Using Extended ACLs. When you use ACLs, RNAT processing is performed on all packets that match the ACLs. To configure the NetScaler appliance to use a unique IP address for traffic that matches an ACL, you must perform the following three tasks:
    1. Configure the ACL.
    2. Configure RNAT to change the source IP address and Destination Port.
    3. Apply the ACL.

    The following diagram illustrates RNAT configured with an ACL.

    Figure 1. RNAT with an ACL


You have the following basic choices for the type of NAT IP address:
  • Using a MIP or SNIP as the NAT IP Address. When using a MIP as the NAT IP address, the NetScaler appliance replaces the source IP addresses of server-generated packets with a MIP. Therefore, the MIP address must be a public IP address. If Use Subnet IP (USNIP) mode is enabled, the NetScaler can use a subnet IP address (SNIP) as the NAT IP address.
  • Using a Unique IP Address as the NAT IP Address. When using a unique IP address as the NAT IP address, the NetScaler appliance replaces the source IP addresses of server-generated packets with the unique IP address specified. The unique IP address must be a public NetScaler-owned IP address. If multiple NAT IP addresses are configured for a subnet, NAT IP selection uses the round robin algorithm.

    This configuration is illustrated in the following diagram.

    Figure 2. Using a Unique IP Address as the NAT IP Address


Creating an RNAT Entry

Updated: 2013-08-28

The following instructions provide separate command-line procedures for creating RNAT entries that use different conditions and different types of NAT IP addresses. In the configuration utility, all of the variations can be configured in the same dialog box, so there is only one procedure for configuration utility users.

To create an RNAT entry by using the command line interface

At the command prompt, type one of the following commands, depending on the condition and the type of NAT IP address the entry should use:

  • A network address as the condition and a MIP or SNIP as the NAT IP address:
    set rnat <IPAddress> <netmask>
  • A network address as the condition and a unique IP address as the NAT IP address:
    set rnat <IPAddress> <netmask> -natIP <NATIPAddress>
  • An ACL as the condition and a MIP or SNIP as the NAT IP address:
    set rnat <aclname> [-redirectPort <port>]
  • An ACL as the condition and a unique IP address as the NAT IP address:
    set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress>

Use the following command to verify the configuration:

  • show rnat

Examples

 
A network address as the condition and a MIP or SNIP as the NAT IP address:

> set rnat 192.168.1.0 255.255.255.0
 Done

A network address as the condition and a unique IP address as the NAT IP address:

> set rnat 192.168.1.0 255.255.255.0 -natip 10.102.29.50
 Done

If instead of a single NAT IP address you specify a range, RNAT entries are created with all the NetScaler-owned IP addresses, except the NSIP, that fall within the range specified:

> set rnat 192.168.1.0 255.255.255.0 -natIP 10.102.29.[50-110]
 Done

An ACL as the condition and a MIP or SNIP as the NAT IP address:

> set rnat acl1
 Done

An ACL as the condition and a unique IP address as the NAT IP address:

> set rnat acl1 -natIP 209.165.202.129
 Done

If instead of a single NAT IP address you specify a range, RNAT entries are created with all the NetScaler-owned IP addresses, except the NSIP, that fall within the range specified:

> set rnat acl1 -natIP 10.102.29.[50-70]
 Done


To create an RNAT entry by using the configuration utility

  1. Navigate to System > Network > Routes > RNAT.
  2. In the Action list, select Configure RNAT.

Monitoring RNAT

Updated: 2013-09-27

You can display RNAT statistics to troubleshoot issues related to IP address translation.

To view RNAT statistics by using the command line interface

At the command prompt, type:

stat rnat

Example

 
> stat rnat 
 
RNAT summary 
                               Rate (/s)            Total 
Bytes Received                   0                    0 
Bytes Sent                       0                    0 
Packets Received                 0                    0 
Packets Sent                     0                    0 
Syn Sent                         0                    0 
Current RNAT sessions           --                    0 
 Done 
> 

The following table describes the statistics associated with RNAT and RNAT IP.

Table 1. RNAT Statistics

Statistic              Description
Bytes received         Bytes received during RNAT sessions
Bytes sent             Bytes sent during RNAT sessions
Packets received       Packets received during RNAT sessions
Packets sent           Packets sent during RNAT sessions
Syn sent               Requests for connections sent during RNAT sessions
Current sessions       Currently active RNAT sessions

To monitor RNAT by using the configuration utility

Navigate to System > Network > Routes > RNAT, and click Statistics.

RNAT in USIP, USNIP, and LLB Modes

Updated: 2013-12-18

Before configuring an RNAT rule, consider the following points:
  • When RNAT and Use Source IP (USIP) are both configured on the NetScaler appliance, RNAT takes precedence: the source IP address of any packet that matches an RNAT rule is replaced according to the setting in that RNAT rule.
  • When RNAT and Use SNIP (USNIP) are both configured on the NetScaler appliance, the source IP address is selected according to the state of USNIP, as follows:
    • If USNIP is off, the NetScaler appliance uses the mapped IP addresses.
    • If USNIP is on, the NetScaler uses a SNIP address as the NAT IP address.

This behavior does not apply when a unique NAT IP address is used.

In a topology where the NetScaler appliance performs both Link Load Balancing (LLB) and RNAT for traffic originating from the server, the appliance selects the source IP address based on the router. The LLB configuration determines selection of the router. For more information about LLB, see "Link Load Balancing."

Configuring RNAT for IPv6 Traffic

Updated: 2013-10-31

Reverse Network Address Translation (RNAT) rules for IPv6 packets are called RNAT6s. When an IPv6 packet generated by a server matches the conditions specified in the RNAT6 rule, the appliance replaces the source IPv6 address of the IPv6 packet with a configured NAT IPv6 address before forwarding it to the destination. The NAT IPv6 address is one of the NetScaler owned SNIP6 or VIP6 addresses.

When configuring an RNAT6 rule, you can specify either an IPv6 prefix or an ACL6 as the condition:
  • Using an IPv6 prefix. When you use an IPv6 prefix, the appliance performs RNAT processing on those IPv6 packets whose source IPv6 address matches the prefix.
  • Using ACL6s. When you use an ACL6, the appliance performs RNAT processing on those IPv6 packets that match the conditions specified in the ACL6.

You have the following options for setting the NAT IP address:

  • Specify a set of NetScaler owned SNIP6 and VIP6 addresses for an RNAT6 rule. The NetScaler appliance uses any one of the IPv6 addresses from this set as a NAT IP address for each session. The selection is based on the round robin algorithm and is done for each session.
  • Do not specify any NetScaler owned SNIP6 or VIP6 address for an RNAT6 rule. The NetScaler appliance uses any one of the NetScaler owned SNIP6 or VIP6 addresses as a NAT IP address. The selection is based on the next hop network to which an IPv6 packet that matches the RNAT rule is destined.

To create an RNAT6 rule by using the command line interface

At the command prompt, to create the rule and verify the configuration, type:
  • add rnat6 <name> (<network> | (<acl6name> [-redirectPort <port>]))
  • bind rnat6 <name> <natIP6>@ ...
  • show rnat6

To modify or remove an RNAT6 rule by using the command line interface

  • To modify an RNAT6 rule whose condition is an ACL6, type the set rnat6 <name> command, followed by a new value for the redirectPort parameter.
  • To remove an RNAT6 rule, type the clear rnat6 <name> command.
  • To verify the configuration, type the show rnat6 command.

To configure an RNAT6 rule by using the configuration utility

Navigate to System > Network > Routes > RNAT6, and add a new RNAT6 rule, or edit an existing rule.

Logging Start Time and Connection Closure Reasons in RNAT Log Entries

For diagnosing or troubleshooting problems related to RNAT, the NetScaler appliance logs RNAT sessions whenever they are closed. 

A log message for an RNAT session consists of the following information:

  • NetScaler owned IP address (NSIP address or SNIP address) from which the log message is sourced
  • Time stamp of log creation
  • Protocol of the RNAT session
  • Source IP address
  • RNAT IP address
  • Destination IP address
  • Start time of the RNAT session
  • Closing time of the RNAT session
  • Total bytes sent by the NetScaler appliance for this RNAT session
  • Total bytes received by the NetScaler appliance for this RNAT session
  • Reason for closure of the RNAT session. The NetScaler appliance logs the closure reason for TCP RNAT sessions that do not use the appliance's TCP proxy (TCP proxy disabled). The following types of closure reasons are logged for TCP RNAT sessions:
    • TCP FIN. The RNAT session was closed because of a TCP FIN sent by either the source or destination device.
    • TCP RST. The RNAT session was closed because of a TCP Reset that was sent by either the source or destination device.
    • TIMEOUT. The RNAT session timed out.

The following are sample log entries for RNAT sessions; each is preceded by the type of entry.

Sample log entry for a UDP RNAT session.

Dec 1 15:28:12 <local0.info> 10.102.53.114 12/01/2015:15:28:12 GMT  0-PPE-0 : default UDP NAT_OTHERCONN_DELINK 154 0 :  Source 1.2.2.5:23431 - Destination 192.168.123.122:22 - NatIP 192.168.123.1:4045 - Destination 192.168.123.122:22 - Start Time 12/01/2015:15:26:58 GMT - Delink Time 12/01/2015:15:28:12 GMT - Total_bytes_send 2511 - Total_bytes_recv 3725

Sample log entry for a TCP RNAT session. The log entry shows that the session closed because of a TCP Reset.

Dec  1 15:29:59 <local0.info> 10.102.53.114 12/01/2015:15:27:59 GMT  0-PPE-0 : default TCP NAT_OTHERCONN_DELINK 152 0 :  Source 1.2.2.5:33826 - Destination 192.168.123.122:22 - NatIP 192.168.123.1:2384 - Destination 192.168.123.122:22 - Start Time 12/01/2015:15:27:40 GMT - Delink Time 12/01/2015:15:27:59 GMT - Total_bytes_send 2147 - Total_bytes_recv 3257 - Closure Reason TCP RST

Sample log entry for a TCP RNAT session. The log entry shows that the session timed out.

Dec  1 15:30:12 <local0.info> 10.102.53.114 12/01/2015:15:30:12 GMT  0-PPE-0 : default TCP NAT_OTHERCONN_DELINK 155 0 :  Source 1.2.2.5:64976 - Destination 192.168.123.115:22 - NatIP 192.168.123.1:19636 - Destination 192.168.123.115:22 - Start Time 12/01/2015:15:27:25 GMT - Delink Time 12/01/2015:15:30:12 GMT - Total_bytes_send 0 - Total_bytes_recv 0 - Closure Reason TIMEOUT
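As an added example (not part of the original documentation or of the NetScaler product), the following Python parses the delink record format described above and uses it for the task these logs exist for: mapping a NAT ip:port observed by an external party at a given instant back to the internal source ip:port. It assumes the field layout shown in the three sample entries; the names parse_rnat_log, RnatSession and find_internal_source are mine, and the sample lines are the page's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# The header ends "... 0-PPE-0 : default TCP NAT_OTHERCONN_DELINK 152 0 :  <fields>"; anchor on the first " : ".
HEADER_RE = re.compile(r" : (?P<partition>\S+) (?P<proto>\S+) (?P<event>\S+) \d+ \d+ :\s+(?P<fields>.*)$")
# Fields are "<Key> <value>" joined by " - "; Destination is repeated and Closure Reason is TCP-only.
FIELD_RE = re.compile(r"^(Source|Destination|NatIP|Start Time|Delink Time|"
                      r"Total_bytes_send|Total_bytes_recv|Closure Reason) (.+)$")
TS_FMT = "%m/%d/%Y:%H:%M:%S GMT"   # format of the Start Time / Delink Time values

@dataclass
class RnatSession:
    proto: str
    source: str          # internal ip:port before translation
    nat_ip: str          # NAT ip:port that the destination actually saw
    destination: str
    start: datetime
    end: datetime
    bytes_sent: int
    bytes_recv: int
    closure_reason: str  # "TCP FIN", "TCP RST", "TIMEOUT", or "" (UDP entries carry none)

def parse_rnat_log(line: str) -> RnatSession:
    m = HEADER_RE.search(line)
    if not m or m["event"] != "NAT_OTHERCONN_DELINK":
        raise ValueError(f"not an RNAT delink record: {line[:40]!r}")
    # Key -> value; the repeated Destination field simply overwrites itself with the same value
    kv = dict(f.groups() for f in (FIELD_RE.match(p.strip()) for p in m["fields"].split(" - ")) if f)
    return RnatSession(
        proto=m["proto"], source=kv["Source"], nat_ip=kv["NatIP"], destination=kv["Destination"],
        start=datetime.strptime(kv["Start Time"], TS_FMT), end=datetime.strptime(kv["Delink Time"], TS_FMT),
        bytes_sent=int(kv["Total_bytes_send"]), bytes_recv=int(kv["Total_bytes_recv"]),
        closure_reason=kv.get("Closure Reason", ""))

def find_internal_source(lines, nat_ip_port: str, when: datetime):
    """Attribute a NAT ip:port seen externally at instant `when` to the internal source ip:port."""
    for s in map(parse_rnat_log, lines):
        if s.nat_ip == nat_ip_port and s.start <= when <= s.end:
            return s.source
    return None   # no session held that NAT ip:port at that instant

# The three sample entries reproduced from the page (UDP, TCP closed by RST, TCP timed out).
SAMPLE_LINES = [
    "Dec 1 15:28:12 <local0.info> 10.102.53.114 12/01/2015:15:28:12 GMT  0-PPE-0 : default UDP NAT_OTHERCONN_DELINK 154 0 :  Source 1.2.2.5:23431 - Destination 192.168.123.122:22 - NatIP 192.168.123.1:4045 - Destination 192.168.123.122:22 - Start Time 12/01/2015:15:26:58 GMT - Delink Time 12/01/2015:15:28:12 GMT - Total_bytes_send 2511 - Total_bytes_recv 3725",
    "Dec  1 15:29:59 <local0.info> 10.102.53.114 12/01/2015:15:27:59 GMT  0-PPE-0 : default TCP NAT_OTHERCONN_DELINK 152 0 :  Source 1.2.2.5:33826 - Destination 192.168.123.122:22 - NatIP 192.168.123.1:2384 - Destination 192.168.123.122:22 - Start Time 12/01/2015:15:27:40 GMT - Delink Time 12/01/2015:15:27:59 GMT - Total_bytes_send 2147 - Total_bytes_recv 3257 - Closure Reason TCP RST",
    "Dec  1 15:30:12 <local0.info> 10.102.53.114 12/01/2015:15:30:12 GMT  0-PPE-0 : default TCP NAT_OTHERCONN_DELINK 155 0 :  Source 1.2.2.5:64976 - Destination 192.168.123.115:22 - NatIP 192.168.123.1:19636 - Destination 192.168.123.115:22 - Start Time 12/01/2015:15:27:25 GMT - Delink Time 12/01/2015:15:30:12 GMT - Total_bytes_send 0 - Total_bytes_recv 0 - Closure Reason TIMEOUT",
]
```

Because the appliance writes the record only when the session closes, a lookup for a still-open session finds nothing until its delink entry arrives; zero-byte TIMEOUT records such as the third sample are the ones worth counting per source host when reviewing these logs.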