Wired Networks

How to configure NAT pools on MAS 7.4 code.

Aruba Employee

Currently MAS supports only NAT that uses the IP address of the switch. NAT pools add the flexibility to perform source NAT and dual NAT without using the switch IP.


 The customer use case is to place trusted servers behind the MAS while hiding the private IPs of those servers from the outside. To perform a NAT action, the packet has to be processed in the slow path (software).


 As a result, NAT pools are associated with session ACLs. As of Release 7.3.0.0, session ACLs could be associated only with user-roles.


To support session ACLs for trusted users, to let trusted users communicate, and to make the NAT IP reachable by ping from outside, the ability to apply a session ACL on an RVI has been introduced.

 

  • The NAT action is supported in a session ACL.
  • A NAT pool can be used with the src-nat and dual-nat options.
  • A session ACL with a NAT pool is applied to the ingress RVI.
  • A session ACL with a destination NAT rule is applied to the egress RVI.
  • A TRAP rule programmed in TCAM traps packets requiring a NAT action to software.
  • 1:1 NAT mapping is supported.

Configuring NAT pool for source NAT action
 
 
(MAS) (config) #ip nat ?
pool                    Configure NAT pool
 
(MAS) (config) #ip nat pool ?
STRING                  Pool name
 
(MAS) (config) #ip nat pool NAT_pool1 ?
A.B.C.D                 Start of source NAT range
 
(MAS) (config) #ip nat pool NAT_pool1 192.168.1.10 ?
A.B.C.D                 End of source NAT range
 
(MAS) (config) #ip nat pool NAT_pool1 192.168.1.10 192.168.1.10 ?
A.B.C.D                 destination NAT IP address
<cr>
 
(MAS) (config) #ip nat pool NAT_pool1 192.168.1.10 192.168.1.15
 

Configuring NAT pool for dual NAT action
 
A pool configured with the dual NAT option changes both the source IP and the destination IP of the packet. For the reverse traffic to be handled, a session ACL that destination-NATs the returning packets must be present on the egress RVI.

 
 
(MAS) (config) #ip nat pool dual_nat_pool1 ?
A.B.C.D                 Start of source NAT range
(MAS) (config) #ip nat pool dual_nat_pool1 192.168.1.10 ?
A.B.C.D                 End of source NAT range
(MAS) (config) #ip nat pool dual_nat_pool1 192.168.1.10 192.168.1.15 ?
A.B.C.D                 destination NAT IP address
<cr>
(MAS) (config) #ip nat pool dual_nat_pool1 192.168.1.10 192.168.1.15 172.16.10.1
 
Configuration of session ACL  with NAT pool.
 
Session ACL with src-nat pool
(MAS) (config) #ip access-list session POS-ACL
(MAS) (config-sess-POS-ACL)#host 192.168.5.10 any any src-nat ?
pool                    Use NAT pool
<cr>
 
(MAS) (config-sess-POS-ACL)#host 192.168.5.10 any any src-nat pool ?
STRING                  pool name
 
(MAS) (config-sess-POS-ACL)#host 192.168.5.10 any any src-nat pool NAT_pool1
Session ACL with dual-nat pool
(MAS) (config) #ip access-list session DUAL-NAT-ACL
(MAS) (config-sess-DUAL-NAT-ACL)#network 192.168.1.0 255.255.255.0 any any  dual-nat pool dual_nat_pool1
                                                                               
Session ACL with destination NAT rule
(MAS) (config) #ip access-list session OUTSIDE-ACL
(MAS) (config-sess-OUTSIDE-ACL)#any host 192.168.1.10 any dst-nat ip 192.168.5.10 log
(MAS) (config-sess-OUTSIDE-ACL)#any host 192.168.1.11 any dst-nat ip 192.168.5.11 log
 
Ingress
----------
 
(MAS) (config) #interface vlan 100
(MAS) (vlan "100") #ip access-group session POS-ACL
(MAS) (vlan "100") #
(MAS) #show interface-config vlan 100
 
vlan "100"
----------
Parameter                   Value
---------                   -----
Interface OSPF profile      N/A
Interface PIM profile       N/A
Interface IGMP profile      N/A
Directed Broadcast Enabled  Disabled
Interface shutdown          Disabled
mtu                         1500
IP Address                  192.168.5.1/255.255.255.0
IP NAT Inside               Disabled
IPv6 Address                N/A
IPv6 link local Address     N/A
DHCP client                 Disabled
DHCP relay profile          N/A
Ingress ACL                 N/A
Session ACL                 POS-ACL
Interface description       N/A
 
Egress
---------
 
(MAS) (config) #interface vlan 200
(MAS) (vlan "200") #ip access-group session OUTSIDE-ACL
(MAS) (vlan "200") #
 
(MAS) #show interface-config vlan 200
 
vlan "200"
----------
Parameter                   Value
---------                   -----
Interface OSPF profile      N/A
Interface PIM profile       N/A
Interface IGMP profile      N/A
Directed Broadcast Enabled  Disabled
Interface shutdown          Disabled
mtu                         1500
IP Address                  192.168.1.1/255.255.255.0
IP NAT Inside               Disabled
IPv6 Address                N/A
IPv6 link local Address     N/A
DHCP client                 Disabled
DHCP relay profile          N/A
Ingress ACL                 N/A
Session ACL                 OUTSIDE-ACL
Interface description       N/A
 
 
 
(MAS) #show ip nat pool
NAT Pools
---------
Name            Start IP      End IP        DNAT IP      Flags
----            --------      ------        -------      -----
dual_nat_pool1  192.168.1.10  192.168.1.15  172.16.10.1  Static
NAT_pool1       192.168.1.10  192.168.1.15  0.0.0.0
 
 
(MAS) # show datapath session
 
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
Source IP/     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
Destination MAC
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
192.168.5.10    192.168.1.20    17   8211  8218   0/0     0 0   0   1/0/0       5    0      0      FSI
192.168.1.20    192.168.1.10    17   8218  8211   0/0     0 0   0   1/0/0       5    0      0      FNCI
 
 
For 1:1 NAT
  • Create a NAT pool that does source NAT and associate it with a session ACL.
  • Apply that session ACL on the RVI facing the private side.
  • Create a session ACL that destination-NATs the pool IP back to the desired host on the private side.
  • Apply this session ACL on the RVI facing the public side.
 
For Many to 1 NAT

  • Use the “ip nat inside” option, which replaces the source IP with the IP of the egressing RVI.
  • Or create a NAT pool with an IP that is different from the switch IP. Apply a session ACL with this NAT pool on the private-side RVI and enable session processing on the public-side RVI. This assumes that traffic is initiated from the private side. Reverse routes to reach the NATted IP must also be present.

 
Example for 1:1 NAT :
(MAS) (config) #ip nat pool nat_pool1 50.1.1.1 50.1.1.1
(MAS) (config) #netdestination nd1
(MAS) (config-dest) #host 10.1.1.10
(MAS) (config) #netdestination nd2
(MAS) (config-dest) #host 20.1.1.20
(MAS) (config) #ip access-list session inside_acl
(MAS) (config-sess-inside_acl)#alias nd1 alias nd2 any src-nat pool nat_pool1
(MAS) (config) #interface vlan 100
(MAS) (vlan "100") #ip access-group session inside_acl
(MAS) (config) #ip access-list session outside_acl
(MAS) (config-sess-outside_acl)#alias nd2 host 50.1.1.1 any dst-nat ip 10.1.1.10
(MAS) (config) #interface vlan 200
(MAS) (vlan "200") #ip access-group session outside_acl
(MAS) (vlan "200") #!
(MAS) #show datapath session | include 20.1.1.20
10.1.1.10       20.1.1.20      1    58    2048   0/0     0 0   1   0/0/0       5    0      0      FSCI
20.1.1.20       50.1.1.1        1    58    0        0/0     0 0   1   0/0/0       5    0      0      FNI
Example for Many to 1 NAT (the pool here holds ten addresses, 50.1.1.1 to 50.1.1.10, and the session table below shows each inside host translated to a distinct pool address):
(MAS) (config) #ip nat pool nat_pool1 50.1.1.1 50.1.1.10
(MAS) (config) #!
(MAS) (config) #netdestination nd1
(MAS) (config-dest) #network 10.1.1.0 255.255.255.0
(MAS) (config-dest) #!
(MAS) (config) #netdestination nd2
(MAS) (config-dest) #network 20.1.1.0 255.255.255.0
(MAS) (config-dest) #!
(MAS) (config) #ip access-list session inside_acl
(MAS) (config-sess-inside_acl)#alias nd1 alias nd2 any src-nat pool nat_pool1
(MAS) (config-sess-inside_acl)#!
(MAS) (config) #interface vlan 100
(MAS) (vlan "100") #ip access-group session inside_acl
(MAS) (vlan "100") #!
(MAS) (config) #interface vlan 200
(MAS) (vlan "200") #session-processing
(MAS) (vlan "200") #!
(MAS) #show datapath session
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index
 Source IP/     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
Destination MAC
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
20.1.1.20       50.1.1.10       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.9        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.8        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.7        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.6        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.5        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.4        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.3        17   63    63     0/0     0 0   0   0/0/0       e    0      0      FNY
20.1.1.20       50.1.1.2        17   63    63     0/0     0 0   0   0/0/0       f    0      0      FNY
20.1.1.20       50.1.1.1        17   63    63     0/0     0 0   0   0/0/0       f    0      0      FNY
10.1.1.10       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       f    0      0      FSC
10.1.1.11       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       f    0      0      FSC
10.1.1.14       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.15       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.12       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.13       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.18       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.16       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.19       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC
10.1.1.17       20.1.1.20       17   63    63     0/0     0 0   0   0/0/0       e    0      0      FSC

  • The “dynamic-srcnat” pool found on the controller is not supported on MAS. IP NAT Outside can be used as an alternative.
  • If a session ACL with a NAT pool is applied on the RVI and “ip nat inside” is also enabled, the NAT action is performed as per the NAT pool in the session ACL.
  • Why only 59 NAT pools are user-configurable:
      • Pool IDs always start at 1.
      • Pools 61-63 are used by the CP firewall.
      • Pool 64 is reserved and is used by every session that requires translation during session creation involving NAT.
      • The user may configure pools 1-60; among those, one is always used by dynamic-srcnat.
      • As a result, only 59 pools are user-configurable.

The configuration above shows NAT pools configured on MAS 7.4 code.

 

Here are the commands to verify.

show ip nat pool
show datapath session
show interface-config vlan <vlan-id>
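Added example (not part of the original article and not Aruba code): a small Python checker that turns the two verification commands above into an automated check for the 1:1 and many-to-1 procedures described earlier. It parses "show ip nat pool" and "show datapath session" output, pairs every source-NATted session (S flag) with its destination-NATted return session (N flag), and confirms that the translated address lies inside a configured pool. The sample output embedded below is constructed, modelled on the tables in this article (the UDP flow translated by NAT_pool1 and the ICMP echo translated by nat_pool1), not captured from a live switch; the column layout assumed for both tables is the one shown in the article.

```python
"""Check MAS NAT-pool translations from 'show ip nat pool' and
'show datapath session' output.  Added example; sample output is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample, modelled on the "show ip nat pool" table in the article.
NAT_POOL_OUTPUT = """\
NAT Pools
---------
Name            Start IP      End IP        DNAT IP      Flags
----            --------      ------        -------      -----
dual_nat_pool1  192.168.1.10  192.168.1.15  172.16.10.1  Static
NAT_pool1       192.168.1.10  192.168.1.15  0.0.0.0
nat_pool1       50.1.1.1      50.1.1.1      0.0.0.0
"""

# Constructed sample, modelled on the "show datapath session" tables in the article.
SESSION_OUTPUT = """\
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
Source IP/     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
Destination MAC
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
192.168.5.10    192.168.1.20    17   8211  8218   0/0     0 0   0   1/0/0       5    0      0      FSI
192.168.1.20    192.168.1.10    17   8218  8211   0/0     0 0   0   1/0/0       5    0      0      FNCI
10.1.1.10       20.1.1.20       1    58    2048   0/0     0 0   1   0/0/0       5    0      0      FSCI
20.1.1.20       50.1.1.1        1    58    0      0/0     0 0   1   0/0/0       5    0      0      FNI
"""


@dataclass(frozen=True)
class NatPool:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    dnat: Optional[ipaddress.IPv4Address]  # None when the DNAT column is 0.0.0.0

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass(frozen=True)
class Session:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int
    flags: str


def parse_nat_pools(text: str) -> List[NatPool]:
    """Pool rows are: name, start IP, end IP, DNAT IP and an optional Flags column."""
    row = re.compile(rf"^(\S+)\s+({IPV4})\s+({IPV4})\s+({IPV4})(?:\s+\S+)?\s*$")
    pools = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            name, start, end, dnat = m.groups()
            pools.append(NatPool(name, ipaddress.ip_address(start), ipaddress.ip_address(end),
                                 None if dnat == "0.0.0.0" else ipaddress.ip_address(dnat)))
    return pools


def parse_sessions(text: str) -> List[Session]:
    """Session rows start with an IPv4 address; the flags string is the last column."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and re.fullmatch(IPV4, cols[0]):
            sessions.append(Session(ipaddress.ip_address(cols[0]), ipaddress.ip_address(cols[1]),
                                    int(cols[2]), int(cols[3]), int(cols[4]), cols[-1]))
    return sessions


def _is_reverse(fwd: Session, rev: Session) -> bool:
    """rev is the return half of fwd: the peer becomes the source and, for TCP/UDP,
    the ports swap.  For ICMP only the addresses can be compared."""
    if rev.src != fwd.dst or rev.proto != fwd.proto:
        return False
    if fwd.proto in (6, 17):
        return rev.sport == fwd.dport and rev.dport == fwd.sport
    return True


def check_translations(pool_text: str, session_text: str) -> Tuple[Dict[str, Tuple[str, Tuple[str, ...]]], List[str]]:
    """Returns (mapping, problems).  mapping: inside IP -> (NAT IP, names of pools
    containing it).  problems: S sessions with no N return session, or whose NAT IP
    is in no pool (for example because 'ip nat inside' translated to the switch IP)."""
    pools, sessions = parse_nat_pools(pool_text), parse_sessions(session_text)
    mapping, problems = {}, []
    for fwd in (s for s in sessions if "S" in s.flags):
        rev = next((r for r in sessions if "N" in r.flags and _is_reverse(fwd, r)), None)
        if rev is None:
            problems.append(f"{fwd.src}->{fwd.dst}: no dest-NAT return session")
            continue
        names = tuple(p.name for p in pools if p.contains(rev.dst))
        if not names:
            problems.append(f"{fwd.src} translated to {rev.dst}, which is in no NAT pool")
            continue
        mapping[str(fwd.src)] = (str(rev.dst), names)
    return mapping, problems


if __name__ == "__main__":
    found, issues = check_translations(NAT_POOL_OUTPUT, SESSION_OUTPUT)
    for inside, (nat_ip, pool_names) in found.items():
        print(f"{inside} -> {nat_ip} via pool(s) {', '.join(pool_names)}")
    for issue in issues:
        print("PROBLEM:", issue)
```

Two caveats follow from the article's own output. The two pools in the article share the range 192.168.1.10 to 192.168.1.15, so the session table alone cannot tell which pool produced a translation; the checker therefore reports every pool whose range contains the NAT IP. In the many-to-1 table, all return sessions carry the same source and ports (20.1.1.20, 63/63), so pairing by 5-tuple is ambiguous there and the first N session is taken.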

 

 

Troubleshooting
-----------------------

Make sure the interface configuration and the NAT pool configuration are in place: show ip nat pool must list the pool, and show interface-config vlan <vlan-id> must show the session ACL bound to the intended RVI.

show ip nat pool and show datapath session are the useful commands for troubleshooting. In the session table, the S flag marks the source-NATted session and the N flag marks its destination-NATted return session.

 

 

Version history
Revision #:
1 of 1
Last update:
04-07-2015 01:30 PM