Environment : Tested with 220.127.116.11.
In order to protect the private IPs of trusted servers behind the MAS, traffic must be allowed to be initiated from either side (server-initiated outbound sessions and client-initiated inbound sessions). As of Release 18.104.22.168, session ACLs are supported on user-roles only. With Release 22.214.171.124, session ACLs will also be supported on trusted ports.
- Session ACL and stateless Ingress ACL cannot co-exist on an RVI.
- The intended use of session ACLs with NAT pools is for trusted ports. If a session ACL is configured on an RVI that has untrusted ports, the session ACL on the RVI takes precedence over the user-role ACLs.
- The “dynamic-srcnat” pool found on the controller is not supported on MAS.
- The maximum number of user-defined NAT pools is 59.
- NAT priority is:
i) User defined NAT via Session ACLs
- A NAT pool can be associated with either the src-nat or the dual-nat option of a session ACL rule.
- A session ACL with a NAT pool is applied to the ingress RVI.
- A session ACL with a destination NAT rule is applied to the egress RVI.
- A TRAP rule is programmed in the TCAM so that packets requiring a NAT action are punted to software (NAT is not performed in hardware).
- Case of 1:1 NAT mapping.
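As an added illustration, not configuration taken from the original page and not verified against a particular MAS release, the following sketch shows the shape of the two deployments described in the notes above: a session ACL that source-NATs through a user-defined pool bound to the ingress RVI, and a session ACL with a destination-NAT rule bound to the egress RVI. The pool name, ACL names, VLAN IDs and addresses are placeholders. The `src-nat pool`, `dual-nat pool` and `dst-nat ip` keywords follow ArubaOS session-ACL syntax; the `ip access-group ... session` form of binding the ACL to the RVI, and the use of `!` for comments, are assumptions to be checked against the command reference for your release.

```text
! User-defined NAT pool (placeholder addresses). The notes above cap these at 59 per switch.
ip nat pool trusted-srcnat 203.0.113.10 203.0.113.20

! Ingress RVI: session ACL that source-NATs sessions initiated by the trusted servers.
ip access-list session trusted-srcnat-acl
  any any any src-nat pool trusted-srcnat
  ! Alternative when both addresses must be rewritten with the same pool:
  ! any any any dual-nat pool trusted-srcnat

! Egress RVI: session ACL that destination-NATs inbound connections to a server's private IP
! (a 1:1 mapping of the public address to the private address for HTTPS).
ip access-list session trusted-dstnat-acl
  any host 203.0.113.10 svc-https dst-nat ip 10.10.10.10 443
  any any any permit

! Bind each ACL to its RVI (binding keyword is an assumption; verify for your release).
! Do not also bind a stateless ingress ACL on these RVIs: the two cannot co-exist.
interface vlan 10
  ip access-group session trusted-srcnat-acl
interface vlan 20
  ip access-group session trusted-dstnat-acl
```

Because the NAT action is performed in software via the TCAM TRAP rule, keep the NAT rules as specific as possible (for example, matching the service and host rather than `any any any`) so that only the flows that genuinely need translation are punted; everything else should fall through to a plain `permit` that stays in hardware.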