SD-WAN

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------

yes this is supported. obviously you need to have a separate pub IP address for that server that you want to do 1:1 NAT

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Jan 21, 2021 12:00 AM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------

Thanks Ariya, do I need to turn on proxy local ARP if I want to use 1:1 NAT?

------------------------------
Kenneth Tan
------------------------------

Original Message:
Sent: Jan 21, 2021 05:11 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

yes this is supported. obviously you need to have a separate pub IP address for that server that you want to do 1:1 NAT

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 12:00 AM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------

not to the best of my knowledge. but first test it without it and see

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Jan 21, 2021 05:16 PM
From: Kenneth Tan
Subject: VPNC for inbound NAT

Thanks Ariya, do I need to turn on proxy local ARP if I want to use 1:1 NAT?

------------------------------
Kenneth Tan

Original Message:
Sent: Jan 21, 2021 05:11 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

yes this is supported. obviously you need to have a separate pub IP address for that server that you want to do 1:1 NAT

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 12:00 AM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------

Hi Kenneth,

I have a branch gateway running in my home lab as my ISP router and have the need to forward some ports to internal resources. 
just check my blog post about it:

https://www.flomain.de/2020/01/port-forwarding-with-sd-branch/

BR
Florian

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
------------------------------

Original Message:
Sent: Jan 21, 2021 05:34 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

not to the best of my knowledge. but first test it without it and see

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 05:16 PM
From: Kenneth Tan
Subject: VPNC for inbound NAT

Thanks Ariya, do I need to turn on proxy local ARP if I want to use 1:1 NAT?

------------------------------
Kenneth Tan

Original Message:
Sent: Jan 21, 2021 05:11 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

yes this is supported. obviously you need to have a separate pub IP address for that server that you want to do 1:1 NAT

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 12:00 AM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------

If the public (it's not gateway interface IP) to private IP mapping is defined under Central - Devices - Gateway - Interface- Pool Management - Static 1:1 NAT, do I need need Dst-NAT in firewall policies, or just permit would do?

------------------------------
Kenneth Tan
------------------------------

Original Message:
Sent: Jan 23, 2021 07:11 AM
From: Florian Baaske
Subject: VPNC for inbound NAT

Hi Kenneth,

I have a branch gateway running in my home lab as my ISP router and have the need to forward some ports to internal resources. 
just check my blog post about it:

https://www.flomain.de/2020/01/port-forwarding-with-sd-branch/

BR
Florian

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de

Original Message:
Sent: Jan 21, 2021 05:34 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

not to the best of my knowledge. but first test it without it and see

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 05:16 PM
From: Kenneth Tan
Subject: VPNC for inbound NAT

Thanks Ariya, do I need to turn on proxy local ARP if I want to use 1:1 NAT?

------------------------------
Kenneth Tan

Original Message:
Sent: Jan 21, 2021 05:11 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

yes this is supported. obviously you need to have a separate pub IP address for that server that you want to do 1:1 NAT

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 12:00 AM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------

Just tested with 1:1 NAT defined, only permit is required in policies, dst-nat is no longer required.

------------------------------
Kenneth Tan
------------------------------

Original Message:
Sent: Jan 24, 2021 11:23 PM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If the public (it's not gateway interface IP) to private IP mapping is defined under Central - Devices - Gateway - Interface- Pool Management - Static 1:1 NAT, do I need need Dst-NAT in firewall policies, or just permit would do?

------------------------------
Kenneth Tan

Original Message:
Sent: Jan 23, 2021 07:11 AM
From: Florian Baaske
Subject: VPNC for inbound NAT

Hi Kenneth,

I have a branch gateway running in my home lab as my ISP router and have the need to forward some ports to internal resources. 
just check my blog post about it:

https://www.flomain.de/2020/01/port-forwarding-with-sd-branch/

BR
Florian

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de

Original Message:
Sent: Jan 21, 2021 05:34 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

not to the best of my knowledge. but first test it without it and see

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 05:16 PM
From: Kenneth Tan
Subject: VPNC for inbound NAT

Thanks Ariya, do I need to turn on proxy local ARP if I want to use 1:1 NAT?

------------------------------
Kenneth Tan

Original Message:
Sent: Jan 21, 2021 05:11 PM
From: Ariya Parsamanesh
Subject: VPNC for inbound NAT

yes this is supported. obviously you need to have a separate pub IP address for that server that you want to do 1:1 NAT

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Jan 21, 2021 12:00 AM
From: Kenneth Tan
Subject: VPNC for inbound NAT

If customer wanted to host a public accessible webserver behind the VPNC, I htink it will work if
1. using destination NAT policy - user hitting VPNC public IP on a particular port, this will be Dst-NAT to the webserver
2. have a public IP DMZ hosted by VPNC - user hit the public IP of the webserver, routed through and allowed in policy by the VPNC, the DMZ is just a separate internal network with public IP

I am not sure if VPNC can do inbound NAT like a typical Cisco/Juniper/etc firewall where a public IP is translated to private IP?

Thanks.

------------------------------
Kenneth Tan
------------------------------