Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add and Deploy NAT Policies

CSO supports source NAT, destination NAT, and static NAT. In addition, CSO supports persistent NAT depending on the type of source and destination address. In addition, during the addition of an SD-WAN on-premise spoke site and an enterprise hub site, you can trigger the automatic creation of source NAT rules for local breakout traffic. For more information about NAT in CSO, see NAT Policies Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

To add and deploy a NAT policy:

  1. Add the source NAT policy:
    1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears.

    2. Click the Add (+) icon.

      The Add NAT Policy page appears.

    3. Configure the NAT policy according to the guidelines in Table 1.
      Note:

      Fields marked with an asterisk (*) are mandatory.

    4. Click OK.

      You are returned to the NAT Policies page. After the NAT policy is added, a confirmation message is displayed.

      After you add the NAT policy, you can add one or more rules.

  2. You can add three types of NAT rules in CSO: source NAT, static NAT, destination NAT.

    • To add a source NAT rule:

      Note:

      If you don’t have a separate NAT device in your network and want traffic to break out directly from either an enterprise hub or an on-premise spoke site, you must have a source NAT policy for the hub site or the on-premise spoke site.

      If you enabled the automatic creation of source NAT rules during the addition of the site, CSO automatically creates the source NAT rules.

      1. Click the name of that NAT policy that you added.

        The NAT-Policy-Name page appears.

      2. Click Create > Source.

        The fields to be configured appear inline on the page.

      3. Configure the source NAT rule according to the guidelines in Table 2.

        Note:

        Fields marked with an asterisk (*) are mandatory.

      4. Click Save.

        A confirmation message appears at the top of the page when the source NAT rule is added successfully. The Undeployed field is incremented by one indicating that intents are pending deployment.

    • To add a static NAT rule:

      1. Click the name of that NAT policy that you added.

        The NAT-Policy-Name page appears.

      2. Click Create > Static.

        The fields to be configured appear inline on the page.

      3. Configure the static NAT rule according to the guidelines in Table 4.

        Note:

        Fields marked with an asterisk (*) are mandatory.

      4. Click Save.

        A confirmation message appears at the top of the page when the static NAT rule is added successfully. The Undeployed field is incremented by one indicating that intents are pending deployment.

    • To add a destination NAT rule:

      1. Click the name of that NAT policy that you added.

        The NAT-Policy-Name page appears.

      2. Click Create > Destination.

        The fields to be configured appear inline on the page.

      3. Configure the destination NAT rule according to the guidelines in Table 6.

        Note:

        Fields marked with an asterisk (*) are mandatory.

      4. Click Save.

        A confirmation message appears at the top of the page when the destination NAT rule is added successfully. The Undeployed field is incremented by one indicating that intents are pending deployment.

    After adding the NAT rules, you must deploy the rules to the sites with which the NAT policy is associated.

  3. Click Deploy. (Alternatively, you can trigger the deployment from the NAT Policies page by selecting the policy and clicking Deploy).

    The Deploy page appears displaying the name of the policy to be deployed.

  4. From the Choose Deployment Time field, select:

    • Run now to deploy the policy immediately.

    • Schedule at a later time to schedule the deployment for later.

      If you schedule the deployment for later, enter the date (in MM/DD/YYYY format) and time (in HH:MM:SS 24-hour or AM/PM format) that you want the deployment to occur. You specify the time in the local time zone of the client from which you access the CSO GUI.

    You are returned to the previous page and a job to deploy the policy is triggered. You can check the status of the deployment on the Jobs page (Monitor > Jobs). When the job completes successfully, it means that the NAT policy was deployed.

Table 1: Add NAT Policy Settings

Field

Guideline

Name

Enter the name of NAT policy. The name can contain alphanumeric characters, colons, periods, hyphens, and underscores. No spaces are allowed and the maximum length is 255 characters.

Description

Enter a description for the NAT policy.

Manage Auto-Proxy ARP

Click the toggle button to enable or disable automatic proxy Address Resolution Protocol (ARP). This field is disabled by default.

Typically, when an interface receives an ARP request, it responds with its MAC address only then the ARP request corresponds to the interface’s IP address. However, when you enable this field, the interface also acts as a proxy and responds to ARP requests for IP addresses other than its own.

Note:

Proxy ARP management applies to translated addresses in a source NAT rule or to a destination address in a destination NAT rule:

  • When you add a source NAT rule with pool-based translation, the address pool assigned must be in the same subnet as the outgoing interface selected.

  • When you add a destination NAT rule, the external WAN interface can be a proxy for another IP address in the same subnet as the original IP address of the interface.

Sites Applied On

Select the sites on which you want to apply the NAT policy and click the right arrow (>).

Sequence No.

Click Select Policy Sequence link if you want to reorder this NAT policy among the existing NAT policies. If you deploy more than one NAT policy on a site, the policy sequence number determines the order in which the policies (and therefore the NAT rules) are deployed.

The Select Policy Sequence page appears, displaying all NAT policies. Select the policy you want to reorder and click Move Policy Up or Move Policy Down to reorder your NAT policy among the existing policies.
Table 2: Add Source NAT Rule

Field

Guideline

Name

You can use the default name (that CSO generates automatically) for the NAT rule or enter a unique name.

Description

Enter a description for the NAT rule.

Source

Specify one or more of the following source endpoints:

  • Address

  • Port: To specify a port, type Port and press Tab, enter the port number, and press Enter.

  • Zone

  • Routing instance

  • Protocols

  • Interface

  • VRF Group

Note:

You must specify at least one zone, interface, or VRF group as a source endpoint and specify at least one address for the source or destination endpoints.

Destination

Specify one or more of the following destination endpoints:

  • Address

  • Service

  • Zone

  • Routing instance

  • Protocols

  • Interface

  • VRF Group

Note:

You must specify at least one zone, interface, or VRF group as a destination endpoint and specify at least one address for the source or destination endpoints.

Translation

Select the type of translation to apply to the traffic:

  • None—Don’t perform any translation.

  • Interface—Perform interface-based translation.

  • Pool—Perform pool-based translation. If you select this option, you must specify an address pool by clicking inside the text box adjacent to the list and selecting a NAT pool.

[Advanced Settings]

If you selected interface or pool as the translation type, you can specify additional settings by clicking the gear icon. The Advanced Settings page appears. See Table 3for an explanation of the fields.
Table 3: Advance Settings for Source NAT Rule

Field

Description

Translation Type

Persistent

Click the toggle button to enable persistence, which ensures that all requests from the same internal transport address are mapped to the same reflexive transport address.

Note:

For persistence to be applicable for the NAT policy, ensure that port overloading is turned off for the device to which the NAT policy is applicable. Use the following command to turn off port overloading for a device:

[Edit mode]
set security nat source interface port-overloading off

Interface

Pool

Persistent NAT Type

Select the type of persistent NAT mapping to use:

  • Permit any remote host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. (The reflexive transport address is the public IP address and port created by the NAT device closest to the STUN server.) Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

  • Permit target host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address.

  • Permit target host port—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address and port.

Interface

Pool

Inactivity Timeout

Enter the period (in seconds) for which the persistent NAT binding remains in the device’s memory when all the sessions of the binding entry have ended. When the configured timeout is reached, the binding is removed from memory.

Range: 60 through 7,200 seconds.

Default: 60 seconds.

Interface

Pool

Maximum Session Number

Enter the maximum number of sessions with which a persistent NAT binding can be associated.

For example, if the maximum session number of the persistent NAT rule is 2000, then a 2001st session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule.

Range: 8 through 65,536

Interface

Pool

Address Mapping

Allows requests from a specific internal IP address to be mapped to the same reflexive IP address (the public IP address created by the NAT device closest to the STUN server); internal and external ports can be any ports. An external host using any port can send a packet to the internal host by sending the packet to the reflexive IP address (with a configured incoming policy that allows external to internal traffic).

If this option is not configured, the persistent NAT binding is for specific internal and reflexive transport addresses.

Pool

Pool Address

Displays the name of the NAT pool that you previously added. You cannot modify this field.

Pool

Host Address Base

Displays the base address of the original source IP address range for the NAT pool that you previously added. The host address base is used for IP address shifting.

You cannot modify this field.

Pool

Port Translation

Displays whether port translation is enabled or disabled for the NAT pool that you previously added.

You cannot modify this field.

Pool

Overflow Pool Type

Displays the source pool to be used when the address pool is exhausted.

You cannot modify this field.

Pool

Overflow Pool Name

Displays the name of the overflow pool.

You cannot modify this field.

Pool
Table 4: Add Static NAT Rule

Field

Guideline

Name

You can use the default name (that CSO generates automatically) for the NAT rule or enter a unique name.

Description

Enter a description for the NAT rule.

Source

Specify one or more of the following source endpoints:

  • Address

  • Zone

  • Routing instance

  • Interface

  • VRF Group

Note:

You must specify at least one zone, interface, or VRF group as a source endpoint.

Destination

Specify one or more of the following destination endpoints:

  • Address

    Note:

    You must specify at least one address as a destination endpoint.

  • Port: To specify a port, type Port and press Tab, enter the port number, and press Enter.

Translation

Select the type of translation to apply to the traffic:

  • Address—Perform address-based translations on the source or destination packet. If you choose this option, click inside the text box to specify the translation address.

  • Corresponding IPv4—Perform translation using the corresponding IPv4 address.

[Advanced Settings]

You can specify additional settings by clicking the gear icon. The Advanced Settings page appears. See Table 5 for an explanation of the fields.
Table 5: Advance Settings for Static NAT Rule

Field

Description

Translation Type

Mapped Port Type

Specify the type of port mapping to use:

  • Any—Allow any port with the translated address.

  • Port—Map to the port specified in the Port field.

  • Range—Map to the port range specified in the Start and End fields.

Address

Routing Instance

Select the routing instance to use for NAT or select None not to use a routing instance.

Note:

If you’re configuring the NAT policy for a site with SD-WAN capability, then you must select the routing instance corresponding to the translation address

Address

Overlapping IPv4 Address

Port

Enter the port number to be used for port mapping.

Range: 0 through 65,535.

Address

Start

Enter the starting port number of the port range to be used for port mapping.

Range: 0 through 65,535.

Address

End

Enter the ending port number of the port range to be used for port mapping.

Range: 0 through 65,535.

Address
Table 6: Add Destination NAT Rule

Field

Guideline

Name

You can use the default name (that CSO generates automatically) for the NAT rule or enter a unique name.

Description

Enter a description for the NAT rule.

Source

Specify one or more of the following source endpoints:

  • Address

  • Zone

  • Routing instance

  • Interface

  • VRF Group

Note:

You must specify at least one zone, interface, or VRF group as a source endpoint.

Destination

Specify one or more of the following destination endpoints:

  • Address

    Note:

    You must specify at least one address as a destination endpoint.

  • Port: To specify a port, type Port and press Tab, enter the port number, and press Enter.

  • Service

Note:

When you add a destination NAT rule for traffic arriving on an interface that terminates a VPN link, the translation process might break the VPN link if the destination addressis specified only as the WAN-facing IP address of the interface.

For example, in the following NAT rule, any traffic destined to WAN IP address is translated to the destination pool, which breaks the functionality of the VPN link packets terminating on the interface.

[Any.Address] --> [Wan.IP] :: [Dest-Pool-1]

Therefore, we recommend that you specify both the address and port number as the destination endpoint:

[Any.Address] --> [Wan.IP + Port] :: [Dest-Pool-1]

Translation

Select the type of translation to apply to the traffic:

  • None—Don’t apply translation.

  • Pool—Perform pool-based translation. If you choose this option, click inside the text box and specify the NAT pool to use.

Note:

For sites with SD-WAN capability, the destination NAT pool selected must be configured with a site and a routing instance corresponding to the pool address.

For example, if a webserver with IP address IP-Addr-1 is running in the HR department of a site called Site-A. To add a destination NAT pool corresponding to this webserver IP address, you must specify the following mandatory fields while adding the NAT pool:

  • Address—IP-Addr-1.

  • Site: Site-A.

  • Routing Instance: natVR_HR.

See CSO Next-Generation Firewall (NFGW) Deployment Workflow.