Updated: October 6, 2022
This document describes the configuration to perform a static NAT from the service side VRF to the transport VRF on a Cisco IOS-XE SD-WAN Router.
Cisco IOS-XE SD-WAN devices on version 17.2.1 or later code must be used.
Cisco recommends that you have knowledge of these topics:
Cisco Software-Defined Wide Area Network (SD-WAN)
Network Address Translation (NAT)
The information in this document is based on these software and hardware versions.
C8000V version 17.6.3a
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In order to configure the Service to Transport Static NAT described in this document, this topology is used.
This configuration can be performed through the router CLI or through a vManage CLI Add-On template.
A NAT overload configuration is required:
ip nat inside source list nat-dia-vpn-hop-access-list interface <WAN Interface> overload
Configure a static NAT statement:
ip nat inside source static <inside local IP of server> <inside global IP of server> vrf <vrf server is in> egress-interface <WAN Interface>
Configure a route in the Virtual Routing and Forwarding (VRF) instance that routes egress traffic back to the global VRF:
ip nat route vrf <vrf of server> <inside global IP of server> 255.255.255.255 global
Enable NAT on the interface:
interface <WAN Interface>
 ip nat outside
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload
ip nat inside source static 192.168.173.5 172.18.123.213 vrf 10 egress-interface GigabitEthernet1
ip nat route vrf 10 172.18.123.213 255.255.255.255 global
interface GigabitEthernet1
 ip nat outside
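A static NAT of this kind makes a service-side host reachable from the transport side, so it is worth auditing which hosts are exposed and whether each entry has all of the pieces listed above. The following is an added example, not Cisco code: the function name audit_static_nat is hypothetical, the sample is built from the example values on this page, and the parser assumes the indentation used by show running-config output.

```python
import re

# Constructed sample: the example configuration from this page.
SAMPLE_CONFIG = """\
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload
ip nat inside source static 192.168.173.5 172.18.123.213 vrf 10 egress-interface GigabitEthernet1
ip nat route vrf 10 172.18.123.213 255.255.255.255 global
interface GigabitEthernet1
 ip nat outside
"""

# One pattern per command form shown in the configuration steps.
STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+) vrf (\S+) egress-interface (\S+)$")
ROUTE = re.compile(r"^ip nat route vrf (\S+) (\S+) 255\.255\.255\.255 global$")
OVERLOAD = re.compile(r"^ip nat inside source list \S+ interface (\S+) overload$")

def audit_static_nat(config):
    """Return one record per service-to-transport static NAT, listing missing pieces."""
    statics, routes, overload, outside = [], set(), set(), set()
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line ends any interface block
            current_if = line.split()[1] if line.startswith("interface ") else None
        elif current_if and line == "ip nat outside":
            outside.add(current_if)
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := ROUTE.match(line):
            routes.add(m.groups())
        elif m := OVERLOAD.match(line):
            overload.add(m.group(1))
    findings = []
    for local, global_ip, vrf, wan in statics:
        missing = []
        if wan not in overload:
            missing.append("NAT overload on " + wan)
        if (vrf, global_ip) not in routes:
            missing.append("ip nat route vrf %s %s" % (vrf, global_ip))
        if wan not in outside:
            missing.append("ip nat outside on " + wan)
        findings.append({"vrf": vrf, "inside_local": local,
                         "inside_global": global_ip, "wan": wan, "missing": missing})
    return findings

if __name__ == "__main__":
    for finding in audit_static_nat(SAMPLE_CONFIG):
        print(finding)
```

Each record names the exposed inside local address and its VRF, which gives a list of hosts whose inbound access from the transport side should be reviewed.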
Once the configuration is completed, the functionality can be verified with the command show ip nat translations.
cEdge#sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  172.18.123.213        192.168.173.5         ---                   ---
tcp  172.18.123.213:22     192.168.173.5:22      172.18.123.224:50708  172.18.123.224:50708
tcp  172.18.123.213:53496  192.168.173.5:53496   10.165.200.226:443    10.165.200.226:443
The output above shows that there are now successful NAT translations on the router. To test, an SSH session was performed to the PC itself from another device in the transport VRF.