L3 NAT
Network Address Translation (NAT) implementation
ConfigXML
Set the TCP/UDP flow inactive timeout to 15 minutes (900 seconds)
<!-- Flow inactive timeout in seconds: 900 s = 15 min, matching the heading above.
     reboot="no": the setting is applied without restarting the device (per attribute name).
     NOTE(review): the value lives under <log><netflow>, so it may govern how long an idle
     flow stays in the flow/NetFlow table rather than a separate NAT session lifetime;
     confirm against the engine documentation before relying on it as the NAT timeout. -->
<configSet reboot="no">
<log>
<netflow>
<inactive_timeout>900</inactive_timeout>
</netflow>
</log>
</configSet>
NAT
inner: P6 10.10.1.1 10.10.1.0/24
outer: P7 192.168.1.151 gateway: 192.168.1.1
<!-- Basic source NAT.
     inner : P6, gateway address 10.10.1.1, private prefix 10.10.1.0/24
     outer : P7, public NAT address 192.168.1.151, next hop 192.168.1.1
     Naming used in <chain>: Pn = physical port, Fn = filter id n, On = output id n. -->
<run>
<!-- Inner-side gateway identity: the device answers ARP and ICMP echo for 10.10.1.1 on P6
     (by element name: arp_reply_default_mac / icmp_reply). -->
<action>
<port>P6</port>
<ip>10.10.1.1</ip>
<arp_reply_default_mac/>
<icmp_reply/>
</action>
<!-- Outer-side NAT address: the device answers ARP and ICMP echo for 192.168.1.151 on P7. -->
<action>
<port>P7</port>
<ip>192.168.1.151</ip>
<arp_reply_default_mac/>
<icmp_reply/>
</action>
<!-- F1 (outbound): any packet whose source is in the inner prefix. There is no destination
     constraint, so every inner host is translated regardless of where it is sending. -->
<filter id="1" sessionBase="no">
<or>
<find name="ip.src" relation="==" content="10.10.1.0/24"/>
</or>
</filter>
<!-- F2 (inbound): any packet on P7 addressed to the NAT address. -->
<filter id="2" sessionBase="no">
<or>
<find name="ip.dst" relation="==" content="192.168.1.151"/>
</or>
</filter>
<!-- O6 (return path to inner hosts): destination IP is rewritten from the NAT table
     (modify_dstip2nat); the inner host's MAC is resolved by ARP (arp_dstip_mac="yes")
     sent from 10.10.1.1 (arp_srcip).
     NOTE(review): this snippet does not show what happens to a P7 packet that matches F2 but
     has no NAT-table entry (e.g. an unsolicited inbound connection to 192.168.1.151);
     confirm the engine drops it rather than forwarding it toward P6. -->
<output id="6" arp_srcip="10.10.1.1" arp_dstip_mac="yes">
<port>P6</port>
<modify_src_default_mac/>
<modify_dstip2nat/>
</output>
<!-- O7 (outbound): source IP rewritten to 192.168.1.151 and forwarded via 192.168.1.1.
     nat="yes" presumably creates the translation entry that modify_dstip2nat in O6 consults;
     confirm. -->
<output id="7">
<port>P7</port>
<modify_src_default_mac/>
<modify_srcip nat="yes">192.168.1.151</modify_srcip>
<gateway>192.168.1.1</gateway>
</output>
<!-- P6 traffic matching F1 goes out through O7 (translate and send to the outer network). -->
<chain>
<in>P6</in>
<fid>F1</fid>
<out>O7</out>
</chain>
<!-- P7 traffic matching F2 goes out through O6 (untranslate and deliver to the inner host). -->
<chain>
<in>P7</in>
<fid>F2</fid>
<out>O6</out>
</chain>
</run>
NAT with the outer-side MTU set to 1480
inner: P6 10.10.1.1 10.10.1.0/24
outer: P7 192.168.1.151 gateway: 192.168.1.1
<!-- Same source-NAT setup as the basic example, plus an MTU clamp on the outer port.
     inner : P6, gateway address 10.10.1.1, private prefix 10.10.1.0/24
     outer : P7, public NAT address 192.168.1.151, next hop 192.168.1.1
     Naming used in <chain>: Pn = physical port, Fn = filter id n, On = output id n. -->
<run>
<!-- Inner-side gateway identity: answers ARP and ICMP echo for 10.10.1.1 on P6. -->
<action>
<port>P6</port>
<ip>10.10.1.1</ip>
<arp_reply_default_mac/>
<icmp_reply/>
</action>
<!-- Outer-side NAT address: answers ARP and ICMP echo for 192.168.1.151 on P7.
     icmp_reply_fragment_need mtu="1480": by element name, the device sends ICMP
     "Fragmentation Needed" (Path MTU Discovery) for packets exceeding 1480 bytes on this port.
     NOTE(review): only P7 carries the clamp; confirm whether oversized packets arriving on P6
     that must leave via P7 are handled by this element or need their own clamp. -->
<action>
<port>P7</port>
<ip>192.168.1.151</ip>
<arp_reply_default_mac/>
<icmp_reply/>
<icmp_reply_fragment_need mtu="1480"/>
</action>
<!-- F1 (outbound): any packet sourced from the inner prefix; no destination constraint. -->
<filter id="1" sessionBase="no">
<or>
<find name="ip.src" relation="==" content="10.10.1.0/24"/>
</or>
</filter>
<!-- F2 (inbound): any packet on P7 addressed to the NAT address. -->
<filter id="2" sessionBase="no">
<or>
<find name="ip.dst" relation="==" content="192.168.1.151"/>
</or>
</filter>
<!-- O6 (return path): destination IP restored from the NAT table; inner MAC resolved by ARP
     sent from 10.10.1.1. Behaviour for packets with no NAT-table entry is not shown here;
     confirm they are dropped. -->
<output id="6" arp_srcip="10.10.1.1" arp_dstip_mac="yes">
<port>P6</port>
<modify_src_default_mac/>
<modify_dstip2nat/>
</output>
<!-- O7 (outbound): source IP rewritten to 192.168.1.151, forwarded via 192.168.1.1. -->
<output id="7">
<port>P7</port>
<modify_src_default_mac/>
<modify_srcip nat="yes">192.168.1.151</modify_srcip>
<gateway>192.168.1.1</gateway>
</output>
<!-- P6 + F1 -> O7 (translate and send out). -->
<chain>
<in>P6</in>
<fid>F1</fid>
<out>O7</out>
</chain>
<!-- P7 + F2 -> O6 (untranslate and deliver inside). -->
<chain>
<in>P7</in>
<fid>F2</fid>
<out>O6</out>
</chain>
</run>
NAT with DNS traffic breakout
inner: P6
outer: P7
DNS breakout outer: P5 172.16.10.10, gateway: 192.16.10.1
<!-- DNS breakout. UDP/53 arriving on P6 is source-NATed out P5 (172.16.10.10); all other P6
     traffic is passed straight to P7, and P7 traffic straight to P6. Note that in this snippet
     the P6/P7 path carries no translation at all; only the DNS leg is NATed.
     Naming used in <chain>: Pn = physical port, Fn = filter id n, On = output id n. -->
<run>
<!-- Breakout-side address: answers ARP and ICMP echo for 172.16.10.10 on P5. -->
<action>
<port>P5</port>
<ip>172.16.10.10</ip>
<arp_reply_default_mac/>
<icmp_reply/>
</action>
<!-- F99 "dns query": UDP port 53. Only UDP is matched, so DNS over TCP (also port 53, used for
     large responses and zone transfers) is NOT broken out and takes the notmatch path to P7.
     NOTE(review): assumes udp.port matches either source or destination port; if so, inner
     traffic that merely uses source port 53 is also diverted to P5. Confirm. -->
<filter id="99" alt="dns query" sessionBase="no">
<or>
<find name="udp.port" relation="==" content="53"/>
</or>
</filter>
<!-- O5: out P5 with source IP rewritten to 172.16.10.10, forwarded via 172.16.10.1.
     NOTE(review): the heading above lists the gateway as 192.16.10.1; one of the two values is
     a typo. 172.16.10.1 is the plausible on-link next hop for 172.16.10.10; confirm. -->
<output id="5">
<port>P5</port>
<modify_src_default_mac/>
<modify_srcip nat="yes">172.16.10.10</modify_srcip>
<gateway>172.16.10.1</gateway>
</output>
<!-- O6 (return path for DNS replies): destination IP restored from the NAT table, inner MAC
     resolved by ARP. Unlike the basic NAT example, no arp_srcip is given and no <action>
     defines an address on P6 here; confirm which source address the ARP request uses. -->
<output id="6" arp_dstip_mac="yes">
<port>P6</port>
<modify_src_default_mac/>
<modify_dstip2nat/>
</output>
<!-- P6: if F99 matches -> O5 (breakout), otherwise (notmatch) -> P7 unmodified. -->
<chain>
<in>P6</in>
<fid type="and">F99</fid>
<out>O5</out>
<next type="notmatch">
<out>P7</out>
</next>
</chain>
<!-- P7 -> P6 unmodified (no filter, no translation). -->
<chain>
<in>P7</in>
<out>P6</out>
</chain>
<!-- P5 -> O6: DNS replies from the breakout side are untranslated and delivered inside.
     NOTE(review): no filter is applied on P5, so any packet arriving there reaches O6;
     confirm that packets without a NAT-table entry are dropped. -->
<chain>
<in>P5</in>
<out>O6</out>
</chain>
</run>