L3 NAT

Network Address Translation (NAT) implementation examples

ConfigXML

Set the TCP/UDP flow inactive timeout to 15 minutes (900 seconds)

<configSet reboot="no">
    <log>
        <netflow>
            <!-- Idle TCP/UDP flow records are expired after 900 s (15 min).
                 This element sits under <log><netflow>, i.e. it tunes flow logging.
                 NOTE(review): whether the same timer also governs the NAT session
                 table is not shown here; confirm before relying on it for NAT. -->
            <inactive_timeout>900</inactive_timeout>
        </netflow>
    </log>
</configSet>

NAT

  • inner: port P6, address 10.10.1.1, subnet 10.10.1.0/24

  • outer: port P7, address 192.168.1.151, gateway 192.168.1.1

<run>
    <!-- Inner-side presence: answer ARP and ICMP echo for 10.10.1.1 on P6
         (arp_reply_default_mac / icmp_reply), presumably so inner hosts can
         use this address as their default gateway. -->
    <action>
        <port>P6</port>
        <ip>10.10.1.1</ip>
        <arp_reply_default_mac/>
        <icmp_reply/>
    </action> 
    <!-- Outer-side presence for the NAT address 192.168.1.151 on P7. -->
    <action>
        <port>P7</port>
        <ip>192.168.1.151</ip>
        <arp_reply_default_mac/>
        <icmp_reply/>
    </action>
    <!-- F1: stateless (sessionBase="no") match on packets sourced from the inner subnet. -->
    <filter id="1" sessionBase="no">
        <or>
            <find name="ip.src" relation="==" content="10.10.1.0/24"/>
        </or>
    </filter>
    <!-- F2: stateless match on anything addressed to the NAT address.
         NOTE(review): this admits every external packet with that destination,
         not only replies to an existing translation. What modify_dstip2nat does
         with a packet that has no NAT entry is not shown here; verify that such
         packets are dropped rather than forwarded to the inner side. -->
    <filter id="2" sessionBase="no">
        <or>
            <find name="ip.dst" relation="==" content="192.168.1.151"/>
        </or>
    </filter>
    <!-- O6: return path to the inner side. Rewrites the source MAC, restores the
         inner destination IP from the NAT table (modify_dstip2nat, as the name
         suggests) and resolves the inner host's MAC by ARP sourced from 10.10.1.1. -->
    <output id="6" arp_srcip="10.10.1.1" arp_dstip_mac="yes">
        <port>P6</port>
        <modify_src_default_mac/>
        <modify_dstip2nat/>
    </output>
    <!-- O7: outbound path. Source-NATs to 192.168.1.151 and forwards via the gateway. -->
    <output id="7">
        <port>P7</port>
        <modify_src_default_mac/>
        <modify_srcip nat="yes">192.168.1.151</modify_srcip>
        <gateway>192.168.1.1</gateway>
    </output>
    <!-- Inner to outer: P6 ingress matching F1 leaves via O7 (SNAT). -->
    <chain>
        <in>P6</in>
        <fid>F1</fid>
        <out>O7</out>
    </chain>
    <!-- Outer to inner: P7 ingress matching F2 leaves via O6 (de-NAT). -->
    <chain>
        <in>P7</in>   
        <fid>F2</fid>
        <out>O6</out>
    </chain>   
</run>

NAT with an advertised MTU of 1480 (ICMP "fragmentation needed" on the outer port)

  • inner: port P6, address 10.10.1.1, subnet 10.10.1.0/24

  • outer: port P7, address 192.168.1.151, gateway 192.168.1.1

<run>
    <!-- Inner-side presence: answer ARP and ICMP echo for 10.10.1.1 on P6. -->
    <action>
        <port>P6</port>
        <ip>10.10.1.1</ip>
        <arp_reply_default_mac/>
        <icmp_reply/>
    </action> 
    <!-- Outer-side presence for the NAT address 192.168.1.151 on P7. -->
    <action>
        <port>P7</port>
        <ip>192.168.1.151</ip>
        <arp_reply_default_mac/>
        <icmp_reply/>
        <!-- Advertise a 1480-byte path MTU on the outer side by emitting ICMP
             "fragmentation needed" (ICMP type 3, code 4), presumably for
             oversized packets carrying the DF bit.
             NOTE(review): this only works if that ICMP message is not filtered
             between here and the sender; otherwise large DF packets are blackholed. -->
        <icmp_reply_fragment_need mtu="1480"/>
    </action>
    <!-- F1: stateless (sessionBase="no") match on packets sourced from the inner subnet. -->
    <filter id="1" sessionBase="no">
        <or>
            <find name="ip.src" relation="==" content="10.10.1.0/24"/>
        </or>
    </filter>
    <!-- F2: stateless match on anything addressed to the NAT address.
         NOTE(review): not limited to replies of an existing translation; confirm
         that modify_dstip2nat drops packets without a NAT entry. -->
    <filter id="2" sessionBase="no">
        <or>
            <find name="ip.dst" relation="==" content="192.168.1.151"/>
        </or>
    </filter>
    <!-- O6: return path to the inner side; de-NATs the destination IP and
         ARP-resolves the inner host using 10.10.1.1 as the ARP source. -->
    <output id="6" arp_srcip="10.10.1.1" arp_dstip_mac="yes">
        <port>P6</port>
        <modify_src_default_mac/>
        <modify_dstip2nat/>
    </output>
    <!-- O7: outbound path; SNAT to 192.168.1.151, next hop 192.168.1.1. -->
    <output id="7">
        <port>P7</port>
        <modify_src_default_mac/>
        <modify_srcip nat="yes">192.168.1.151</modify_srcip>
        <gateway>192.168.1.1</gateway>
    </output>
    <!-- Inner to outer: P6 ingress matching F1 leaves via O7. -->
    <chain>
        <in>P6</in>
        <fid>F1</fid>
        <out>O7</out>
    </chain>
    <!-- Outer to inner: P7 ingress matching F2 leaves via O6. -->
    <chain>
        <in>P7</in>   
        <fid>F2</fid>
        <out>O6</out>
    </chain>   
</run>

NAT with DNS breakout (UDP/53 redirected through a separate outer port)

  • inner: P6

  • outer: P7

  • dns breakout outer: port P5, address 172.16.10.10, gateway 172.16.10.1 (as in the `<gateway>` of output 5 below)

<run>
    <!-- Presence on the DNS breakout port: answer ARP and ICMP echo for 172.16.10.10 on P5.
         P6 and P7 carry no <action> or <ip> in this example, so the box appears to be
         transparent on those two ports. -->
    <action>
        <port>P5</port>
        <ip>172.16.10.10</ip>
        <arp_reply_default_mac/>
        <icmp_reply/>
    </action> 
    <!-- F99: stateless match on UDP port 53 (presumably source or destination;
         the field name does not say which).
         NOTE(review): only UDP/53 is matched. DNS over TCP (truncation fallback,
         large answers), DNS over TLS (853) and DNS over HTTPS (443) do not match
         and are passed straight through to P7 by the notmatch branch below. -->
    <filter id="99" alt="dns query" sessionBase="no">
        <or>
            <find name="udp.port" relation="==" content="53"/>
        </or>
    </filter> 
    <!-- O5: DNS egress via the breakout port; SNAT to 172.16.10.10, next hop 172.16.10.1. -->
    <output id="5">
        <port>P5</port>
        <modify_src_default_mac/>
        <modify_srcip nat="yes">172.16.10.10</modify_srcip>
        <gateway>172.16.10.1</gateway>
    </output>
    <!-- O6: DNS replies back to the inner side; de-NAT the destination IP and
         ARP-resolve the inner host. No arp_srcip here, unlike the basic NAT
         example, since P6 has no address in this setup. -->
    <output id="6" arp_dstip_mac="yes">
        <port>P6</port>
        <modify_src_default_mac/>
        <modify_dstip2nat/>  
    </output>
    <!-- P6 ingress: DNS (F99) leaves via O5; everything else is handed to P7.
         "P7" (a port, not an "O" output block) appears to mean raw forwarding
         with no MAC/IP rewrite, i.e. non-DNS traffic is bridged untouched. -->
    <chain>
        <in>P6</in>
        <fid type="and">F99</fid>
        <out>O5</out>
        <next type="notmatch">
            <out>P7</out>
        </next>
    </chain>
    <!-- P7 ingress: bridged back to P6 untouched (no filter, no output block). -->
    <chain>
        <in>P7</in>
        <out>P6</out>
    </chain>
    <!-- P5 ingress: handed to O6 for de-NAT.
         NOTE(review): unlike the P7 chain in the basic NAT example, there is no
         <fid> here, so every frame arriving on P5 (not just DNS replies addressed
         to 172.16.10.10) reaches O6. Consider gating it with a filter on
         ip.dst == 172.16.10.10 and udp.port == 53 and referencing it via <fid>,
         unless modify_dstip2nat is known to drop packets without a NAT entry. -->
    <chain>
        <in>P5</in>  
        <out>O6</out>
    </chain>
</run>
