SD-WAN


Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  NAT - Reach a Hosted Server

    Posted 01-21-2023 19:52
    Hello, 
    I have deployed an SSR in AWS and have some servers hosted behind the router. I am looking for some assistance configuring ingress NAT IP/port translation. My first attempt is trying to RDP from my office to a server behind the SSR - 

    Source = Office IP
    Destination = AWS Elastic IP:3389
    Translation to Server Private IP = 10.0.147.15:3389

    Here is the current config on the AWS SSR. Any assistance is appreciated. 

    config authority router ssr-aws-1 nat-pool prtg-rdp name prtg-rdp
    config authority router ssr-aws-1 nat-pool prtg-rdp address-pool 10.0.147.15/32 address 10.0.147.15/32

    config authority router ssr-aws-1 node node1 device-interface wan network-interface wan1 ingress-source-nat-pool prtg-rdp

    config authority router ssr-aws-1 service-route prtg-rdp name prtg-rdp
    config authority router ssr-aws-1 service-route prtg-rdp service-name prtg-rdp
    config authority router ssr-aws-1 service-route prtg-rdp nat-target 10.0.147.15

    config authority router ssr-aws-1 service-route prtg-rdp next-hop node1 lan1 node-name node1
    config authority router ssr-aws-1 service-route prtg-rdp next-hop node1 lan1 interface lan1
    config authority router ssr-aws-1 service-route prtg-rdp next-hop node1 lan1 source-nat-pool prtg-rdp

    config authority service prtg-rdp name prtg-rdp
    config authority service prtg-rdp security internal
    config authority service prtg-rdp transport tcp protocol tcp
    config authority service prtg-rdp transport tcp port-range 3389 start-port 3389
    config authority service prtg-rdp transport udp protocol udp
    config authority service prtg-rdp transport udp port-range 3389 start-port 3389
    config authority service prtg-rdp address 10.0.147.15
    config authority service prtg-rdp access-policy <mypublicIP> source <mypublicIP> 


    Thanks
    Ken

    ------------------------------
    Ken Pobst
    ------------------------------


  • 2.  RE: NAT - Reach a Hosted Server

    Posted 01-23-2023 13:33

    Hi Ken,

    It looks like your source NAT pool address is the same as the target NAT address for the application.  Those pool addresses are the source IPs that will be used for the NAT pool rather than destination.  You will need to choose pool addresses that reverse route back to the SSR from the workload.  Also note that AWS will filter source IPs that don't match the interface address unless source/dest check is disabled for the interface.


    It may be adequate to simply source NAT to the AWS interface address that is in the same subnet as the workload to avoid the need for AWS routes toward the SSR.  In this case, just enable source NAT on the interface toward the workload and remove the NAT pool configurations.  The only limitation is the number of ports available for traffic since only the interface address is used.

    Regards,
    Don



    ------------------------------
    Don Troshynski
    ------------------------------
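The mistake Don points out (a source-NAT pool whose address is the same as the service-route's nat-target) is easy to catch mechanically before pushing a config. The script below is an added example, not SSR tooling or anything from the thread's participants: it parses the flat "config authority ..." line style shown in Ken's post, pairs each service-route's source-nat-pool with its nat-target, and reports any route whose pool contains the target address. The sample input is Ken's config copied from the post; the regexes only understand the line shapes that appear there.

```python
"""Lint a flat SSR 'config authority ...' dump for a source-NAT pool that
reuses the service-route's nat-target address (example code added to this
thread; it only understands the flat key/value lines shown in the post)."""
import re
from collections import defaultdict

# Sample input: the NAT-related lines from the original post.
SAMPLE_CONFIG = """\
config authority router ssr-aws-1 nat-pool prtg-rdp name prtg-rdp
config authority router ssr-aws-1 nat-pool prtg-rdp address-pool 10.0.147.15/32 address 10.0.147.15/32
config authority router ssr-aws-1 node node1 device-interface wan network-interface wan1 ingress-source-nat-pool prtg-rdp
config authority router ssr-aws-1 service-route prtg-rdp name prtg-rdp
config authority router ssr-aws-1 service-route prtg-rdp service-name prtg-rdp
config authority router ssr-aws-1 service-route prtg-rdp nat-target 10.0.147.15
config authority router ssr-aws-1 service-route prtg-rdp next-hop node1 lan1 node-name node1
config authority router ssr-aws-1 service-route prtg-rdp next-hop node1 lan1 interface lan1
config authority router ssr-aws-1 service-route prtg-rdp next-hop node1 lan1 source-nat-pool prtg-rdp
"""

# Line shapes taken from the post; anything else is ignored.
POOL_ADDR = re.compile(r"router (\S+) nat-pool (\S+) address-pool (\S+) address (\S+)")
NAT_TARGET = re.compile(r"router (\S+) service-route (\S+) nat-target (\S+)")
ROUTE_POOL = re.compile(r"router (\S+) service-route (\S+) next-hop \S+ \S+ source-nat-pool (\S+)")


def parse(text):
    """Collect pool addresses, nat-targets and route->pool bindings."""
    pools = defaultdict(set)  # (router, pool name) -> set of addresses (no prefix length)
    targets = {}              # (router, route name) -> nat-target address
    route_pools = {}          # (router, route name) -> source-nat-pool name
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config authority "):
            continue
        if m := POOL_ADDR.search(line):
            pools[(m[1], m[2])].add(m[4].split("/")[0])
        elif m := NAT_TARGET.search(line):
            targets[(m[1], m[2])] = m[3]
        elif m := ROUTE_POOL.search(line):
            route_pools[(m[1], m[2])] = m[3]
    return pools, targets, route_pools


def find_pool_equals_target(text):
    """Return (router, route, address) for every service-route whose
    source-NAT pool contains the same address as its nat-target.
    Such a pool would stamp the workload's own address as the source,
    so return traffic never reverse-routes back to the SSR."""
    pools, targets, route_pools = parse(text)
    findings = []
    for (router, route), pool in route_pools.items():
        target = targets.get((router, route))
        if target and target in pools.get((router, pool), set()):
            findings.append((router, route, target))
    return findings


if __name__ == "__main__":
    for router, route, addr in find_pool_equals_target(SAMPLE_CONFIG):
        print(f"{router}: service-route {route} source-NAT pool reuses nat-target {addr}")
```

Run it against the dump from a "show config" export; an empty result means every source-NAT pool address differs from its route's target, which is the precondition for Don's advice that the pool address must reverse-route back to the SSR (and, on AWS, still be subject to the interface's source/destination check).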



  • 3.  RE: NAT - Reach a Hosted Server

    Posted 01-24-2023 09:32
    Hello Don,
    Thank you for the reply. I will update the NAT pool, and test. On your source NAT suggestion, if I'm understanding traffic going out the LAN interface would be NAT'd to the LAN interface IP on the same subnet as the server, so no routing is required in AWS. Without the NAT pool I am uncertain how to reach the LAN network from the Internet since the LAN and server are using private IPs. 

    Thank you again for your help, much appreciated. 


    Best regards, 
    Ken

    ------------------------------
    Ken Pobst
    ------------------------------