Starting with Alteon version 30.5.2.0, a new Smart NAT feature has been introduced.
This feature is related to LinkProof NG, and introduces a new centralized NAT table to simplify the NAT
configuration.
NAT is mainly used to translate a local private IP address to a public IP address for Internet access (and vice
versa – public to private translation for access from the Internet to local resources).
LinkProof NG is deployed on the edge of a network, and is used for load balancing WAN links. As a result, NAT is
usually required on the LinkProof NG device.
The Smart NAT table can contain entries of three NAT types: static NAT, dynamic NAT and no NAT. Each entry consists of:
Local address – The local (private) address or range to be translated. This can be configured as an address/subnet, a network class or Any (the Any keyword is
relevant only for dynamic NAT).
WAN link – The WAN link associated with the NAT entry.
NAT address – The NAT address to which the local address is mapped:
Because every entry is tied to a WAN link, Alteon selects the NAT address for a local IP address according to the WAN link chosen for the traffic,
so the same local address can be translated to a different NAT address on each WAN link.
Configuration
Example 1:
If you have large local subnets that need Internet access, but within these subnets a few local addresses need static NAT,
you do not need to split the ranges. You can configure the large range for dynamic NAT, and then the small range (or a few
small ranges) for static NAT. Even though the local addresses in the small static NAT range fall within the large dynamic NAT
range, they never match the dynamic entry, so there is no risk of a dynamic NAT address being used for a local address that
requires static NAT. This is because Alteon first looks for a static NAT match and only when none is found tries to match the
dynamic NAT entries.
Example 2:
There are some servers on the DMZ that have public IP addresses and do not need NAT. In addition, there are a few large
ranges of user IP addresses that require dynamic NAT. To simplify the configuration, the user defines a dynamic NAT entry with
the local address set to Any. This range also contains the DMZ servers, but the user can define no NAT entries for these
servers. Since no NAT entries are matched before dynamic NAT, these servers do not undergo NAT, while all other IP addresses
undergo dynamic NAT.
For Inbound Traffic:
. When a DNS request arrives at the Alteon DNS VIP, Alteon looks up the DNS name in the GSLB rules table. A
GSLB network, on which the local IP address is configured, is associated with the GSLB rule.
. When Alteon finds a match on the GSLB rule, it finds the associated GSLB network and, within that GSLB
network, the local IP address.
. Alteon then goes to the Smart NAT table and looks for entries that contain the local IP address (only among
the static NAT and no NAT entries; dynamic NAT entries are not used for inbound lookups).
. If it finds a match, it returns the NAT address, choosing among the matching entries according to the other parameters of
the GSLB rule (number of resource records, proximity and other metrics).
Currently, the Active/Backup response is not available (meaning, it responds only with one NAT address out of the
available WAN links).
. The user on the Internet initiates the application traffic to the NAT address, which Alteon matches against the
relevant static NAT or no NAT entry:
If it is static NAT, the destination IP address is replaced with the local IP address, and the source port remains
unchanged.
If it is no NAT, nothing is changed and the traffic is forwarded to the local IP address according to the routing
table.
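The following Python model is an added example (it is not Alteon or LinkProof NG code) that reproduces the lookup precedence described in Examples 1 and 2 and in the inbound flow above: static NAT and no NAT entries are matched before dynamic NAT entries, and the inbound (public-to-local) lookup consults only static and no NAT entries. The entry layout, the `SmartNatTable` class, the treatment of a missing WAN link as "applies on every link", the one-host-to-one-address form of static entries and all addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional, Tuple

# Stands in for the "Any" keyword; the page allows it only for dynamic NAT.
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatEntry:
    nat_type: str                 # "static", "dynamic" or "none" (no NAT)
    local: IPv4Network            # local address (/32) or range
    wan_link: Optional[str]       # WAN link; None = every link (assumption of this model)
    nat_address: Optional[str]    # public address; None for no-NAT entries

    def __post_init__(self) -> None:
        if self.nat_type not in ("static", "dynamic", "none"):
            raise ValueError(f"unknown NAT type {self.nat_type!r}")
        if self.local == ANY and self.nat_type != "dynamic":
            raise ValueError("Any is relevant only for dynamic NAT")
        if self.nat_type == "static" and self.local.prefixlen != 32:
            raise ValueError("this model maps static entries one host to one address")


class SmartNatTable:
    def __init__(self, entries: Iterable[NatEntry]) -> None:
        self.entries = list(entries)

    @staticmethod
    def _applies(e: NatEntry, ip: IPv4Address, wan_link: str) -> bool:
        return ip in e.local and e.wan_link in (None, wan_link)

    def outbound(self, local_ip: str, wan_link: str) -> Optional[Tuple[str, Optional[str]]]:
        """Local -> public lookup for the chosen WAN link. Static and no-NAT
        entries are tried first, so a host inside a large dynamic range still
        gets its static (or no-NAT) treatment."""
        ip = ip_address(local_ip)
        for phase in (("static", "none"), ("dynamic",)):
            for e in self.entries:
                if e.nat_type in phase and self._applies(e, ip, wan_link):
                    return e.nat_type, e.nat_address
        return None

    def inbound(self, public_ip: str) -> Optional[Tuple[str, str]]:
        """Public -> local lookup for Internet-initiated traffic. Only static and
        no-NAT entries are consulted; a dynamic NAT pool is never reachable inbound."""
        ip = ip_address(public_ip)
        for e in self.entries:
            if e.nat_type == "static" and e.nat_address == public_ip:
                return "static", str(e.local.network_address)
            if e.nat_type == "none" and ip in e.local:
                return "none", public_ip
        return None


# Constructed table: Example 1 (a static host inside a dynamic range) and
# Example 2 (public DMZ servers with no NAT inside a dynamic "Any" entry), two WAN links.
EXAMPLE_TABLE = SmartNatTable([
    NatEntry("static", ip_network("10.1.1.10/32"), "wan1", "203.0.113.10"),
    NatEntry("static", ip_network("10.1.1.10/32"), "wan2", "198.51.100.10"),
    NatEntry("none", ip_network("192.0.2.0/24"), None, None),   # DMZ, already public
    NatEntry("dynamic", ANY, "wan1", "203.0.113.1"),
    NatEntry("dynamic", ANY, "wan2", "198.51.100.1"),
])


if __name__ == "__main__":
    for ip, link in (("10.1.1.10", "wan1"), ("10.1.1.10", "wan2"),
                     ("10.1.1.50", "wan1"), ("192.0.2.5", "wan2")):
        print(f"outbound {ip} via {link}: {EXAMPLE_TABLE.outbound(ip, link)}")
    for pub in ("203.0.113.10", "192.0.2.5", "203.0.113.1"):
        print(f"inbound  {pub}: {EXAMPLE_TABLE.inbound(pub)}")
```

Running the script shows 10.1.1.10 translated to a different static address per WAN link, 10.1.1.50 falling through to the dynamic pool of the chosen link, the DMZ address passing untouched, and the dynamic pool address 203.0.113.1 yielding no inbound mapping at all.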
Non TCP/UDP/ICMP Protocol Support
Smart NAT supports the following IP protocols (other than TCP/UDP/ICMP):
GRE
ESP
AH
When sending traffic using these protocols, static NAT can be used, and only the IP address is replaced (these protocols carry
no port numbers to translate).
Note: AH does not work with static NAT, even though the IP address is replaced, because of the nature of the protocol. AH
carries an integrity check value (ICV) computed over the immutable fields of the IP header, which include the source and
destination addresses, so once an address is rewritten the ICV no longer verifies at the receiver.
AH therefore does not support static NAT (or any NAT at all) by design of the protocol.
The other two protocols (GRE and ESP) support static NAT through Smart NAT.
ESP can also be used with dynamic NAT if NAT traversal (ESP encapsulated in UDP) is enabled on the VPN device, because
the UDP ports then give the translator something to multiplex on.
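The following Python model is an added example (not Alteon or LinkProof NG code) of why an address rewrite breaks AH but not ESP. It models the integrity check of AH (RFC 4302) and ESP (RFC 4303) with HMAC-SHA256 over constructed packets: the AH ICV covers the immutable IP header fields (source and destination addresses included) plus the AH payload, with mutable fields such as TTL treated as zero; the ESP ICV covers only the ESP header and encrypted payload. The packet layout, the key and the addresses are simplifications constructed for this example, not real wire formats.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"   # shared integrity key of the two VPN peers (constructed)
PROTO_ESP, PROTO_AH = 50, 51


@dataclass(frozen=True)
class IPv4Packet:
    src: str
    dst: str
    ttl: int        # mutable in transit, so excluded from the AH ICV
    proto: int      # 50 = ESP, 51 = AH
    payload: bytes  # AH: authenticated data; ESP: ESP header + ciphertext


def _ah_immutable_header(pkt: IPv4Packet) -> bytes:
    # Fields the AH ICV covers; the mutable TTL is replaced by zero (simplified).
    return (IPv4Address(pkt.src).packed + IPv4Address(pkt.dst).packed
            + bytes([0, pkt.proto]))


def ah_icv(pkt: IPv4Packet) -> bytes:
    return hmac.new(KEY, _ah_immutable_header(pkt) + pkt.payload, hashlib.sha256).digest()


def ah_verify(pkt: IPv4Packet, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(pkt), icv)


def esp_icv(esp_bytes: bytes) -> bytes:
    # ESP authenticates only its own header and ciphertext, never the outer IP header.
    return hmac.new(KEY, esp_bytes, hashlib.sha256).digest()


def esp_verify(esp_bytes: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(esp_icv(esp_bytes), icv)


def static_nat_inbound(pkt: IPv4Packet, local_ip: str) -> IPv4Packet:
    """Inbound static NAT: rewrite the destination address only; the TTL is
    decremented because the packet is also forwarded."""
    return replace(pkt, dst=local_ip, ttl=pkt.ttl - 1)


def demo() -> dict:
    # Constructed AH packet from a remote peer to the public NAT address.
    ah_pkt = IPv4Packet("198.51.100.7", "203.0.113.10", 64, PROTO_AH, b"AH-protected data")
    icv = ah_icv(ah_pkt)                      # computed by the sender before NAT
    ttl_only = replace(ah_pkt, ttl=63)        # a plain router hop: mutable field only
    after_nat = static_nat_inbound(ah_pkt, "10.1.1.10")

    # Constructed ESP packet; payload stands in for ESP header + ciphertext.
    esp_pkt = IPv4Packet("198.51.100.7", "203.0.113.10", 64, PROTO_ESP, b"ESP-hdr+ciphertext")
    esp_mac = esp_icv(esp_pkt.payload)
    esp_after_nat = static_nat_inbound(esp_pkt, "10.1.1.10")

    return {
        "ah_untouched": ah_verify(ah_pkt, icv),
        "ah_after_ttl_decrement": ah_verify(ttl_only, icv),     # TTL is not covered
        "ah_after_static_nat": ah_verify(after_nat, icv),      # destination is covered
        "esp_after_static_nat": esp_verify(esp_after_nat.payload, esp_mac),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

The AH packet still verifies after a hop that only decrements the TTL, but fails as soon as static NAT rewrites the destination, while the ESP check is indifferent to the outer addresses; this is the reason the note above rules out AH for any form of NAT.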
High Availability
The NAT addresses in the Smart NAT table are High Availability (HA) entities.
When using HA, only the master Alteon responds to ARP requests for these NAT addresses.
Upon failover, a gratuitous ARP (GARP) is sent for all NAT addresses.
You can use the command /oper/ip/garp to send a GARP for a NAT address manually.
Mirroring occurs automatically (no configuration needed) for inbound traffic that reaches a Smart NAT
address.
For outbound traffic, mirroring has to be explicitly enabled on the outbound LLB filter.
When configuration sync is enabled, it fully synchronizes the Smart NAT configuration to the peer.