Scenario

Starting with Alteon version 30.5.2.0, a new Smart NAT feature has been introduced.
This feature is related to LinkProof NG, and introduces a new centralized NAT table to simplify the NAT
configuration.

NAT is mainly used to translate a local private IP address to a public IP address for Internet access (and vice
versa – public to private translation for access from the Internet to local resources).

LinkProof NG is deployed on the edge of a network, and is used for load balancing WAN links. As a result, NAT is
usually required on the LinkProof NG device.

The Smart NAT table can contain one of three NAT types:

- Dynamic NAT – One-to-many:
  - Mainly used for user Internet access.
  - The source IP address is replaced with the dynamic NAT IP address, and the source port is replaced with a new source port.
- Static NAT – One-to-one:
  - Mainly used for access from the Internet to internal services.
  - The source IP address is replaced with the static NAT IP address, and the source port remains unchanged.
  - Static NAT entries are bi-directional, meaning inbound traffic to the NAT address is translated to the local IP address, and outbound traffic generated from the local IP address is translated to the public IP address.
- No NAT – Used to declare that a specific local address is not NATted.

A Smart NAT entry consists of the following parameters:

- Name – A descriptive name.
- Type – The NAT type (dynamic|static|nonat).
- IP version – The IP version.
- Local address – The local (usually private) IP address to be NATted. This can be configured as an address/subnet, a network class or Any (the Any keyword is relevant only for dynamic NAT).
- WAN link – The WAN link associated with the NAT entry.
- NAT address – The NAT address to which the local address is mapped:
  - This can be configured as an address/subnet or a network class.
  - For dynamic NAT, the number of NAT addresses can be less than the number of local addresses.
  - For static NAT, the number of static NAT addresses must be identical to the number of local addresses. A one-to-one mapping is always performed in static NAT, meaning you can configure a range of local IP addresses and a range of static NAT addresses, but the two ranges must be identical in size. When they are, Alteon maps one to one when NATting (the first IP address in the local range is mapped to the first IP address in the NAT range, and so on). Non-identical local/NAT ranges result in an Apply failure.
Smart NAT is enabled by default (it can be disabled) and works as follows:

For Outbound Traffic:

1. When an outbound-llb filter is configured and matched, a WAN link is selected.
2. Alteon looks in the Smart NAT table for a match for the local IP + WAN link. When performing the lookup, the following priority mechanism is used:
   - First, Alteon looks for a match in the no NAT entries.
   - If it does not find a match, it looks for a match in the static NAT entries.
   - If it does not find a match, it looks for a match in the dynamic NAT entries.
   - If it does not find a match, it falls back to PIP mode on the WAN link level.

As a result, Alteon selects the relevant NAT address for the local IP address based on the selected WAN link, which makes it possible to choose different NAT addresses based on the chosen WAN link.

Configuration

Example 1:
If you have large local subnets that need Internet access, but within these subnets you have a few local addresses that need static NAT, you do not need to split the ranges. You can configure the large range for dynamic NAT, and then the small range (or a few small ranges) for static NAT. Even though the local addresses in the small static NAT range are within the large dynamic NAT range, they never match the dynamic entry, and there is no risk of using the dynamic NAT address for the local addresses that require static NAT. This is because Alteon first matches the static NAT, and only when no match is found does it try to find a match in the dynamic NAT entries.

Example 2:
There are some servers on the DMZ that have public IP addresses and do not need NAT. In addition, there are a few large ranges of user IP addresses that require dynamic NAT. To simplify the configuration, the user defines a dynamic NAT with the local address set to Any. This also covers the servers on the DMZ, but the user can define no NAT entries for these servers. Since no NAT is matched before dynamic NAT, these servers do not undergo NAT, and all other IP addresses undergo dynamic NAT.
 
For Inbound Traffic:

1. When a DNS request arrives at the Alteon DNS VIP, Alteon looks for the DNS name in the GSLB rules table. A GSLB network, on which the local IP address is configured, is associated with the GSLB rule.
2. When Alteon finds a match on the GSLB rule, it finds the associated GSLB network, and within the GSLB network it finds the local IP.
3. Alteon then goes to the Smart NAT table and looks for the entries that contain the local IP address (only in the static NAT and no NAT entries).
4. If it finds a match, it returns the NAT address based on the other parameters in the GSLB rule (number of resource records, proximity and other metrics).

   Currently, the Active/Backup response is not available (meaning, it responds with only one NAT address out of the available WAN links).

5. The user on the Internet initiates the application traffic to the NAT address, which is matched against the relevant static NAT or no NAT entry:
   - If it is static NAT, the destination IP address is replaced with the local IP address, and the source port remains unchanged.
   - If it is no NAT, nothing is changed and the traffic is forwarded to the local IP address based on the routing table.
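
The outbound lookup order (no NAT, then static, then dynamic, then PIP fallback on the WAN link), the one-to-one static mapping with its Apply-time range check, and the inbound lookup that consults only static and no NAT entries, as an added Python model that is not Alteon's code; the entry names, addresses and the deterministic dynamic-pool pick are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SmartNatEntry:
    name: str
    nat_type: str   # "nonat" | "static" | "dynamic"
    wan_link: str
    local: str      # "any" (dynamic only) or an address/subnet such as "10.0.0.0/8"
    nat: str = ""   # NAT address/subnet; unused for nonat
    def local_net(self):
        return None if self.local == "any" else ipaddress.ip_network(self.local)

def validate(entries):
    """Model of the Apply-time checks: Any only for dynamic; static ranges identical in size."""
    for e in entries:
        if e.local == "any" and e.nat_type != "dynamic":
            raise ValueError(f"{e.name}: Any is valid only for dynamic NAT")
        if e.nat_type == "static" and (e.local_net().num_addresses
                                       != ipaddress.ip_network(e.nat).num_addresses):
            raise ValueError(f"{e.name}: static local/NAT ranges are not identical in size")

def outbound_nat(entries, local_ip, wan_link):
    """Lookup for local IP + WAN link: no NAT -> static -> dynamic -> PIP fallback."""
    ip = ipaddress.ip_address(local_ip)
    for wanted in ("nonat", "static", "dynamic"):
        for e in entries:
            net = e.local_net()
            if e.nat_type != wanted or e.wan_link != wan_link or (net is not None and ip not in net):
                continue
            if wanted == "nonat":
                return e.name, str(ip)          # address left untouched
            pool = ipaddress.ip_network(e.nat)
            if wanted == "static":              # first local -> first NAT, and so on
                return e.name, str(pool.network_address + (int(ip) - int(net.network_address)))
            # dynamic: the device picks the pool address and a new source port; constructed pick here
            return e.name, str(pool[int(ip) % pool.num_addresses])
    return "pip-fallback", None                 # no Smart NAT match: PIP on the WAN link level

def inbound_local(entries, nat_ip):
    """Inbound lookup by NAT address; only static and no NAT entries are consulted."""
    ip = ipaddress.ip_address(nat_ip)
    for e in entries:
        net = e.local_net()
        if e.nat_type == "nonat" and net is not None and ip in net:
            return str(ip)
        if e.nat_type == "static" and ip in ipaddress.ip_network(e.nat):
            pool = ipaddress.ip_network(e.nat)
            return str(net.network_address + (int(ip) - int(pool.network_address)))
    return None
```

With a /8 dynamic entry, a /30 static entry inside it and a no NAT entry for a DMZ subnet, the model reproduces Examples 1 and 2: the static hosts never hit the dynamic pool, and the DMZ addresses pass untranslated.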

 
Non TCP/UDP/ICMP Protocol Support

Smart NAT supports the following IP protocols (other than TCP/UDP/ICMP):

- GRE
- ESP
- AH

When sending traffic using these protocols, static NAT can be used and only the IP address is replaced.

Note: AH does not work with static NAT (although the IP address is replaced) due to the nature of the protocol. A hash is included within the protocol, and once the IP address is changed, the hash no longer matches. Therefore, AH does not support static NAT (or any NAT at all) by design of the protocol. The other two protocols (GRE and ESP) can support static NAT using Smart NAT. ESP can also be used with dynamic NAT if NAT traversal (over UDP) is used on the VPN device.
 
High Availability

- The NAT addresses in the Smart NAT table are High Availability (HA) entities.
- When using HA, only the master Alteon responds to ARP requests for these NAT addresses.
- Upon failover, GARP is sent for all NAT addresses.
- You can use the command /oper/ip/garp to send GARP for a NAT address.
- Mirroring occurs automatically (no configuration needed) for inbound traffic that reaches a Smart NAT address.
- For outbound traffic, mirroring has to be explicitly enabled on the outbound-llb filter.
- Configuration sync fully syncs the Smart NAT configuration when enabled.
