Basic NAT – Single Enterprise on Versa SD-WAN

Network Address Translation (NAT) is the process of mapping IP addresses belonging to one address space into another.

A Basic NAT is one where a router has an inside (typically a LAN) interface and an outside (Internet) interface. A one-to-one NAT maps an internal (inside) IP address to an external (outside) IP address.

Versa Secure SD-WAN supports various types of NAT: Basic one-to-one NAT, one-to-many NAT (PAT), twice basic NAT, destination NAT and dynamic NAT.

This article explains how to configure a Basic NAT (one-to-one) on Versa Operating System with a single tenant, i.e. no parent-child organization relationship as would be the case in a Service Provider environment.

High Level Topology

The topology here has a web server on a customer LAN that needs access to the Internet to download patches, updates, etc.

When performing Basic NAT, Versa Operating System automatically creates a bi-directional NAT entry.



A. Define a CGNAT pool: the outside IP address to which the internal server address will be translated while accessing the Internet.
B. Create a CGNAT rule to match the source address of the internal machine, map it to the CGNAT pool and define the type of NAT.

Step 1: Create a CGNAT pool.
Step 2: Configure the outside IP address of the NAT pool created above and choose the routing instance 'INET-Transport-VR'.
Step 3: In the 'Port' tab, do not choose any source or destination ports, as this is not required for this use case.
Click 'Ok' to create the CGNAT pool.
Step 4: Define a CGNAT rule name.
Step 5: Match the IP address of the internal server that has to be translated.
Step 6: Define the type of NAT to be done. In this case choose 'basic-nat-44' and then select the source NAT pool created earlier, 'Ext_MS_Server_Patch_Update_IP'.


The NAT translations can be verified on the CLI and in the Monitor tabs. If logging is enabled for the NAT translations, the logs are available in Analytics under the CGNAT tab.

Here the source IP of the machine accessing the Internet is translated to the IP

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief
VSN  VSN  SESS  SOURCE  DESTINATION  SOURCE  DESTINATION                                        NAT SOURCE  NAT DESTINATION  NAT SOURCE  NAT DESTINATION
ID   VID  ID    IP      IP           PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION  IP          IP               PORT        PORT
0    2    514                        55107   53           17        Yes     No     dns                                       55107       53
0    2    522                        57961   443          6         Yes     No     akamai                                    57961       443
0    2    523                        57962   443          6         Yes     No     akamai                                    57962       443
0    2    169                        57712   443          6         Yes     No     http2                                     57712       443
0    2    358                        52404   53           17        Yes     No     dns                                       52404       53
0    2    401                        57871   443          6         Yes     No     http2                                     57871       443
0    2    515                        57955   443          6         Yes     No     windowslive                               57955       443
[ok][2019-07-05 12:34:30]

The bi-directional NAT sessions are also formed automatically.
Even though there was no prior NAT session from inside to outside, an Internet user is able to reach the inside host by referring to its outside IP, so the Basic NAT automatically creates an inbound NAT session.

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief
VSN  VSN  SESS  SOURCE  DESTINATION  SOURCE  DESTINATION                                        NAT SOURCE  NAT DESTINATION  NAT SOURCE  NAT DESTINATION
ID   VID  ID    IP      IP           PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION  IP          IP               PORT        PORT
0    2    13458                      30498   30498        1         Yes     No     icmp                                      30498       30498
[ok][2019-07-05 12:34:30]

Analytics logs show the NAT translation details.

Jul 15th 2020, 11:59:46 AM IST
2020-07-15T06:29:46Z cgnatLog, tenant=twitter, flowDuration=0, postNAPTDestPort=443, postNAPTSrcPort=57961, destPort=443, natEvent=nat44-sess-create, srcPort=57961, natRuleName=Internal_MS_Server, destNatPoolName=-, destAddr=, rcvTimeSec=46, srcAddr=, protocolId=6, flowKey=0x5f0ea1ce01000200441f, postNATSrcAddr=, postNATDestAddr=, at=Thu Jul 16 00:00:00 PDT 2020, deviceKey=-, applianceName=Hub-Twitter, srcNatPoolName=Ext_MS_Server_Patch_Update_IP
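One way to verify from the Analytics logs that the rule is really doing one-to-one translation, as an added example that is not part of the article or of Versa's tooling: parse the cgnatLog key=value fields and check that the rule and pool names are the expected ones and that ports are unchanged after translation (a port change means a PAT-style, not a basic-nat-44, translation). The sample records below are constructed; the first mirrors the article's log line with its IP fields blank.

```python
from typing import Dict, List

# Constructed sample records (not from the article). The first is shaped like
# the article's cgnatLog line, IP fields left blank as in that capture; the
# second is deliberately built with a rewritten source port and another pool.
SAMPLE_LOGS = [
    "cgnatLog, tenant=twitter, flowDuration=0, postNAPTDestPort=443, "
    "postNAPTSrcPort=57961, destPort=443, natEvent=nat44-sess-create, "
    "srcPort=57961, natRuleName=Internal_MS_Server, destNatPoolName=-, "
    "destAddr=, rcvTimeSec=46, srcAddr=, protocolId=6, "
    "flowKey=0x5f0ea1ce01000200441f, postNATSrcAddr=, postNATDestAddr=, "
    "at=Thu Jul 16 00:00:00 PDT 2020, deviceKey=-, applianceName=Hub-Twitter, "
    "srcNatPoolName=Ext_MS_Server_Patch_Update_IP",
    "cgnatLog, tenant=twitter, postNAPTDestPort=53, postNAPTSrcPort=1024, "
    "destPort=53, natEvent=nat44-sess-create, srcPort=55107, "
    "natRuleName=Internal_MS_Server, destNatPoolName=-, protocolId=17, "
    "flowKey=0xconstructed0001, srcNatPoolName=Some_PAT_Pool",
]


def parse_cgnat_log(line: str) -> Dict[str, str]:
    """Split a cgnatLog record into its key=value fields; empty values stay ''."""
    head, _, body = line.partition(",")
    if head.strip() != "cgnatLog":
        raise ValueError("not a cgnatLog record")
    fields: Dict[str, str] = {}
    for item in body.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:  # ignore anything that is not key=value
            fields[key] = value
    return fields


def check_basic_nat(fields: Dict[str, str], rule: str, pool: str) -> List[str]:
    """Findings for a session expected to come from a basic-nat-44 rule.
    Basic NAT rewrites addresses only, so pre- and post-NAT ports must match."""
    findings: List[str] = []
    if fields.get("natRuleName") != rule:
        findings.append(f"unexpected rule {fields.get('natRuleName')!r}")
    if fields.get("srcNatPoolName") != pool:
        findings.append(f"unexpected source pool {fields.get('srcNatPoolName')!r}")
    if fields.get("srcPort") != fields.get("postNAPTSrcPort"):
        findings.append("source port changed: not a one-to-one translation")
    if fields.get("destPort") != fields.get("postNAPTDestPort"):
        findings.append("destination port changed: not a one-to-one translation")
    return findings
```

Run `check_basic_nat(parse_cgnat_log(line), "Internal_MS_Server", "Ext_MS_Server_Patch_Update_IP")` over exported records; an empty list means the session matches the configured rule, pool and one-to-one behaviour.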


In this article, we saw how a Basic NAT is configured on the Versa Operating System. More granular control of the NAT can be achieved by defining the ports as well, depending on the use case. Because the bi-directional entry makes the inside host reachable from the Internet on its outside address, inbound access to it should be restricted by the appropriate security policy.