Vyatta – How do I configure NAT?

Introduction

Within this article we will look at the various ways to configure NAT on a Vyatta appliance.

To configure NAT, source and destination rules are defined using the ‘set nat source’ and ‘set nat destination’ commands. Source rules translate the source address of a packet; destination rules translate the destination address.

NAT Masquerade (Many-to-one)

First of all, let's look at the configuration needed to translate a network range behind a single IP.

set nat source rule 10 source address '192.168.0.0/16'
set nat source rule 10 outbound-interface 'eth2'
set nat source rule 10 protocol 'all'
set nat source rule 10 translation address 'masquerade'

In this example, all traffic coming from 192.168.0.0/16 and leaving via eth2 will have its source IP address translated to the IP of eth2.

Static NAT

Static NAT provides a one-to-one mapping.

set nat source rule 12 source address 192.168.130.32
set nat source rule 12 outbound-interface eth0
set nat source rule 12 translation address 172.16.130.32

set nat destination rule 12 inbound-interface eth0
set nat destination rule 12 destination address 172.16.131.32
set nat destination rule 12 translation address 192.168.130.32

In this example, traffic destined to 172.16.131.32 arriving inbound on eth0 will be translated to 192.168.130.32. Traffic initiated from 192.168.130.32 will be translated to the source address of 172.16.130.32.

Port Forwarding

Port forwarding involves the translation of a port as well as an address. In the example below, traffic destined to 172.16.130.32 on TCP port 8080 will be translated to the IP 192.168.130.32, port 80.

set nat destination rule 33 destination address '172.16.130.32'
set nat destination rule 33 destination port '8080'
set nat destination rule 33 inbound-interface 'eth0'
set nat destination rule 33 protocol 'tcp'
set nat destination rule 33 translation port '80'
set nat destination rule 33 translation address '192.168.130.32'

Policy NAT

Policy NAT involves the translation of either a port or an address based on conditions other than the address/port that is subject to translation, i.e. NAT destination address X to destination address Y only when the source address is Z.

Within this example we will static NAT an entire subnet, but only when the traffic is sourced from or destined to 10.1.1.0/24.

The NAT rule reads:

  • Destination – when traffic from 10.1.1.0/24 destined to 172.16.130.0/24 translate the destination to 192.168.130.0/24.
  • Source – when traffic from 192.168.130.0/24 destined to 10.1.1.0/24 translate the source address to 172.16.130.0/24.

Note: each address is mapped one-to-one, i.e. 172.16.130.33 would be translated to 192.168.130.33.

set nat destination rule 33 destination address '172.16.130.0/24'
set nat destination rule 33 source address '10.1.1.0/24'
set nat destination rule 33 inbound-interface 'eth0'
set nat destination rule 33 protocol 'tcp'
set nat destination rule 33 translation address '192.168.130.0/24'

set nat source rule 33 destination address '10.1.1.0/24'
set nat source rule 33 source address '192.168.130.0/24'
set nat source rule 33 outbound-interface 'eth0'
set nat source rule 33 protocol 'tcp'
set nat source rule 33 translation address '172.16.130.0/24'
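To make the matching and the one-to-one address arithmetic of the two rules above concrete, here is an added Python model (example code, not Vyatta's implementation and not part of the original article). It evaluates a packet against a constructed Rule carrying the same fields as the set commands, and only translates when interface, protocol, source and destination all match, which is the whole point of policy NAT.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of a Vyatta NAT rule (example only, not Vyatta's code).
# 'interface' is the inbound-interface for a destination rule and the
# outbound-interface for a source rule.
@dataclass
class Rule:
    kind: str          # "source" or "destination"
    interface: str
    protocol: str      # "tcp", "udp" or "all"
    source: str        # matched network, e.g. "10.1.1.0/24"
    destination: str
    translation: str   # network the translated address is mapped into

@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str

def netmap(addr, from_net, to_net):
    """One-to-one mapping: keep the host offset, swap the network part."""
    from_net, to_net = ip_network(from_net), ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("one-to-one NAT needs equally sized subnets")
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))

def apply_rule(rule, pkt):
    """Return the translated packet, or pkt unchanged if any condition fails."""
    if rule.interface != pkt.interface or rule.protocol not in ("all", pkt.protocol):
        return pkt
    if ip_address(pkt.src) not in ip_network(rule.source):
        return pkt
    if ip_address(pkt.dst) not in ip_network(rule.destination):
        return pkt
    if rule.kind == "destination":
        return replace(pkt, dst=netmap(pkt.dst, rule.destination, rule.translation))
    return replace(pkt, src=netmap(pkt.src, rule.source, rule.translation))

# The article's policy NAT rule 33, expressed in the model above.
DST_RULE_33 = Rule("destination", "eth0", "tcp",
                   "10.1.1.0/24", "172.16.130.0/24", "192.168.130.0/24")
SRC_RULE_33 = Rule("source", "eth0", "tcp",
                   "192.168.130.0/24", "10.1.1.0/24", "172.16.130.0/24")
```

A packet from 10.2.2.5 to 172.16.130.33 passes through untranslated, while the same packet from 10.1.1.5 is rewritten to 192.168.130.33; checking such a negative case on the real appliance with `show nat destination translations` confirms the policy condition is actually enforced.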

Show

There are a number of show and monitor commands available when troubleshooting NAT; the main ones you should know are shown below:

  • monitor nat destination translations – monitor in real time the current translations.
  • show nat destination translations – show the NAT translation table.
  • show nat destination rules – show the NAT rules within the configuration.

Note: when troubleshooting source-based NAT, replace the ‘destination’ keyword with ‘source’.

Output Examples

vyatta@vyatta:~$ show nat destination translations
Pre-NAT              Post-NAT             Prot  Timeout
172.16.130.32:8080   192.168.130.32:80    tcp   3
vyatta@vyatta:~$ show nat destination rules
Disabled rules are not shown
Codes: X - exclude rule

 rule    intf              translation
----    ----              -----------
33      eth0              daddr 172.16.130.32 to 192.168.130.32
        proto-tcp         dport 8080 to 80
Rick Donato
