Use cases for when to check/uncheck NAT Direct in the interface settings

Article ID: 330727

Updated On: 02-26-2025

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

This article explains when to check or uncheck NAT Direct on an interface.

Symptoms:
NAT Direct use cases
1) Case 1: NAT Direct must be checked under the device settings

PC(10.0.2.2)----------VCE GE2(192.168.1.2)--------  192.168.1.1(Modem)137.27.1.188

The VCE is connected to a modem that has the private IP 192.168.1.1 and the public IP 137.27.1.188.
GE2 has the IP address 192.168.1.2.

The PC has the IP 10.0.2.2. When the PC sends traffic sourced from 10.0.2.2 out via GE2, the source IP is first NATed to 192.168.1.2 and then NATed to 137.27.1.188. This is a double NAT. In this case, NAT Direct must be checked for GE2.

2) Case 2: NAT Direct must be checked under the device settings

PC(10.0.2.2)----------VCE GE2(137.27.1.188)

There is no SP modem; the SP circuit plugs directly into GE2. NAT Direct must also be checked on GE2, because traffic sourced from 10.0.2.2 has to be translated to 137.27.1.188.

3) Case 3: NAT Direct should not be checked under the device settings

PC(10.0.2.2)----------VCE GE2(192.168.1.2)   -------(192.168.1.1) Firewall NAT(137.27.1.188)

If a firewall is connected to GE2 and the firewall can do the NAT, NAT Direct does not need to be checked on GE2.
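
Added example (not part of the original article and not VMware code): a small Python model that traces the source address hop by hop through the three topologies above and reports whether NAT Direct is needed on GE2. Assumptions: the /24 prefix lengths, the modem translating only its own LAN subnet, and the firewall having a NAT rule for the PC subnet are illustrative; the function names are hypothetical.

```python
import ipaddress

def trace_source(pc_ip, ge2_ip, nat_direct, upstream=None):
    """Return the source addresses a packet from pc_ip carries, hop by hop.

    upstream is None (circuit plugged straight into GE2) or a dict with
    'public' (outside address) and 'inside' (networks that device translates).
    """
    src = ipaddress.ip_address(pc_ip)
    path = [str(src)]
    if nat_direct:
        # The edge rewrites the source to the GE2 interface address.
        src = ipaddress.ip_address(ge2_ip)
        path.append(str(src))
    if upstream is not None:
        inside = [ipaddress.ip_network(n) for n in upstream["inside"]]
        # Assumption: the upstream device only translates sources it has a rule for.
        if any(src in net for net in inside):
            src = ipaddress.ip_address(upstream["public"])
            path.append(str(src))
    return path

def needs_nat_direct(pc_ip, ge2_ip, upstream=None):
    """True when leaving NAT Direct unchecked lets a private source past the last NAT."""
    final = trace_source(pc_ip, ge2_ip, False, upstream)[-1]
    return ipaddress.ip_address(final).is_private

# The three topologies from the article (prefix lengths are assumed).
MODEM = {"public": "137.27.1.188", "inside": ["192.168.1.0/24"]}
FIREWALL = {"public": "137.27.1.188", "inside": ["192.168.1.0/24", "10.0.2.0/24"]}
CASES = {
    "case 1 (modem)": ("10.0.2.2", "192.168.1.2", MODEM),
    "case 2 (direct circuit)": ("10.0.2.2", "137.27.1.188", None),
    "case 3 (firewall NAT)": ("10.0.2.2", "192.168.1.2", FIREWALL),
}

if __name__ == "__main__":
    for name, (pc, ge2, up) in CASES.items():
        check = needs_nat_direct(pc, ge2, up)
        path = trace_source(pc, ge2, check, up)
        print(f"{name}: NAT Direct {'checked' if check else 'unchecked'}, "
              f"source path {' -> '.join(path)}")
```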

Environment

VMware SD-WAN by VeloCloud
