
Cisco Viptela SDWAN: NAT Mapping and Filtering Test

This post looks at NAT mapping and filtering behaviour as seen from a vEdge. If you want to discover the external (post-NAT) IP address and port of a vEdge that sits behind a NAT device, the command covered here does exactly that: it finds the port mapping the NAT has created for the device and, optionally, discovers properties of the NAT between the local device and a public STUN server.

The classic STUN terminology (RFC 3489) describes four NAT types: Full-cone NAT; Restricted-cone NAT; Port-Restricted-cone NAT; Symmetric NAT. The newer behaviour-based terminology (RFC 4787) instead describes a NAT by its mapping behaviour and its filtering behaviour separately, and that is what the test output below reports. Here we will run the test and work out from the output which NAT type the vEdge is behind.

Fig 1.1- Cisco Viptela SDWAN: NAT Mapping and Filtering

Step 1: On your vEdge, configure "allow-service stun" under the VPN 0 tunnel interface so that STUN traffic is permitted through that interface for the test. The STUN client on the vEdge sends its requests out of this interface to the public STUN server.

NDNA_vEdge1# show running-config vpn 0 interface ge0/1
vpn 0
 interface ge0/1
  ip address 192.168.12.2/30
  !
  tunnel-interface
   encapsulation ipsec
   color public-internet
   max-control-connections 1
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   no allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   allow-service stun
  !
  no shutdown
 !
!

Step 2: Now run the command to perform a full NAT detection test, using UDP source port 12386, against the Google STUN server. Using one of the vEdge's own data-plane ports (12386 is in the default port-hopping range) means the test reflects how the NAT treats the tunnel traffic itself.

A list of publicly available STUN servers is maintained at the link below (Google's entry is stun.l.google.com on UDP port 19302):
https://gist.github.com/mondain/b0ec1cf5f60ae726202e

The output of the command below reports both the NAT mapping behaviour and the NAT filtering behaviour. The --localaddr value is the source address the STUN client binds to, so it must be an address of the VPN 0 interface the test goes out of, and --localport is the UDP source port you want to test.

NDNA_vEdge1# tools stun-client vpn 0 options "--mode full --localaddr 192.168.1.50 --localport 12386 --verbosity 2 stun.l.google.com 19302"

stunclient --mode full --localaddr 192.168.1.50 stun.l.google.com in VPN 0
Binding test: success
Local address: 192.168.1.50:12386
Mapped address: 113.178.123.116:4501
Behavior test: success
Nat behavior: Address Dependent Mapping
Filtering test: success
Nat filtering: Address and Port Dependent Filtering

The command output describes the NAT in RFC 4787 terms (mapping behaviour and filtering behaviour) rather than in the classic cone/symmetric terms, so the two vocabularies have to be mapped onto each other. Full-cone NAT is Endpoint Independent Mapping with Endpoint Independent Filtering; Restricted-cone NAT is Endpoint Independent Mapping with Address Dependent Filtering; Port-Restricted-cone NAT is Endpoint Independent Mapping with Address and Port Dependent Filtering; Symmetric NAT is any mapping that depends on the destination (Address Dependent Mapping or Address and Port Dependent Mapping). The NAT in this output, Address Dependent Mapping with Address and Port Dependent Filtering, is therefore not a full-cone NAT: it behaves as a symmetric NAT, which is the least tunnel-friendly case, because the external port this vEdge learns from vBond and advertises in its TLOC is not the port a peer at a different address will see.

Note ⭐: A full-cone NAT is one where all packets from the same internal IP address and port are mapped to the same external IP address and port, and any external host can reach the internal host by sending to that mapped address and port.
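As an added example (not part of the original post and not Viptela's own code), the following Python script parses the tools stun-client output shown above and applies the mapping/filtering-to-NAT-type table from the previous paragraph, so the classification can be scripted across many vEdges instead of read by eye. The sample output is the block from this post embedded as a constructed string. Only "Address Dependent Mapping" and "Address and Port Dependent Filtering" appear on this page; the other behaviour strings are assumed to follow the same naming as the open-source stunclient tool whose command line the vEdge echoes, and the tunnel_friendly helper is a hypothetical check added here.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the "tools stun-client" output from the post above,
# embedded as a string so the script runs offline.
SAMPLE_OUTPUT = """\
stunclient --mode full --localaddr 192.168.1.50 stun.l.google.com in VPN 0
Binding test: success
Local address: 192.168.1.50:12386
Mapped address: 113.178.123.116:4501
Behavior test: success
Nat behavior: Address Dependent Mapping
Filtering test: success
Nat filtering: Address and Port Dependent Filtering
"""

# RFC 4787 behaviour names as printed by stunclient (spelling assumed for
# the ones not shown on the page).
EIM = "Endpoint Independent Mapping"
ADM = "Address Dependent Mapping"
APDM = "Address and Port Dependent Mapping"
EIF = "Endpoint Independent Filtering"
ADF = "Address Dependent Filtering"
APDF = "Address and Port Dependent Filtering"

# Classic RFC 3489 "cone" names only exist for endpoint-independent mapping;
# any destination-dependent mapping is what RFC 3489 called symmetric NAT.
CONE_TYPES = {
    (EIM, EIF): "Full-cone NAT",
    (EIM, ADF): "Restricted-cone NAT",
    (EIM, APDF): "Port-Restricted-cone NAT",
}

FIELD_RE = re.compile(
    r"^(Binding test|Local address|Mapped address|Behavior test|"
    r"Nat behavior|Filtering test|Nat filtering):\s*(.+?)\s*$"
)


@dataclass
class StunResult:
    local: Tuple[str, int]
    mapped: Tuple[str, int]
    mapping: Optional[str]    # None when the behaviour test did not succeed
    filtering: Optional[str]  # None when the filtering test did not succeed


def _addr(text: str) -> Tuple[str, int]:
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_stun_output(text: str) -> StunResult:
    """Pull the key/value lines out of the stun-client output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    if fields.get("Binding test") != "success":
        # Nothing else is meaningful without a binding response; typically
        # "allow-service stun" is missing or UDP to the server is blocked.
        raise ValueError("binding test failed; check allow-service stun and reachability")
    return StunResult(
        local=_addr(fields["Local address"]),
        mapped=_addr(fields["Mapped address"]),
        mapping=fields.get("Nat behavior") if fields.get("Behavior test") == "success" else None,
        filtering=fields.get("Nat filtering") if fields.get("Filtering test") == "success" else None,
    )


def classify(result: StunResult) -> str:
    """Translate (mapping, filtering) into the classic STUN NAT type."""
    if result.local == result.mapped:
        return "No NAT"            # the interface carries the public address itself
    if result.mapping is None or result.filtering is None:
        # A sub-test did not succeed: the behaviour and filtering tests need a
        # STUN server that supports RFC 5780 (a second address/port to answer from).
        return "Undetermined"
    if result.mapping == EIM:
        return CONE_TYPES.get((EIM, result.filtering), "Undetermined")
    if result.mapping in (ADM, APDM):
        return "Symmetric NAT"
    return "Undetermined"


def tunnel_friendly(result: StunResult) -> bool:
    """Hypothetical check: a peer can only reach the mapped port this vEdge
    learned from vBond if the mapping does not change per destination."""
    return result.local == result.mapped or result.mapping == EIM


if __name__ == "__main__":
    r = parse_stun_output(SAMPLE_OUTPUT)
    print(f"mapped {r.mapped[0]}:{r.mapped[1]} -> {classify(r)}, "
          f"tunnel friendly: {tunnel_friendly(r)}")
```

Run it against the pasted output of the vEdge command (the script expects the same line labels); for the output in this post it reports a symmetric NAT and flags it as not tunnel friendly, which is the answer the table above gives by hand.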