Cisco Viptela SDWAN: NAT Mapping and Filtering Test
This post looks at NAT mapping and filtering from the point of view of a vEdge. If you need to discover the external (post-NAT) IP address of a local vEdge that sits behind a NAT device, the built-in STUN client does the job: it finds the port mapping the NAT has assigned to the device and, optionally, discovers the mapping and filtering behaviour of the NAT between the local device and a public STUN server.
The classic (RFC 3489) terminology divides NATs into four types: Full-cone NAT, Restricted-cone NAT, Port-Restricted-cone NAT and Symmetric NAT. The newer NAT behaviour discovery method (RFC 5780) does not name a type directly; it reports a mapping behaviour and a filtering behaviour separately, and each of the four classic types is a particular combination of the two. Below we run the test and work out from the output which type of NAT we are behind.
Fig 1.1- Cisco Viptela SDWAN: NAT Mapping and Filtering
Step 1: On the vEdge, add "allow-service stun" to the VPN 0 tunnel interface so that STUN traffic is permitted through the tunnel interface's implicit ACL. The test below uses the vEdge's own STUN client on that interface, so without this line the replies from the STUN server are dropped.
NDNA_vEdge1# show running-config vpn 0 interface ge0/1
vpn 0
interface ge0/1
ip address 192.168.12.2/30
!
tunnel-interface
encapsulation ipsec
color public-internet
max-control-connections 1
no allow-service bgp
allow-service dhcp
allow-service dns
no allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
allow-service stun
!
no shutdown
!
!
Step 2: Now run the STUN client to perform a full NAT detection test, using UDP source port 12386 toward Google's public STUN server.
A list of publicly available STUN servers is kept at the link below (Google's entry is stun.l.google.com, port 19302):
https://gist.github.com/mondain/b0ec1cf5f60ae726202e
The output of the command below reports the external mapped address, the NAT mapping behaviour ("Nat behavior") and the NAT filtering behaviour. Note that --localaddr must be the address of the VPN 0 interface the test leaves from; the address used in this example differs from the ge0/1 address shown in Step 1, so substitute your own interface address when you run it.
NDNA_vEdge1# tools stun-client vpn 0 options "--mode full --localaddr 192.168.1.50 --localport 12386 --verbosity 2 stun.l.google.com 19302"
stunclient --mode full --localaddr 192.168.1.50 stun.l.google.com in VPN 0
Binding test: success
Local address: 192.168.1.50:12386
Mapped address: 113.178.123.116:4501
Behavior test: success
Nat behavior: Address Dependent Mapping
Filtering test: success
Nat filtering: Address and Port Dependent Filtering
The command output does not correspond to a full-cone NAT. Reading it in classic terms: "Address Dependent Mapping" means the NAT allocates a different external port depending on the destination the vEdge talks to, which is the defining property of a Symmetric NAT, and "Address and Port Dependent Filtering" means only the external host and port the vEdge has already sent to are allowed to reply. A full-cone NAT would instead report "Endpoint Independent Mapping" together with "Endpoint Independent Filtering". Note also that the mapped port (4501) differs from the local source port (12386), so this NAT does not preserve the source port.
Note ⭐: A full-cone NAT maps all packets from the same internal IP address and port to the same external IP address and port regardless of destination, and any external host can reach the internal host through that mapping once it exists. Symmetric NAT is the hardest case for peer-to-peer tunnels, because the external port a peer learns via STUN is not the one the NAT will use toward that peer.
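To make the interpretation above concrete, here is an added Python example (not part of the original post or of Cisco's software) that does two things: decodes the XOR-MAPPED-ADDRESS attribute of a STUN Binding Response (RFC 5389), which is how the "Mapped address" line is obtained, and maps the RFC 5780 mapping/filtering behaviour strings printed by the stun-client to the classic four NAT types. The STUN response and the CLI output it parses are constructed inline from the values shown on this page; the attribute and message-type constants are the ones defined in RFC 5389.

```python
import socket
import struct
from typing import Dict, Tuple

MAGIC_COOKIE = 0x2112A442        # RFC 5389 fixed magic cookie
BINDING_RESPONSE = 0x0101        # STUN Binding Success Response
XOR_MAPPED_ADDRESS = 0x0020      # attribute carrying the reflexive (mapped) address
FAMILY_IPV4 = 0x01


def build_binding_response(txn_id: bytes, ip: str, port: int) -> bytes:
    """Constructed STUN Binding Response carrying an IPv4 XOR-MAPPED-ADDRESS.

    A real server would build this; here it stands in for the packet the
    vEdge receives so the parser can be run offline.
    """
    assert len(txn_id) == 12, "STUN transaction IDs are 96 bits"
    xport = port ^ (MAGIC_COOKIE >> 16)                       # port XOR top 16 bits of cookie
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txn_id
    return header + attr


def parse_mapped_address(msg: bytes) -> Tuple[str, int]:
    """Return (ip, port) from the XOR-MAPPED-ADDRESS of a Binding Response."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_RESPONSE:
        raise ValueError("not a STUN Binding Success Response")
    offset, end = 20, 20 + length                            # attributes follow the 20-byte header
    while offset + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[offset:offset + 4])
        value = msg[offset + 4:offset + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS:
            family, xport = struct.unpack("!xBH", value[:4])  # reserved byte, family, X-Port
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            xaddr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", xaddr)), port
        offset += 4 + ((alen + 3) & ~3)                       # attribute values are padded to 4 bytes
    raise ValueError("XOR-MAPPED-ADDRESS not present")


def parse_stun_client_output(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines printed by tools stun-client into a dict."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            result[key.strip().lower()] = value.strip()
    return result


def classify_nat(mapping: str, filtering: str) -> str:
    """Map RFC 5780 mapping/filtering behaviours onto the classic RFC 3489 NAT types."""
    m, f = mapping.strip().lower(), filtering.strip().lower()
    if m == "endpoint independent mapping":
        return {
            "endpoint independent filtering": "Full-cone NAT",
            "address dependent filtering": "Restricted-cone NAT",
            "address and port dependent filtering": "Port-Restricted-cone NAT",
        }.get(f, "Unclassified")
    if m in ("address dependent mapping", "address and port dependent mapping"):
        return "Symmetric NAT"                                # mapping changes per destination
    return "Unclassified"


# Constructed sample: the stun-client output shown on this page.
SAMPLE_OUTPUT = """\
Binding test: success
Local address: 192.168.1.50:12386
Mapped address: 113.178.123.116:4501
Behavior test: success
Nat behavior: Address Dependent Mapping
Filtering test: success
Nat filtering: Address and Port Dependent Filtering
"""


def classify_output(text: str = SAMPLE_OUTPUT) -> str:
    r = parse_stun_client_output(text)
    return classify_nat(r["nat behavior"], r["nat filtering"])


if __name__ == "__main__":
    pkt = build_binding_response(b"\x00" * 12, "113.178.123.116", 4501)
    print("mapped address from STUN response:", parse_mapped_address(pkt))
    print("classic NAT type for this vEdge:", classify_output())
```

The classification function treats both "Address Dependent" and "Address and Port Dependent" mapping as symmetric, since either one breaks the assumption that the port learned from the STUN server is the port a peer will see; an "Endpoint Independent Mapping" paired with an unexpected filtering string is left unclassified rather than guessed.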