Vyatta Network OS Documentation


Source NAT and VPN: using the "exclude" option

When a packet matches the filter criteria of a source NAT rule (including masquerade NAT), its source address is rewritten before the packet is forwarded to its destination. Source NAT is therefore applied before the VPN process compares the packet against the VPN configuration. If the source network that is configured for source NAT is also configured to use a site-to-site VPN connection over the same externally facing interface, the VPN process no longer recognizes the packets, because their source address has already been changed. Consequently, they are not placed into the VPN tunnel for transport.

To account for this behavior, packets destined for a VPN tunnel must be excluded from having NAT applied. You can do this by using an exclusion rule, as shown in the following figure.

Figure 1. Source NAT and VPN

To configure NAT in this way, perform the following steps in configuration mode.

Table 1. Configuring masquerade NAT to bypass a VPN tunnel

Step

Command

Create SNAT rule 10.

vyatta@vyatta# set service nat source rule 10

Apply this rule to packets coming from any host on the 192.168.0.0/24 network, going to the 192.168.50.0/24 network, and egressing through the dp0p1p1 interface.

vyatta@vyatta# set service nat source rule 10 source address 192.168.0.0/24
vyatta@vyatta# set service nat source rule 10 destination address 192.168.50.0/24
vyatta@vyatta# set service nat source rule 10 outbound-interface dp0p1p1

Exclude packets from NAT translation that match the filter criteria in this rule.

vyatta@vyatta# set service nat source rule 10 exclude

Create SNAT rule 20.

vyatta@vyatta# set service nat source rule 20

Apply this rule to packets coming from any host on the 192.168.0.0/24 network and egressing through the dp0p1p1 interface.

vyatta@vyatta# set service nat source rule 20 source address 192.168.0.0/24
vyatta@vyatta# set service nat source rule 20 outbound-interface dp0p1p1

Use the primary IP address of the outbound interface as the translation address.

vyatta@vyatta# set service nat source rule 20 translation address masquerade

Commit the change.

vyatta@vyatta# commit

Show the configuration.

vyatta@vyatta# show nat source
 rule 10 {
     destination {
         address 192.168.50.0/24
     }
     exclude
     outbound-interface dp0p1p1
     source {
         address 192.168.0.0/24
     }
 }
 rule 20 {
     outbound-interface dp0p1p1
     source {
         address 192.168.0.0/24
     }
     translation {
         address masquerade
     }
 }
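The following Python model is an added illustration, not Vyatta code and not part of the original page. It walks the two rules above in ascending rule-number order with first-match semantics (as the numbering in the procedure implies) and shows what the VPN policy lookup sees afterwards, including the case where the exclude rule is given a higher number than the masquerade rule and so never takes effect. The dp0p1p1 address 203.0.113.1 and the VPN local/remote selectors are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed primary address of dp0p1p1 (constructed for this example; not on the page).
DP0P1P1_ADDR = "203.0.113.1"


def make_rules(exclude_first=True):
    """The two rules from the procedure, keyed by rule number (evaluation order)."""
    exclude = {"source": "192.168.0.0/24", "destination": "192.168.50.0/24",
               "outbound-interface": "dp0p1p1", "exclude": True}
    masq = {"source": "192.168.0.0/24", "outbound-interface": "dp0p1p1",
            "translation": "masquerade"}
    # Misordered variant: masquerade gets the lower number, exclude the higher one.
    return {10: exclude, 20: masq} if exclude_first else {10: masq, 20: exclude}


def matches(rule, pkt):
    """Filter criteria: outbound interface, source network, optional destination network."""
    if pkt["iface"] != rule["outbound-interface"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule["source"]):
        return False
    dst = rule.get("destination")
    return dst is None or ip_address(pkt["dst"]) in ip_network(dst)


def apply_snat(rules, pkt):
    """Return (source address after SNAT, rule number that matched or None).
    First matching rule wins: exclude leaves the source untouched, masquerade
    rewrites it to the outbound interface address."""
    for num in sorted(rules):
        rule = rules[num]
        if matches(rule, pkt):
            if rule.get("exclude"):
                return pkt["src"], num
            if rule.get("translation") == "masquerade":
                return DP0P1P1_ADDR, num
    return pkt["src"], None


def vpn_selects(src, dst, local="192.168.0.0/24", remote="192.168.50.0/24"):
    """Site-to-site policy lookup runs after SNAT and sees the rewritten source."""
    return ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote)


def check(exclude_first, dst):
    """Send one constructed packet from 192.168.0.10 out dp0p1p1 and report the outcome."""
    pkt = {"src": "192.168.0.10", "dst": dst, "iface": "dp0p1p1"}
    new_src, hit = apply_snat(make_rules(exclude_first), pkt)
    return new_src, hit, vpn_selects(new_src, dst)
```

With the rules numbered as on the page, traffic for 192.168.50.0/24 keeps its source and is selected for the tunnel while other traffic is masqueraded; with the numbers swapped, the masquerade rule matches first and the tunnel-bound traffic is translated and missed by the VPN lookup.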