AsterNOS-VPP NAT Configuration Guide
Network Address Translation (NAT) enables multiple devices on a private network to share public IP addresses for internet access. This guide demonstrates how to configure NAT on AsterNOS-VPP routers for both fixed (static) and dynamic address translation scenarios.
What You’ll Learn
✅ Configure Static NAT for fixed IP mappings
✅ Set up Dynamic NAT pools for flexible address sharing
✅ Enable Port Address Translation (PAT/NAPT) for maximum efficiency
✅ Monitor and verify NAT translations in real-time
Introduction
NAT is essential for conserving public IPv4 addresses while enabling internal networks to communicate with external resources. AsterNOS-VPP provides enterprise-grade NAT capabilities including static mappings, dynamic pools, and port-based translation.
Use Cases:
- Enterprise WAN Gateway: Share limited public IPs across hundreds of users
- Data Center Edge: Provide internet access for internal services
- Multi-Tenant Networks: Isolate customer traffic with separate NAT pools
- Server Publishing: Expose internal servers with fixed public addresses
NAT Overview
How NAT Works
NAT devices operate at the network boundary between internal (private) and external (public) networks:
- Outbound Traffic: Internal source IP addresses are replaced with public IP addresses
- Translation Table: The NAT device maintains a mapping of translations
- Inbound Traffic: Public destination IPs are restored to internal private IPs
- Bidirectional Flow: Responses are automatically routed back to originating devices
Interface Zones
AsterNOS-VPP uses NAT zones to designate interfaces:
- Zone 0 (Default): Internal/private network interfaces
- Zone 1: External/public network interfaces (WAN)
Only interfaces in Zone 1 perform NAT translation.
NAT Types Explained
Static NAT (One-to-One)
Maps a single internal IP to a fixed external IP permanently. Ideal for servers that need consistent public addressing.
Example: Web server at 192.168.0.2 always appears as 2.2.2.3
Advantages:
- Predictable addressing for inbound connections
- Simplified DNS and firewall rules
- Bidirectional traffic support
Limitations:
- Consumes one public IP per internal host
- Not scalable for large user populations
Dynamic NAT (Pool-Based)
Assigns external IPs from a pool dynamically as needed. Internal hosts receive temporary public IPs on-demand.
Example: 500 users share a pool of 100 public IPs (2.2.2.100-2.2.2.200)
Advantages:
- Efficient use of limited public IP resources
- Automatic assignment and release
- Supports more users than available IPs
Limitations:
- External IP changes with each session
- May exhaust pool during peak usage
Port Address Translation (PAT/NAPT)
The most commonly used NAT type: multiple internal devices share a single external IP and are told apart by unique port numbers.
Example: Three devices using 2.2.2.2:
192.168.20.2:45000 → 2.2.2.2:45000
192.168.20.3:45001 → 2.2.2.2:45001
192.168.20.4:45002 → 2.2.2.2:45002
Advantages:
- Maximum IP conservation (thousands of users per public IP)
- Standard for home and enterprise routers
- Transparent to end users
Limitations:
- Port exhaustion possible with very high connection counts
- Some applications require special handling
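The translation table behind PAT, as an added example (a teaching model written for this guide's explanation, not AsterNOS-VPP code). It shows outbound mapping, inbound restore, the drop when no mapping exists, port exhaustion, and how an idle timeout frees ports. The class and function names are hypothetical; the port range and the 300 s timeout are the values shown in this guide's output.

```python
from itertools import chain

PORT_RANGE = range(1024, 65535)  # 1024-65534, the pool port range shown on this page
IDLE_TIMEOUT = 300               # seconds; the UDP timeout shown on this page

class Napt:
    """Toy NAPT table for one public IP; a model, not AsterNOS-VPP's implementation."""
    def __init__(self, public_ip, ports=PORT_RANGE, timeout=IDLE_TIMEOUT):
        self.public_ip, self.ports, self.timeout = public_ip, ports, timeout
        self.out = {}   # (private_ip, private_port) -> public_port
        self.back = {}  # public_port -> (private_ip, private_port, last_seen)

    def expire(self, now):
        """Drop mappings idle longer than the timeout, which frees their ports."""
        for port, (ip, pport, seen) in list(self.back.items()):
            if now - seen > self.timeout:
                del self.back[port], self.out[(ip, pport)]

    def outbound(self, src_ip, src_port, now):
        """Translate an internal source; None means no public port is free."""
        self.expire(now)
        port = self.out.get((src_ip, src_port))
        if port is None:
            # Keep the source port when it is free, otherwise take the next free one.
            own = [src_port] if src_port in self.ports else []
            port = next((p for p in chain(own, self.ports) if p not in self.back), None)
            if port is None:
                return None
            self.out[(src_ip, src_port)] = port
        self.back[port] = (src_ip, src_port, now)
        return self.public_ip, port

    def inbound(self, dst_port, now):
        """Restore the internal destination; None means no mapping, so drop."""
        self.expire(now)
        entry = self.back.get(dst_port)
        return entry[:2] if entry else None

def demo():
    nat = Napt("2.2.2.2", ports=range(45000, 45002))      # two ports only, to force exhaustion
    a = nat.outbound("192.168.20.2", 45000, now=0)        # port kept
    b = nat.outbound("192.168.20.3", 45000, now=1)        # clash: next free port
    c = nat.outbound("192.168.20.4", 45002, now=2)        # exhausted
    reply = nat.inbound(45001, now=3)                     # restored to 192.168.20.3
    stale = nat.inbound(45000, now=400)                   # idle past the timeout
    retry = nat.outbound("192.168.20.4", 45002, now=401)  # freed port is reused
    return a, b, c, reply, stale, retry

if __name__ == "__main__":
    print(demo())
```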
Configuration Commands
Port Zone Configuration
Designate interfaces for NAT processing:
sonic# configure terminal
sonic(config)# interface ethernet <number>
sonic(config-if-ethernet<number>)# nat zone 1
Remove NAT zone:
sonic(config-if-ethernet<number>)# no nat zone
Enable NAT Function
Activate NAT globally:
sonic(config)# nat enable
Disable NAT:
sonic(config)# no nat enable
Static NAT Configuration
Create static mapping:
sonic(config)# nat static basic <public-ip> <private-ip> {snat|dnat}
Parameters:
- <public-ip> (global IP) — Public network address
- <private-ip> (local IP) — Private network address
- snat — Source NAT (outbound translation)
- dnat — Destination NAT (inbound translation)
Remove static mapping:
sonic(config)# no nat static basic <public-ip> <private-ip> {snat|dnat}
Static NAPT Configuration
Map specific ports:
sonic(config)# nat static {tcp|udp} <public-ip> <public-port> <private-ip> <private-port> {snat|dnat}
Parameters:
- <public-ip> (global IP) — Public network IP
- <public-port> (global port) — Public network port
- <private-ip> (local IP) — Private network IP
- <private-port> (local port) — Private network port
Remove NAPT mapping:
sonic(config)# no nat static {tcp|udp} <public-ip> <public-port> <private-ip> <private-port>
Dynamic NAT Pool Configuration
Create address pool:
sonic(config)# nat pool <pool-name> <start-ip> [<end-ip>]
Parameters:
- <pool-name> — Descriptive name for the pool
- <start-ip> — First IP in range
- <end-ip> — Last IP in range (optional for single IP)
Remove pool:
sonic(config)# no nat pool <pool-name>
NAT Binding Configuration
Associate pool with ACL (optional):
sonic(config)# nat binding <binding-name> <pool-name> [acl <acl-name>]
Parameters:
- <binding-name> — Descriptive binding identifier
- <pool-name> — Previously created NAT pool
- [acl <acl-name>] — Optional access list to filter traffic
Remove binding:
sonic(config)# no nat binding <binding-name>
Static NAT Configuration
Scenario: Public Server Access

Network Requirements:
- WAN Interface (ethernet2): 2.2.2.2/24
- LAN Gateway (ethernet1): 192.168.0.1/24
- Internal Host: 192.168.0.2/24
- Required Public IP: 2.2.2.3/24
- Carrier Gateway: 2.2.2.1/24
Configuration Steps
# Step 1: Configure LAN interface
sonic(config)# interface ethernet 1
sonic(config-if-ethernet1)# ip address 192.168.0.1/24
sonic(config-if-ethernet1)# exit
# Step 2: Configure WAN interface
sonic(config)# interface ethernet 2
sonic(config-if-ethernet2)# ip address 2.2.2.2/24
sonic(config-if-ethernet2)# nat zone 1
sonic(config-if-ethernet2)# exit
# Step 3: Configure default route
sonic(config)# ip route 0.0.0.0/0 2.2.2.1
# Step 4: Enable NAT
sonic(config)# nat enable
# Step 5: Create static NAT mapping
sonic(config)# nat static basic 2.2.2.3 192.168.0.1 snat
sonic(config)# exit
# Step 6: Save configuration
sonic# write memory
Verification
sonic# show nat config
Global values:
Admin mode: Enabled
Global timeout: 600 secs
TCP timeout: 86400 secs
UDP timeout: 300 secs
Static entries:
NAT Type IP Protocol Global IP Global Port Local IP Local Port Twice NAT ID
-------- ----------- ----------- ----------- ------------- ---------- ------------
SNAT ALL 2.2.2.3 - 192.168.0.1 - -
Pool entries:
Pool Name Global IP Range Global Port Range
--------- --------------- -----------------
NAT Bindings:
Binding Name Pool Name Access List NAT Type Twice NAT ID
------------ --------- ----------- -------- ------------
NAT Zones:
Port Zone
--------- ----
ethernet1 0
ethernet2 1
Check active translations:
sonic# show nat translations
Static NAT entries: 2
Static NAPT entries: 0
Dynamic NAT entries: 0
Dynamic NAPT entries: 0
Static twice NAT entries: 0
Static twice NAPT entries: 0
Dynamic twice NAT entries: 0
Dynamic twice NAPT entries: 0
Total SNAT/SNAPT entries: 1
Total DNAT/DNAPT entries: 1
Total entries: 2
Protocol Source Destination Translated Source Translated Destination
-------- ----------- ----------- ----------------- ----------------------
ALL 2.2.2.3 - 192.168.0.1 -
ALL 192.168.0.1 - 2.2.2.3 -
Monitor traffic statistics:
sonic# show nat statistics
Protocol Source Destination Packets Bytes
-------- ----------- ----------- ------- -----
ALL 2.2.2.3 - 0 0
ALL 192.168.0.1 - 0 0
Dynamic NAT Configuration
Scenario: Enterprise Internet Gateway
Network Requirements:
- WAN Interface (ethernet2): 2.2.2.2/24
- LAN Subnet: 192.168.20.0/24
- Public IP Pool: 2.2.2.100 - 2.2.2.200 (100 addresses)
- Upstream Gateway: 2.2.2.1/24
Configuration Steps
# Step 1: Configure LAN interface
sonic(config)# interface ethernet 1
sonic(config-if-ethernet1)# ip address 192.168.20.1/24
sonic(config-if-ethernet1)# exit
# Step 2: Configure WAN interface
sonic(config)# interface ethernet 2
sonic(config-if-ethernet2)# ip address 2.2.2.2/24
sonic(config-if-ethernet2)# nat zone 1
sonic(config-if-ethernet2)# exit
# Step 3: Configure default route
sonic(config)# ip route 0.0.0.0/0 2.2.2.1
# Step 4: Enable NAT
sonic(config)# nat enable
# Step 5: Create NAT pool
sonic(config)# nat pool nat-pool 2.2.2.100 2.2.2.200
# Step 6: Bind pool to NAT
sonic(config)# nat binding test nat-pool
sonic(config)# exit
# Step 7: Save configuration
sonic# write memory
Verification
sonic# show nat config
Global values:
Admin mode: Enabled
Global timeout: 600 secs
TCP timeout: 86400 secs
UDP timeout: 300 secs
Static entries:
NAT Type IP Protocol Global IP Global Port Local IP Local Port Twice NAT ID
-------- ----------- --------- ----------- -------- ---------- ------------
Pool entries:
Pool Name Global IP Range Global Port Range
--------- --------------------- -----------------
nat-pool 2.2.2.100-2.2.2.200 1024-65534
NAT Bindings:
Binding Name Pool Name Access List NAT Type Twice NAT ID
------------ --------- ----------- -------- ------------
test nat-pool - SNAT -
NAT Zones:
Port Zone
--------- ----
ethernet1 0
ethernet2 1
Monitor active translations:
sonic# show nat translations
Static NAT entries: 0
Static NAPT entries: 0
Dynamic NAT entries: 0
Dynamic NAPT entries: 0
Static twice NAT entries: 0
Static twice NAPT entries: 0
Dynamic twice NAT entries: 0
Dynamic twice NAPT entries: 0
Total SNAT/SNAPT entries: 0
Total DNAT/DNAPT entries: 0
Total entries: 0
Protocol Source Destination Translated Source Translated Destination
-------- ----------- ----------- ----------------- ----------------------
TCP 2.2.2.100 - 192.168.20.2 -
TCP 192.168.20.2 - 2.2.2.100 -
Check translation statistics:
sonic# show nat translations count
Static NAT entries: 0
Static NAPT entries: 0
Dynamic NAT entries: 0
Dynamic NAPT entries: 0
Static twice NAT entries: 0
Static twice NAPT entries: 0
Dynamic twice NAT entries: 0
Dynamic twice NAPT entries: 0
Total SNAT/SNAPT entries: 0
Total DNAT/DNAPT entries: 0
Total entries: 0
Monitor traffic statistics:
sonic# show nat statistics
Protocol Source Destination Packets Bytes
-------- ----------- ----------- ------- -----
TCP 2.2.2.100 - 0 0
TCP 192.168.20.2 - 0 0
Monitoring & Troubleshooting
Display NAT Configuration
sonic# show nat config
Output includes:
- Global NAT settings (timeouts: 600s global, 86400s TCP, 300s UDP)
- Static NAT/NAPT entries
- NAT pool definitions (default port range: 1024-65534)
- Binding associations
- Interface zone assignments
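A review pass over this output can be scripted. The following is an added example, not part of AsterNOS-VPP or its tooling: it parses text laid out like the show nat config output above and reports three conditions this guide touches on (NAT enabled with no zone 1 interface, static entries that translate all protocols and ports rather than a single NAPT port, and bindings with no access list). The finding codes and the sample text are constructed for the example.

```python
import re
# Constructed sample in the page's `show nat config` layout; ethernet2 is left in zone 0 on purpose.
SAMPLE = """\
Admin mode: Enabled
Static entries:
NAT Type IP Protocol Global IP Global Port Local IP Local Port Twice NAT ID
-------- ----------- --------- ----------- -------- ---------- ------------
SNAT ALL 2.2.2.3 - 192.168.0.2 - -
DNAT TCP 2.2.2.4 443 192.168.0.10 8443 -
NAT Bindings:
Binding Name Pool Name Access List NAT Type Twice NAT ID
------------ --------- ----------- -------- ------------
test nat-pool - SNAT -
NAT Zones:
Port Zone
--------- ----
ethernet1 0
ethernet2 0
"""
SECTIONS = ("Static entries:", "Pool entries:", "NAT Bindings:", "NAT Zones:")

def parse(text):
    """Group data rows (the lines after each dashed rule) by section heading."""
    rows, section, in_data = {s: [] for s in SECTIONS}, None, False
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            section, in_data = line, False
        elif section and line.startswith("---"):
            in_data = True
        elif section and in_data and line:
            rows[section].append(line.split())
    return rows

def audit(text):
    """Return (code, detail) findings; the codes are this example's own names."""
    rows, findings = parse(text), []
    zones = dict(r for r in rows["NAT Zones:"] if len(r) == 2)
    if re.search(r"Admin mode:\s*Enabled", text) and "1" not in zones.values():
        findings.append(("NO_ZONE1", "NAT is enabled but no interface is in zone 1"))
    for r in rows["Static entries:"]:
        if len(r) == 7 and r[1] == "ALL":  # static basic: not limited to one port
            findings.append(("STATIC_ALL", f"{r[2]} <-> {r[4]} maps all protocols and ports"))
    for r in rows["NAT Bindings:"]:
        if len(r) == 5 and r[2] == "-":  # no ACL restricts which traffic is translated
            findings.append(("BINDING_NO_ACL", f"binding {r[0]} has no access list"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding here is a prompt for review, not necessarily an error: a static basic mapping or a binding without an ACL may be intended.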
View Active Translations
sonic# show nat translations
Shows real-time translation table with:
- Protocol (TCP/UDP/ICMP/ALL)
- Original and translated source/destination IPs
- Port numbers (for NAPT)
Check Translation Counts
sonic# show nat translations count
Provides summary statistics:
- Count of static vs. dynamic entries
- SNAT vs. DNAT usage
- Total active translations
Monitor Traffic Statistics
sonic# show nat statistics
Displays per-translation traffic:
- Packet counts
- Byte counts
- Directional flow (inbound/outbound)
Common Issues & Solutions
Issue: NAT not working
Solution:
- Verify NAT is enabled: show nat config
- Check zone assignment: Interface must be in zone 1 for WAN
- Confirm default route exists: show ip route
- Validate pool/binding configuration
Issue: Pool exhaustion
Solutions:
- Check translation count: show nat translations count
- Increase pool size: Add more IPs to nat pool
- Reduce timeout values (default: 600s global, 86400s TCP, 300s UDP)
- Consider PAT instead of pure NAT
Issue: Static NAT not accessible from internet
Solutions:
- Verify public IP is routable (check with ISP)
- Confirm firewall rules allow inbound traffic
- Check zone configuration on WAN interface
- Validate static NAT entry direction (SNAT vs. DNAT)
Summary
✅ What You Accomplished:
- Configured Static NAT for fixed IP mappings (1:1)
- Set up Dynamic NAT pools for flexible address sharing (101 IPs: 2.2.2.100-200)
- Enabled PAT/NAPT for maximum IP conservation
- Monitored NAT translations and traffic statistics
AsterNOS-VPP NAT provides carrier-grade address translation with simple CLI configuration and comprehensive monitoring tools.
