SD-WAN

I am building an SD-Branch network for one of my customers, and I have a question about the public IP address learned by the VPNCs.  My customer gave me an external address of 37.110.x.x (IP x'ed out for confidentiality) that is provided from the internet space via their firewalls.  This address is being NATed to the VRRP address of the internet transit VLAN.  In the WAN summary page for the VPNC uplink interfaces, the external public address shows up as 109.70.x.x. Other customers that I have, the address shows up as the same, both the configured external address and the learned external public IP.  As far as I know, the customer has created a 1:1 NAT for the 37.110.x.x address to the internal VRRP address of the Internet VRRP, 10.254.76.11.  Do we need to create a many-to-one NAT for the physical interfaces as well so that all traffic meant for .9, .10 and .11 are NATed to the 37.110.x.x address?  

I was not able to see your diagram.

But if I understand your design correctly...

If you have placed your VPNC's in a Cluster to serve BRANCH sites, (and WAN is required to sit behind a NAT) you'll need a 1:1 NAT for each WAN Interface. 

This is by design, such that the BRANCH sites are tunnel aware of both VPNC's and do not rely on slow/aged redundancy techniques like VRRP. 

The VPNC's are using their individual WAN interfaces/IPs for tunnel and Central reporting, which is likely why (and you could check the FW logs) is not hitting the correct NAT. Thus reporting the "109." WAN IP. 

------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------

Thanks Zak.  I was able to get the diagram uploaded if you can check it out to validate.  

Original Message:
Sent: Feb 14, 2024 10:46 AM
From: 802.zak
Subject: VPNC Internet Uplink Setup Question

I was not able to see your diagram.

But if I understand your design correctly...

If you have placed your VPNC's in a Cluster to serve BRANCH sites, (and WAN is required to sit behind a NAT) you'll need a 1:1 NAT for each WAN Interface. 

This is by design, such that the BRANCH sites are tunnel aware of both VPNC's and do not rely on slow/aged redundancy techniques like VRRP. 

The VPNC's are using their individual WAN interfaces/IPs for tunnel and Central reporting, which is likely why (and you could check the FW logs) is not hitting the correct NAT. Thus reporting the "109." WAN IP. 

------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------

Thanks, I can see it now.

My thoughts here still align, based on the diagram. Best practice would be a 1:1 NAT per VPNC. 

------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------

Original Message:
Sent: Feb 14, 2024 10:57 AM
From: kurtw1
Subject: VPNC Internet Uplink Setup Question

Thanks Zak.  I was able to get the diagram uploaded if you can check it out to validate.  

Original Message:
Sent: Feb 14, 2024 10:46 AM
From: 802.zak
Subject: VPNC Internet Uplink Setup Question

I was not able to see your diagram.

But if I understand your design correctly...

If you have placed your VPNC's in a Cluster to serve BRANCH sites, (and WAN is required to sit behind a NAT) you'll need a 1:1 NAT for each WAN Interface. 

This is by design, such that the BRANCH sites are tunnel aware of both VPNC's and do not rely on slow/aged redundancy techniques like VRRP. 

The VPNC's are using their individual WAN interfaces/IPs for tunnel and Central reporting, which is likely why (and you could check the FW logs) is not hitting the correct NAT. Thus reporting the "109." WAN IP. 

------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.