Customized SNAT and DNAT on Edge Use Case
Aviatrix Secure Edge supports customized SNAT and DNAT for the use case where the CSP network CIDR overlaps with the on-prem network CIDR.
The following NAT scenarios are supported:
- Single IP and Customized SNAT on Edge Gateway - for network traffic initiated from the Edge location towards the CSP.
- DNAT on Edge Gateway - for network traffic initiated from the Edge location towards the Transit Gateway or CSP.
Note: Customized SNAT on Edge Gateway is not supported when VLAN segmentation is also configured in the same network domain.
This diagram shows overlapping CSP and on-prem network CIDRs.
In this example, to resolve the overlapping CIDR issue, you would perform these steps:

- Create a mapping of the Real CIDR to Virtual CIDR for both the cloud instances and on-prem hosts or workloads. For example:

  | Network          | Real CIDR    | Virtual CIDR   |
  |------------------|--------------|----------------|
  | Cloud workload   | 10.3.0.86/32 | 10.203.0.86/32 |
  | On-prem workload | 10.3.0.85/32 | 10.103.0.85/32 |
- Configure DNAT on Edge Gateway for traffic initiated from on-prem to cloud.

  In Aviatrix CoPilot:

  - Go to Cloud Fabric > Edge > Edge Gateways tab.
  - Select the Edge Gateway for which you want to enable DNAT.
  - In the Edge Gateway Settings tab, expand the Network Address Translation (NAT) section.
  - Click the Destination NAT toggle switch to On.
  - In Destination NAT, from the Instance dropdown menu, select the Edge Gateway.
  - Click + Rule and provide the following information.

    | Setting    | Description |
    |------------|-------------|
    | Instance   | From the dropdown list, select the Edge Gateway instance. |
    | Src CIDR   | Enter 10.3.0.85/32. |
    | Dst CIDR   | Enter 10.203.0.86/32 (the virtual IP of the cloud instance). |
    | Connection | From the dropdown list, select the connection to the Transit Gateway. |
    | Mark       | (Optional) Enter a unique value between 65535 and 99999. |
    | DNAT IP    | Enter 10.3.0.86 (the cloud instance). |
- Configure a Manual BGP Advertised CIDR List to advertise the DNAT virtual IP from the Edge Gateway to on-prem via BGP.

  - In the Edge Gateway Settings tab, expand the Border Gateway Protocol (BGP) section.
  - In Manual BGP Advertised CIDR List, enter the following information.

    | Setting                           | Description |
    |-----------------------------------|-------------|
    | Advertised CIDRs (Per Gateway)    | Leave this blank. |
    | Connection                        | From the dropdown menu, select the connection to the on-prem BGP peer. |
    | Advertised CIDRs (Per Connection) | Enter 10.203.0.86/32 (the virtual IP of the cloud instance). |
- Configure SNAT on Edge Gateway for traffic initiated from cloud to on-prem.

  - In the Edge Gateway's Settings tab, expand the Network Address Translation (NAT) section.
  - Click the Source NAT switch to On, then click Customized SNAT.
  - From the Instance dropdown menu, select the Edge Gateway.
  - Click + Rule and provide the following information.

    | Setting    | Description |
    |------------|-------------|
    | Connection | Select the output connection where the rule will apply. |
    | Mark       | Enter the value that was defined in the DNAT settings. The mark identifies the TCP session to which this rule applies. |
    | SNAT IP    | Enter 10.103.0.85 (the virtual IP of the on-prem host). |
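As an added example that is not part of the Aviatrix documentation, the following Python model walks the page's own addresses through the mapping table, the DNAT rule and the mark-keyed customized SNAT rule configured above, then reverses the translation on the reply so you can confirm that the on-prem host only ever sees the cloud instance's virtual IP and the cloud instance only ever sees the on-prem host's virtual IP. The rule and packet shapes, the connection name "to-transit", the session table and the mark value 65535 are assumptions of this example, not CoPilot objects or Edge Gateway internals.

```python
"""Added example, not Aviatrix code: a model of the mapping table, the DNAT
rule and the mark-keyed customized SNAT rule on this page, using the page's
addresses. Rule/packet shapes, "to-transit", the session table and the mark
value are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Real-to-virtual mapping from the page's table.
MAPPING = {
    "cloud":   {"real": "10.3.0.86/32", "virtual": "10.203.0.86/32"},
    "on-prem": {"real": "10.3.0.85/32", "virtual": "10.103.0.85/32"},
}

def virtual_cidrs_are_free(mapping: dict) -> bool:
    """The mapping only works if no virtual CIDR collides with any other
    real or virtual CIDR in the table."""
    nets = [ipaddress.ip_network(v[k]) for v in mapping.values() for k in ("real", "virtual")]
    for v in mapping.values():
        virt = ipaddress.ip_network(v["virtual"])
        if sum(1 for n in nets if n.overlaps(virt)) > 1:   # more than itself
            return False
    return True

def valid_mark(mark: int) -> bool:
    """Range the page gives for the DNAT rule's Mark field."""
    return 65535 <= mark <= 99999

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    connection: str            # connection the packet leaves on
    mark: Optional[int] = None

@dataclass(frozen=True)
class DnatRule:
    src_cidr: str
    dst_cidr: str
    connection: str
    dnat_ip: str
    mark: int

@dataclass(frozen=True)
class SnatRule:
    connection: str
    mark: int
    snat_ip: str

MARK = 65535   # constructed; any value in the page's range works
DNAT_RULES = [DnatRule("10.3.0.85/32", "10.203.0.86/32", "to-transit", "10.3.0.86", MARK)]
SNAT_RULES = [SnatRule("to-transit", MARK, "10.103.0.85")]

def apply_dnat(pkt: Packet, rules) -> Packet:
    """Rewrite the virtual cloud destination to the real IP and tag the flow."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (pkt.connection == r.connection
                and src in ipaddress.ip_network(r.src_cidr)
                and dst in ipaddress.ip_network(r.dst_cidr)):
            return replace(pkt, dst=r.dnat_ip, mark=r.mark)
    return pkt

def apply_snat(pkt: Packet, rules) -> Packet:
    """Customized SNAT keyed on the DNAT mark: only the marked session has its
    source rewritten to the on-prem virtual IP; other traffic is untouched."""
    for r in rules:
        if pkt.connection == r.connection and pkt.mark == r.mark:
            return replace(pkt, src=r.snat_ip)
    return pkt

class EdgeNat:
    """DNAT then SNAT on egress; the recorded translation is reversed on the
    reply, so each side only ever sees the other side's virtual IP."""
    def __init__(self, dnat_rules, snat_rules):
        self.dnat_rules, self.snat_rules = dnat_rules, snat_rules
        self.sessions = {}   # (translated src, translated dst) -> (orig src, orig dst)

    def egress(self, pkt: Packet) -> Packet:
        out = apply_snat(apply_dnat(pkt, self.dnat_rules), self.snat_rules)
        if out != pkt:
            self.sessions[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reply(self, pkt: Packet) -> Packet:
        """A reply carries the translated addresses swapped; map them back."""
        orig = self.sessions.get((pkt.dst, pkt.src))
        if orig is None:
            return pkt
        orig_src, orig_dst = orig
        return replace(pkt, src=orig_dst, dst=orig_src, mark=None)

def demo():
    """On-prem host 10.3.0.85 connects to the BGP-advertised virtual IP 10.203.0.86."""
    nat = EdgeNat(DNAT_RULES, SNAT_RULES)
    out = nat.egress(Packet("10.3.0.85", "10.203.0.86", "to-transit"))
    back = nat.reply(Packet("10.3.0.86", "10.103.0.85", "to-transit"))
    return out, back

if __name__ == "__main__":
    o, b = demo()
    print(f"egress: {o.src} -> {o.dst} (mark {o.mark})")   # 10.103.0.85 -> 10.3.0.86 (mark 65535)
    print(f"reply : {b.src} -> {b.dst}")                   # 10.203.0.86 -> 10.3.0.85
```

The point worth noticing is the ordering: DNAT runs first and sets the mark, and the customized SNAT matches on that mark rather than on addresses, which is why the SNAT rule on the page carries the same mark value as the DNAT rule. A packet on the same connection that was not DNAT'd keeps its real source address, so the overlap fix is confined to the one session it is meant for.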