Enable Server Pool load balancing using NAT rules
NAT rules specify which traffic is directed to the Server Pool. You can use NAT rules to apply both source and destination address translation for Server Pools.
Before you begin
Add Access rules that allow the type of traffic that is handled by the Server Pool.
When you use destination address translation with Server Pools, the NAT operation translates the external IP addresses of Server Pool elements to the internal IP addresses of the Host elements that are members of the Server Pool.
When you use source address translation with Server Pools, the return packets from the Server Pool servers are routed through the Secure SD-WAN Engine to the client. These packets are recognized as part of the existing connection between the client and the server. This feature also allows you to use dynamic source NAT with Server Pool load balancing.
- Make sure that there are no overlapping NAT rules in the policy.
- If you want to balance traffic that arrives through a VPN using a Server Pool, NAT must be enabled in the properties of the VPN element (NAT is disabled by default for traffic that uses a VPN).
- You must create a separate NAT rule for each Server Pool.
For more details about the product and how to configure features, click Help or press F1.
Steps
Next steps
Network Address Translation dialog box
Use this dialog box to define the settings for overwriting source and destination addresses in packets.
Option | Definition |
---|---|
Source Translation tab | |
Translation Type |
Defines the translation type.
|
IP Address Pool
(Dynamic only) |
The IP address pool of IP addresses that are used for the translation. The minimum size for the pool is one IP address. The number of IP addresses required depends on how many ports you allow the address translation to use, and how many concurrent connections dynamic address translation handles at peak times. If the IP address/port pairs run out, new connections cannot be opened before existing connections are closed.
The IP addresses used for NAT must not be in use in the network, as this creates an IP address conflict. However, the engine’s own IP address (CVI on clusters) can be used for address translation if there are no free IP addresses available (make sure that your selected port range does not overlap with communications ports that the engine uses on this address). |
IP Address(es)
(Static only) |
Define the original and translated IP addresses.
Click Select to select an element. |
Address | Allows manual entry of the IP address or (sub)network to use for the address translation. |
First Port to Use
(Dynamic only) |
The start of the port range for source IP address translation. The default is the beginning of the “free” high port range, 1024. |
Last Port to Use
(Dynamic only) |
The end of the port range for source IP address translation. The default is the highest possible port, 65535. |
Automatic Proxy ARP (Recommended)
(IPv4 only) |
Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the
Routing view.
This option is required in most cases, but it must not be active for IP addresses that are used by any equipment in the directly connected networks. |
Automatic Proxy Neighbor Discovery
(IPv6 only) |
Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the
Routing view.
There is a limit to the number of addresses that the engine can proxy for neighbor discovery. |
Option | Definition |
---|---|
Destination Translation tab | |
Translation Type |
Defines the translation type.
|
Option | Definition |
---|---|
Destination Translation tab, Translate Destination selected | |
Translate Destination (Optional) |
When selected, enables options for translating destination IP addresses. |
IP Addresses |
Defines the original and translated IP addresses.
Click Select to select an element. |
Address | Allows manual entry of the IP address or (sub)network to use for the address translation. |
Automatic Proxy ARP (Recommended)
(IPv4 only) |
Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view. This option is required in most cases, but it must not be active for IP addresses that are used by any equipment in the directly connected networks. |
Automatic Proxy Neighbor Discovery
(IPv6 only) |
Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view. There is a limit to the number of addresses that the engine can proxy for neighbor discovery. |
Translate Destination Port | Select if you want to translate destination ports. If you do not select this option, ports are not translated, so packets are sent onwards with the destination port intact. |
IP Ports |
Define the original and translated IP ports.
|
Option | Definition |
---|---|
Destination Translation tab, Forward to Proxy selected | |
Proxy Server | Specifies the proxy server to which traffic is forwarded. Click Select to select an element. |