FortiGate
jiahoong112
Staff
Article Id 226897
Description

This article describes how to set up a Double NAT VIP on the Inter-VDOM link.

This applies where one VDOM has Internet access and the other VDOM does not. The VIP on the Internet-facing VDOM maps the external IP to an inter-VDOM IP.

A second VIP on the non-Internet-facing VDOM then maps that same inter-VDOM IP to the internal host.

Scope

FortiGate 6.0.x, 6.2.x, 6.4.x, 7.0.x, 7.2.x - Double NAT.
Solution

Topology:

INET_VDOM -> Internet-facing VDOM

LAN_VDOM -> VDOM with no Internet access (LAN VDOM).

[Topology diagram]

Goal:

The goal is to reach the internal LAN IP (10.185.3.170) from the external IP (10.47.3.170), with the traffic passing through an inter-VDOM IP by way of VIPs. The same inter-VDOM IP is used in the VIP of both VDOMs, hence double NAT.

Create a VIP object on the Internet-facing VDOM, vipA: 10.47.3.170 -> 10.10.10.100.

This VIP maps the external IP to an inter-VDOM IP; in this demonstration, 10.10.10.100 is used.

Then create a VIP object on the non-Internet-facing VDOM, vipB: 10.10.10.100 -> 10.185.3.170. This VIP maps the inter-VDOM IP used in vipA to the actual internal LAN IP, 10.185.3.170.


Note:

Whether SD-WAN is used does not matter, because only one external IP is used for the VIP.


Method 1.

INET_VDOM (Internet-facing VDOM) configuration:

Interface:

[Screenshot: INET_VDOM interface configuration]


VIP Object:

Note:

Any IP can be chosen as long as it is within the inter-VDOM IP subnet specified under Interfaces.

Ensure the inter-VDOM IP used in the VIP objects of both VDOMs is the same.

[Screenshot: INET_VDOM VIP object vipA]


Firewall Policy:

[Screenshot: INET_VDOM firewall policy]

No static route configuration is required on INET_VDOM.


LAN_VDOM (non-Internet-facing VDOM) configuration:

Interface:

[Screenshot: LAN_VDOM interface configuration]


VIP Object:

Note:

Ensure the inter-VDOM IP used in the VIP objects of both VDOMs is the same.

[Screenshot: LAN_VDOM VIP object vipB]


Firewall Policy:

[Screenshot: LAN_VDOM firewall policy]


Static Route:

Note:

The static route is required here so that return traffic is routed back through the inter-VDOM link.

For the gateway IP, use the inter-VDOM link IP of inter-VDOM0 on INET_VDOM.

[Screenshot: LAN_VDOM static route]


Result:

This is how the session table should look.

Session table filters used:

# diag sys session filter ext-dst 10.47.3.170 -> wan ip
# diag sys session filter ext-dst 10.185.3.170 -> internal-lan ip
# diag sys session filter ext-dst 10.10.10.100 -> inter-vdom ip

# diag sys session list

[Screenshot: session table output, Method 1]

In this screenshot, 10.111.36.200 is the IP pinging the WAN IP of INET_VDOM.


Method 2.

In Method 2, no static routes to the inter-VDOM links are required on either VDOM.

The configuration is exactly the same as in Method 1, except that SNAT is enabled on the VIP firewall policies.


INET_VDOM Firewall Policy:

[Screenshot: INET_VDOM firewall policy with NAT enabled]

LAN_VDOM Firewall Policy:

[Screenshot: LAN_VDOM firewall policy with NAT enabled]


How does it work:

1) Traffic from the outside that hits the WAN IP, 10.47.3.170, is translated to 10.10.10.100 on INET_VDOM and passes through the inter-VDOM link.

2) On LAN_VDOM, the traffic arriving over the inter-VDOM link hits the inter-VDOM IP, 10.10.10.100, which is translated to 10.185.3.170.

3) No static route is required here because the return traffic is translated by SNAT from 10.185.3.170 to 10.10.10.100, then passes back through the inter-VDOM link gateway, 10.10.10.1, to INET_VDOM and out through the WAN link.

 

Result:

This is how the session table should look.

Session table filters used:

# diag sys session filter ext-dst 10.47.3.170 -> wan ip
# diag sys session filter ext-dst 10.185.3.170 -> internal-lan ip
# diag sys session filter ext-dst 10.10.10.100 -> inter-VDOM ip

# diag sys session list

[Screenshot: session table output, Method 2]

In this screenshot, 10.111.36.200 is the IP pinging the WAN IP of INET_VDOM.