topic Re: API - Add nat rule with Hide and Static method in API / CLI Discussion

API - Add nat rule with Hide and Static method

Kristof_Vermael — Mon, 26 Nov 2018 09:36:25 GMT

Hello all,

I'm trying to find out if it is possible to add a NAT rule with the API with Hide NAT for the source address, and a Static NAT for the destination. In the documentation, it is only possible to add one method, Hide, or static.

The use case : I have a group that needs to connect to a single IP, I need to Hide the source after 1 single IP and I need to translate the destination to 1 single IP.

It is possible in the GUI, but for my automation, I would need to create these rules with the API.

Any ideas ?

Re: API - Add nat rule with Hide and Static method

Egor_Cherkasov — Mon, 26 Nov 2018 14:16:55 GMT

I've not completely understood your question, but I'll try to give you some information.

Hide NAT translates multiple source addresses to a one public address.

The destination adress always will be the one, because You connect to a public IP.

Even when you have 2 different LANs, which are connected with each other through the Internet. The destination adress will be permanent, because your IP packet has that destination.

Static NAT translates 1 to 1 (source to public) address.

In your case you definetely should use Hide NAT.

Regards.

Re: API - Add nat rule with Hide and Static method

Kristof_Vermael — Mon, 26 Nov 2018 14:43:14 GMT

Hello,

Let me explain it with an example :

Orginal source : 10.0.0.0/24

Original destination : 10.100.1.1/32

translated source : 10.200.1.1/32

translated destination : 8.8.8.8/32

In my opinion, you are doing HIDE NAT for the source and STATIC NAT for the destination.

I have run a few a test with the API and although you can only define on method ( Hide or Static ) and seems R80.10 is somehow intelligent to know that this is for the source only. Translated Source is Hide in my policy, Translated Destination is Static in my policy.

This is what I've been looking for.

Re: API - Add nat rule with Hide and Static method

Mike_A — Mon, 26 Nov 2018 15:36:24 GMT

Kristof/Egor,

I just used the line below in my lab, source of translated packet is a HIDE and destination of translated is a STATIC.

Please keep in mind this is through SmartConsole CLI, but you can modify to work with mgmt_cli as well.

Note, in bold below you would replace with what your object names are.

# add NAT

add nat-rule original-source net_10.0.0.0_b24 original-destination srv_10.100.1.1 translated-source srv_10.200.1.1 method hide translated-destination srv_8.8.8.8 package Mike position bottom

# screen shot

Re: API - Add nat rule with Hide and Static method

PhoneBoy — Mon, 26 Nov 2018 21:42:59 GMT

Just to clarify the method option in add nat-rule refers to what happens to the source address (hide or static).

If you specify a translated-destination, the only supported method is static and it should be the same size (host, network, or range) as the original- destination.

Re: API - Add nat rule with Hide and Static method

Kristof_Vermael — Tue, 27 Nov 2018 08:19:53 GMT

Hello Dameon,

In R77.30, it was however possible to see hide nat for destination nat when you change the NAT method.

I was a bit confused about this, but in R80.10, it all seems to work !

Re: API - Add nat rule with Hide and Static method

PhoneBoy — Tue, 27 Nov 2018 14:36:26 GMT

Pretty sure that was a bug it even allowed that.