
VPP: Too Strict Validation for NAT44 Static Rules
Closed, Resolved / Public / BUG

Description

It seems we made a mistake in the validation of NAT44 static rules. Currently, we require external addresses to be present in the NAT address pool before they can be used in static mappings. However, this appears to be incorrect.

This verification rule defeats the purpose of out-to-in-only rules: even though there is no static rule with this option covering the in-to-out direction, a dynamic mapping will still translate that traffic, so the condition "only input direction" is not fulfilled.

Such a configuration is actually valid:

set vpp nat44 address-pool twice-nat address '203.0.113.6'
set vpp nat44 interface inside 'eth2'
set vpp nat44 interface outside 'eth1'
set vpp nat44 interface outside 'eth2'
set vpp nat44 static rule 100 description 'Public web server HTTP'
set vpp nat44 static rule 100 external address '203.0.113.3'
set vpp nat44 static rule 100 external port '80'
set vpp nat44 static rule 100 local address '10.10.10.10'
set vpp nat44 static rule 100 local port '80'
set vpp nat44 static rule 100 protocol 'tcp'
set vpp nat44 static rule 101 description 'Public web server HTTPS'
set vpp nat44 static rule 101 external address '203.0.113.3'
set vpp nat44 static rule 101 external port '443'
set vpp nat44 static rule 101 local address '10.10.10.10'
set vpp nat44 static rule 101 local port '443'
set vpp nat44 static rule 101 protocol 'tcp'
set vpp nat44 static rule 200 protocol 'tcp'
set vpp nat44 static rule 300 description 'Web server alt port with twice-NAT'
set vpp nat44 static rule 300 external address '203.0.113.3'
set vpp nat44 static rule 300 external port '8080'
set vpp nat44 static rule 300 local address '10.10.10.10'
set vpp nat44 static rule 300 local port '8080'
set vpp nat44 static rule 300 options twice-nat
set vpp nat44 static rule 300 protocol 'tcp'
set vpp nat44 static rule 400 description 'RDP server - external access only'
set vpp nat44 static rule 400 external address '203.0.113.5'
set vpp nat44 static rule 400 external port '3389'
set vpp nat44 static rule 400 local address '10.10.10.30'
set vpp nat44 static rule 400 local port '3389'
set vpp nat44 static rule 400 options out-to-in-only
set vpp nat44 static rule 400 protocol 'tcp'

If we drop the validation, the VPP config will look like this:

vpp# show nat44 addresses 
NAT44 pool addresses:
NAT44 twice-nat pool addresses:
203.0.113.6
  tenant VRF: 0
vpp# show nat44 interfaces
NAT44 interfaces:
 eth2 in
 eth1 out
 eth2 out
vpp# show nat44 static mappings 
NAT44 static mappings:
 TCP local 10.10.10.10:80 external 203.0.113.3:80 vrf 0  
 TCP local 10.10.10.10:443 external 203.0.113.3:443 vrf 0  
 TCP local 10.10.10.10:8080 external 203.0.113.3:8080 vrf 0 twice-nat 
 TCP local 10.10.10.30:3389 external 203.0.113.5:3389 vrf 0  out2in-only
 identity mapping TCP 203.0.113.2:22 vrf 0

And it works as expected:

  1. 10.10.10.10:
    • Can accept incoming connections on ports 80 and 443.
    • Can initiate outgoing connections from these ports, which will be translated to 203.0.113.3:80 and 203.0.113.3:443.
    • Can accept connections on port 8080, which will be SNATed to 203.0.113.6.
  2. 10.10.10.30:
    • Can accept incoming connections on port 3389.
    • Cannot initiate outgoing connections from port 3389.
  3. The router can accept incoming connections on port 22.

The only case where this validation seems truly necessary is with rules using the self-twice-nat option. At least for this type of rule, it does not seem to work unless the external address is listed in the address pool. Without it, the rule behaves like a normal static rule.
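The relaxed check described in this report, written out as an added example (not VyOS or VPP code): only self-twice-nat rules must use an address from the pool, while ordinary and out-to-in-only static rules may use any external address. The `strict` flag reproduces the old, too-strict behaviour for comparison; the parsing of `set vpp nat44 ...` lines, rule 500 and the treatment of twice-nat pool entries as pool addresses are assumptions.

```python
# Added example, not the VyOS validation code. The config parsing and the
# hypothetical rule 500 are assumptions modelled on the report above.
from collections import defaultdict
import shlex

# Constructed input: a subset of the report's configuration plus a hypothetical
# self-twice-nat rule (500) whose external address is not in the pool.
CONFIG = """
set vpp nat44 address-pool twice-nat address '203.0.113.6'
set vpp nat44 static rule 100 external address '203.0.113.3'
set vpp nat44 static rule 100 external port '80'
set vpp nat44 static rule 400 external address '203.0.113.5'
set vpp nat44 static rule 400 options out-to-in-only
set vpp nat44 static rule 500 external address '203.0.113.7'
set vpp nat44 static rule 500 options self-twice-nat
"""

def parse(text):
    """Return (pool addresses, {rule_id: {'external': addr, 'options': set}})."""
    pool = set()
    rules = defaultdict(lambda: {"external": None, "options": set()})
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # shlex strips the quotes around values
        if tok[:4] == ["set", "vpp", "nat44", "address-pool"]:
            if "address" in tok[4:-1]:
                pool.add(tok[-1])  # assumption: twice-nat pool counts as pool
        elif tok[:5] == ["set", "vpp", "nat44", "static", "rule"]:
            rid, rest = tok[5], tok[6:]
            if rest[:2] == ["external", "address"]:
                rules[rid]["external"] = rest[2]
            elif rest[0] == "options":
                rules[rid]["options"].add(rest[1])
    return pool, dict(rules)

def validate(text, strict=False):
    """Return a list of error strings.

    strict=True: every static rule's external address must be in the pool
    (the old, too-strict behaviour). strict=False: only self-twice-nat rules
    need a pool address; out-to-in-only and plain static rules are accepted."""
    pool, rules = parse(text)
    errors = []
    for rid, rule in sorted(rules.items()):
        must_be_pooled = strict or "self-twice-nat" in rule["options"]
        if must_be_pooled and rule["external"] not in pool:
            errors.append(f"rule {rid}: external address {rule['external']} "
                          "is not in the NAT address pool")
    return errors
```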

Details

Version: 2025.10.12-0019-rolling
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

natali-rs1985 changed the task status from Open to In progress. Oct 14 2025, 1:12 PM
natali-rs1985 claimed this task.
natali-rs1985 triaged this task as Normal priority.