Working with NAT Blocks

This section covers working with NAT blocks within the IPAM system.

Track IP NAT Associations

Track NAT associations between public and private (RFC 1918) blocks via the IPAM "NAT" field.

The "NAT" field accepts a single IPv4 CIDR to associate with the current block, and automatically updates the corresponding block with the NAT association.  

Working with NAT'ed Blocks

Use caution when managing NAT'ed blocks or aggregates - major actions that change either block's assignment or size (assign, unassign, split, merge, autosplit/cleanup) remove the NAT association.

In this case, complete the necessary high-level block tasks, and then re-save the NAT CIDR association to either block. 

Enable NAT 

Enable the NAT field by navigating to IPAM Admin → Edit IPAM Columns.

From there, ensure that the NAT column is enabled (visible), and customize the column location if desired. Be sure to click "Update" to save any changes.

Create NAT Association

Ensure that the two appropriate IP Aggregates (one public, one 1918 private space) containing the desired blocks to NAT have been added into ProVision. (See: Working with IP Aggregates)

After verifying the aggregates and blocks, you may add the NAT association:

Open IPAM Manage for either aggregate, then open "Edit Block" for the specific block you wish to NAT. (See: Working with IP Blocks)

In the Edit Block dialog, enter the IPv4 CIDR of the corresponding NAT block. When complete, click "Save".

Once the NAT field has been saved, the association will display in the NAT Column. 

The corresponding block (here, the private 1918 space block) will automatically have the NAT association applied.

Configure NAT to Router(s)

To push the NAT association to a router, go to the IPAM Manage Action Menu and select "Configure NAT" for the NAT'ed block(s). (For information on adding a router to ProVision, see Peering Routers.)

Open the Action Menu for the NAT'ed block(s) and select "Configure NAT".

Then, select the router. Add the custom configuration / interface information for the router and click "Configure".

NAT Rotate Dynamic IPs

NAT'ed block assignments may be automatically rotated to other available IPs via the "Rotate Dynamic IPs" scheduler task, available in the Admin → Scheduler tab.

"Rotate Dynamic IPs" reassigns single IPv4 NAT addresses (/32s) after 'x' days (since last config push) to an available address denoted by blocks associated with the Dynamic_Available tags.

Prior to using this task, two blocks (one public, one private) must be NAT'ed in IPAM, the NAT Config pushed to a router, and appropriate blocks tagged with "Dynamic_Base" and "Dynamic_Available". 

Before you Begin

Before setting up NAT Dynamic IP Block Rotation, ensure the following has been completed:

  • The public/private IP blocks exist in ProVision (as /32s) and have been set up with NAT Metadata and matching IP Tags
  • The NAT'ed blocks have been configured with a router
  • The Aggregate(s)/IP's exist in ProVision with sufficient "Available" space to use for Rotating the NAT'ed block(s)
  • IPAM Tags match between the NAT'ed blocks and intended available blocks

Add Dynamic Tags to Blocks

After NAT blocks and aggregates have been set up in ProVision with sufficient size, matching IPAM tags, and NAT metadata, you can identify which blocks to use for dynamic rotation by adding the "Dynamic_Base" and "Dynamic_Available" tags.

Go to IPAM Manage and: 

  • Add the IPAM tag "Dynamic_Base" to the /32 block(s) currently NAT'ed. 
  • Add the IPAM tag "Dynamic_Available" to the aggregate or blocks which match the NAT'ed blocks, and are available for rotation use. If used on a block larger than the Dynamic_Base block, the available block will be automatically split.

Set up Scheduler Task

Go to Admin → Scheduler and add the scheduler task "IPAM - Rotate Dynamic IPs".

Enter a number for the days to wait (since last configure) until rotation. 

Enter scheduled start / end dates, repeat settings, and click "Save" when complete. 

The scheduled task will look for NAT'ed, /32 "Dynamic_Base" blocks that have last configuration times older than the provided day count, and rotate those IPs to "Dynamic_Available" blocks. Dynamic_Available blocks larger than the Dynamic_Base block will be automatically split.
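The selection rule above, combined with the "Before you Begin" checks, can be modeled offline to preview which blocks a rotation run would touch and which would fail a prerequisite. This is an added sketch, not ProVision code or its API: the record layout, the `blk` helper, the sample tags and addresses, and the rule that tags "match" when the non-Dynamic tags are equal are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DYNAMIC = {"Dynamic_Base", "Dynamic_Available"}

def is_rfc1918(cidr):
    return any(ipaddress.ip_network(cidr).subnet_of(r) for r in RFC1918)

def plan_rotation(blocks, days, now):
    """Model of the task: return (plan, problems) for an exported inventory."""
    pool = {}  # matching tags -> free /32s carved from Dynamic_Available blocks
    for b in blocks:
        if "Dynamic_Available" in b["tags"]:
            # Blocks larger than a /32 are split into /32s, as the page describes.
            slots = ipaddress.ip_network(b["cidr"]).subnets(new_prefix=32)
            pool.setdefault(frozenset(b["tags"] - DYNAMIC), []).extend(slots)
    plan, problems = {}, []
    for b in blocks:
        if "Dynamic_Base" not in b["tags"]:
            continue
        cidr = b["cidr"]
        if ipaddress.ip_network(cidr).prefixlen != 32:
            problems.append(f"{cidr}: Dynamic_Base block is not a /32")
        elif not b["nat"]:
            problems.append(f"{cidr}: no NAT association saved")
        elif is_rfc1918(cidr) == is_rfc1918(b["nat"]):
            problems.append(f"{cidr}: NAT pair is not one public and one RFC 1918 block")
        elif b["last_configured"] is None:
            problems.append(f"{cidr}: NAT config never pushed to a router")
        elif now - b["last_configured"] > timedelta(days=days):
            free = pool.get(frozenset(b["tags"] - DYNAMIC), [])
            if free:
                plan[cidr] = str(free.pop(0))
            else:
                problems.append(f"{cidr}: no Dynamic_Available space with matching tags")
    return plan, problems

# Constructed inventory: documentation/RFC 1918 addresses and invented tags.
def blk(cidr, tags, nat=None, last=None):
    return {"cidr": cidr, "tags": set(tags), "nat": nat, "last_configured": last}
NOW = datetime(2024, 6, 30)
SAMPLE = [
    blk("203.0.113.5/32", ["Dynamic_Base", "edge"], "10.0.0.5/32", datetime(2024, 6, 1)),
    blk("203.0.113.6/32", ["Dynamic_Base", "edge"], "10.0.0.6/32", datetime(2024, 6, 28)),
    blk("203.0.113.7/32", ["Dynamic_Base", "lab"], "10.0.0.7/32", datetime(2024, 5, 1)),
    blk("203.0.113.16/30", ["Dynamic_Available", "edge"]),
]
print(plan_rotation(SAMPLE, days=14, now=NOW))
```

Running a check like this before enabling the task shows which Dynamic_Base blocks are overdue and whether any lack a correctly tagged pool, so a rotation does not silently skip them.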

Additional Information

For additional information on working with the IPAM system in ProVision, see the following areas:
