This article discusses how to configure destination NAT or port forwarding to access services within the intranet in active-active deployments.


Scenario-1:

Active-active devices are deployed with Transport-1 on the VOS A device and Transport-2 on the VOS B device at the same site. Provide access to services running on this site's LAN via Transport-1.


In the diagram below, a user connected to MPLS needs to access an SSH server in the site LAN network via the MPLS transport of the VOS A device.



Step-1: Use the workflow to configure inbound NAT as follows: give it a name and specify the LAN routing instance, the WAN network(s), the protocol, the external IP address (in this case the MPLS transport IP; parameterize it if the same template is used for multiple devices), the external port, the internal address (the server IP) and the internal port (the port on which the server actually listens for incoming connections).

Step-2: Configure a security access policy to allow this traffic. Match the destination IP as the internal (server) IP, because the security policy is applied after destination NAT and therefore sees the translated inner IP, and match the service as needed. Keep the rule as narrow as the use case allows: restrict the source to the client networks that need the service and the service to the forwarded port, rather than permitting any source to reach the server.


Step-3: Fill in the bind data for any variables parameterized in the template.


Step-4: Commit the template to the devices.


Verify connectivity:

root@Client:~# ip add | grep "inet "
inet 192.168.86.10/24 brd 192.168.86.255 scope global eth1.102
root@Client:~#

root@Client:~# ssh versa@192.168.83.10
versa@192.168.83.10's password:
..

..
Last login: Tue Mar 11 17:27:48 2025 from 192.168.86.10
versa@Linux-Server:~$


You can check the session from the Monitor dashboard under CGNAT:


The quickest way to troubleshoot is to telnet to the external IP and external port and check whether the connection gets NATed and the security policy allows the traffic. If the SSH banner comes back, as below, the TCP handshake completed end to end and the server itself answered, so both the NAT rule and the security policy are working:

root@Client:~# telnet 192.168.83.10 22
Trying 192.168.83.10...
Connected to 192.168.83.10.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2


If it does not, run tcpdump on the WAN interface and check whether these packets made it to the WAN interface at all:

admin@Spoke3-cli> show interfaces brief vni-0/1.0            
NAME MAC OPER ADMIN TENANT VRF IP
----------------------------------------------------------------------------------------------
vni-0/1.0 52:0a:28:ff:3a:03 up up 1 MPLS-Transport-VR 192.168.83.10/24
192.168.83.254/24
2001:192:168:83::10/24

[ok][2025-03-11 18:41:06]
admin@Spoke3-cli> tcpdump vni-0/1 filter "port 22"
Starting capture on vni-0/1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_1, link-type EN10MB (Ethernet), capture size 2000 bytes
18:41:13.227427 52:0a:28:ff:32:12 > 52:0a:28:ff:3a:03, ethertype IPv4 (0x0800), length 74: 192.168.86.10.45183 > 192.168.83.10.22: Flags [S], seq 2785644000, win 29200, options [mss 1460,sackOK,TS val 3828933927 ecr 0,nop,wscale 7], length 0
18:41:13.227435 52:0a:28:ff:3a:03 > 52:0a:28:ff:32:12, ethertype IPv4 (0x0800), length 74: 192.168.83.10.22 > 192.168.86.10.45183: Flags [S.], seq 4015486482, ack 2785644001, win 28960, options [mss 1460,sackOK,TS val 1813956124 ecr 3828933927,nop,wscale 7], length 0
18:41:13.227438 52:0a:28:ff:32:12 > 52:0a:28:ff:3a:03, ethertype IPv4 (0x0800), length 66: 192.168.86.10.45183 > 192.168.83.10.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 3828933927 ecr 1813956124], length 0
18:41:13.239445 52:0a:28:ff:3a:03 > 52:0a:28:ff:32:12, ethertype IPv4 (0x0800), length 107: 192.168.83.10.22 > 192.168.86.10.45183: Flags [P.], seq 1:42, ack 1, win 227, options [nop,nop,TS val 1813956127 ecr 3828933927], length 41
18:41:13.247421 52:0a:28:ff:32:12 > 52:0a:28:ff:3a:03, ethertype IPv4 (0x0800), length 66: 192.168.86.10.45183 > 192.168.83.10.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 3828933931 ecr 1813956127], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Stopping capture on vni-0/1
[ok][2025-03-11 18:41:15]
admin@Spoke3-cli>


If the packets did not reach the interface where the external IP is configured, make sure there is reachability between the user and the VOS transport IP.


Note that tcpdump can also be run from the Monitor dashboard under Tools.


Run tcpdump on the LAN interface and check whether the packets are sent out on the LAN after destination NAT (destination IP translated to the server IP). Only the destination is translated: the source remains the client address 192.168.86.10 in the capture below, so the server sees the real client IP and its replies must route back through the VOS device that holds the NAT session:

admin@Spoke3-cli> show interfaces brief vni-0/3.501
NAME MAC OPER ADMIN TENANT VRF IP
-----------------------------------------------------------------------------------------------
vni-0/3.501 52:0a:28:ff:3a:05 up up 2 Tenant1-LAN-2-VR 172.20.151.10/24
172.20.151.254/24
2001:172:20:151::10/64

[ok][2025-03-11 18:42:33]
admin@Spoke3-cli> tcpdump vni-0/3 filter "port 22"
Starting capture on vni-0/3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on _vni_0_3, link-type EN10MB (Ethernet), capture size 2000 bytes
18:42:48.015424 52:0a:28:ff:3a:05 > 52:0a:28:ff:38:02, ethertype IPv4 (0x0800), length 74: 192.168.86.10.45184 > 172.20.150.50.22: Flags [S], seq 3770852640, win 29200, options [mss 1460,sackOK,TS val 3828957623 ecr 0,nop,wscale 7], length 0
18:42:48.015445 52:0a:28:ff:38:02 > 52:0a:28:ff:3a:05, ethertype IPv4 (0x0800), length 74: 172.20.150.50.22 > 192.168.86.10.45184: Flags [S.], seq 3855181444, ack 3770852641, win 28960, options [mss 1460,sackOK,TS val 1813979820 ecr 3828957623,nop,wscale 7], length 0
18:42:48.015448 52:0a:28:ff:3a:05 > 52:0a:28:ff:38:02, ethertype IPv4 (0x0800), length 66: 192.168.86.10.45184 > 172.20.150.50.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 3828957624 ecr 1813979820], length 0
18:42:48.023425 52:0a:28:ff:38:02 > 52:0a:28:ff:3a:05, ethertype IPv4 (0x0800), length 107: 172.20.150.50.22 > 192.168.86.10.45184: Flags [P.], seq 1:42, ack 1, win 227, options [nop,nop,TS val 1813979823 ecr 3828957624], length 41
18:42:48.031431 52:0a:28:ff:3a:05 > 52:0a:28:ff:38:02, ethertype IPv4 (0x0800), length 66: 192.168.86.10.45184 > 172.20.150.50.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 3828957627 ecr 1813979823], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Stopping capture on vni-0/3
[ok][2025-03-11 18:42:49]
admin@Spoke3-cli>


If the tcpdump on the egress interface towards the server does not show the packets, check that the firewall (security access) policy is being hit:
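As an added example (not part of the original article and not a Versa tool), the following bash script automates the comparison of the two captures above. It extracts the TCP SYNs from a WAN-side and a LAN-side tcpdump text capture and prints a verdict that maps onto the checks in this section: no SYN on the WAN means a reachability problem between the user and the transport IP, a SYN on the WAN but none on the LAN points at the NAT rule or the security policy, and a changed source address means a source NAT is also in play. The external IP 192.168.83.10, the internal server 172.20.150.50 and the sample capture lines are taken from the outputs above; it assumes a single test client, as in the article. For Scenario-2 run it once per VOS device with that device's published Internet IP.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or Versa: check a destination
# NAT rule from two tcpdump text captures taken on the VOS device (WAN-side and
# LAN-side, as with `tcpdump vni-0/1 filter "port 22"` and `tcpdump vni-0/3 ...`).
# Only TCP SYNs are considered; each is reduced to "src_ip dst_ip dst_port".

EXTERNAL_IP="192.168.83.10"    # published IP on the transport (article's value)
INTERNAL_IP="172.20.150.50"    # SSH server in the site LAN (article's value)
SERVICE_PORT="22"

# Sample input, constructed from the SYN and SYN-ACK lines of the article's captures.
WAN_CAPTURE='18:41:13.227427 52:0a:28:ff:32:12 > 52:0a:28:ff:3a:03, ethertype IPv4 (0x0800), length 74: 192.168.86.10.45183 > 192.168.83.10.22: Flags [S], seq 2785644000, win 29200, options [mss 1460,sackOK,TS val 3828933927 ecr 0,nop,wscale 7], length 0
18:41:13.227435 52:0a:28:ff:3a:03 > 52:0a:28:ff:32:12, ethertype IPv4 (0x0800), length 74: 192.168.83.10.22 > 192.168.86.10.45183: Flags [S.], seq 4015486482, ack 2785644001, win 28960, options [mss 1460,sackOK,TS val 1813956124 ecr 3828933927,nop,wscale 7], length 0'
LAN_CAPTURE='18:42:48.015424 52:0a:28:ff:3a:05 > 52:0a:28:ff:38:02, ethertype IPv4 (0x0800), length 74: 192.168.86.10.45184 > 172.20.150.50.22: Flags [S], seq 3770852640, win 29200, options [mss 1460,sackOK,TS val 3828957623 ecr 0,nop,wscale 7], length 0
18:42:48.015445 52:0a:28:ff:38:02 > 52:0a:28:ff:3a:05, ethertype IPv4 (0x0800), length 74: 172.20.150.50.22 > 192.168.86.10.45184: Flags [S.], seq 3855181444, ack 3770852641, win 28960, options [mss 1460,sackOK,TS val 1813979820 ecr 3828957623,nop,wscale 7], length 0'

# syn_flows CAPTURE_TEXT: print "src_ip dst_ip dst_port" for every TCP SYN.
# Only "Flags [S]," matches; the SYN-ACK "Flags [S.]," is deliberately excluded.
syn_flows() {
  printf '%s\n' "$1" | sed -nE \
    's/.* ([0-9]+(\.[0-9]+){3})\.([0-9]+) > ([0-9]+(\.[0-9]+){3})\.([0-9]+): Flags \[S\],.*/\1 \4 \6/p'
}

# first_client CAPTURE_TEXT DST_IP: source IP of the first SYN to DST_IP:SERVICE_PORT.
first_client() {
  syn_flows "$1" | awk -v d="$2" -v p="$SERVICE_PORT" '$2 == d && $3 == p { print $1; exit }'
}

# check_dnat WAN_CAPTURE LAN_CAPTURE: print a one-word verdict; return 0 only for "ok".
check_dnat() {
  local wan_client lan_client
  wan_client=$(first_client "$1" "$EXTERNAL_IP")
  lan_client=$(first_client "$2" "$INTERNAL_IP")

  if [ -z "$wan_client" ]; then
    # No SYN to the external IP on the transport: the client cannot reach the
    # VOS transport IP, so check routing between the user and the transport.
    echo "no-wan-syn"; return 1
  fi
  if [ -z "$lan_client" ]; then
    # Reached the transport but never left towards the server: the NAT rule did
    # not match, or the security policy (which matches the internal IP) dropped it.
    echo "no-lan-syn"; return 2
  fi
  if [ "$wan_client" != "$lan_client" ]; then
    # Only the destination should change; a different source means a source
    # NAT is also applied and the server will not see the real client address.
    echo "source-rewritten"; return 3
  fi
  echo "ok"
}

# Usage with the article's captures: prints "ok".
check_dnat "$WAN_CAPTURE" "$LAN_CAPTURE"
```

With real captures, save the two tcpdump outputs to files and call `check_dnat "$(cat wan.txt)" "$(cat lan.txt)"`; the non-zero return codes make it usable from a larger verification script.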



Scenario-2:

Active-active devices are deployed with Internet from service provider A on the VOS A device and Internet from service provider B on the VOS B device at the same site. Provide access to services running on this site's LAN via both service providers' Internet links.


In the diagram below, a user connected to the Internet needs to access an SSH server in the site LAN network via both the service provider A Internet IP and the service provider B Internet IP. This is useful in case of an outage of one service provider or of one of the VOS devices.

Step-1: Configure inbound NAT in the workflow template by choosing the Internet WAN network:



BroadBand is the name of the network in this example. Choose the WAN network name you have configured for Internet on your setup.


The workflow generates the configuration for both VOS devices:

Destination NAT config generated for VOS A:


Destination NAT config generated for VOS B:


Repeat Step-2 to Step-4 from Scenario-1. The only difference in this scenario is that the security policy, variable bind data and template commit need to be done on both the VOS A and VOS B devices.


Follow the same troubleshooting and verification steps as explained in the previous scenario, once per VOS device and per published Internet IP.


Note: The above guidelines meet the majority of customer requirements for destination NAT or port forwarding.

To enhance the user experience, you can monitor the health of each WAN IP and resolve a Fully Qualified Domain Name (FQDN) only to the IP addresses that are currently reachable. This lets users access the service via a single FQDN, eliminating the need to switch between IPs or FQDNs in response to service provider reachability issues or a VOS device outage. It can be implemented with the VOS DNS Proxy or another DNS service such as AWS Route 53. Clients move to the healthy IP only when they resolve the name again, so keep the record's TTL short.


Additionally, if you establish BGP peering with your service providers, you can advertise the same public IP through both of them (this requires an address block both providers accept, typically provider-independent space), allowing access to the service via a single IP or FQDN while still using destination NAT or port forwarding on the VOS devices.