How to configure NAT and enable inbound access on the Riverbed SD-WAN

Many are looking to use edge-gateway devices for more than an SD-WAN endpoint for a multisite deployment. Here's how to use a Riverbed SteelConnect SD-WAN gateway as a NAT device to allow inbound access to public services.

Image: iStock/Natali_Mis

There are many use cases for SD-WAN these days and Riverbed is attempting to answer them with their Steel Connect product line. When I implemented it in our small office in Temecula, California, I wanted to make use of the Steel Connect SDI-130 gateway features as my only edge router. To accomplish this, the gateway not only needed to act as a tunnel endpoint for other sites, but it also needs to allow and control inbound access from the internet to a mail and web server that's onsite. This means the gateway needed to support NAT. Fortunately it does. In this article we will cover how to configure NAT and enable inbound access on the Riverbed SD-WAN solution known as Steel Connect.

Configuring Inbound NAT Rules

The configuration of Static NAT in the Riverbed Steel Connect Manager uses some terminology that was a little different than what you might be used to if you come from the Cisco world. Normally we would configure Static NAT along with an inbound ACL as two separate configurations on the Cisco ASA. In the Riverbed solution we configure an inbound rule but there's a bit more to the setup that configuring the NAT rule. The high-level process is as follows:

  1. Register your server device.
  2. Create a device type application for email. (Only device type applications can be used in NAT rules.)
  3. Create the inbound NAT rule.

Register your Server

In my demo topology, I have an Apple Mac Mini running the server app. The server app has several services that could be enabled, however, in this case we've enabled the email server application. Once that is in place, which I am assuming you have already done, you need to register the the server inside the Steel Connect Manager so that it can be selected in the NAT rule.

Image: Brandon Carroll/TechRepublic

Create a Device Type Application

The next step would be to create a device type application. This is a custom application that you'll use to define the allowed incoming ports. In Riverbed's solution you don't actually write ACL statements to control inbound access. Everything is blocked until you add a rule to permit.

Start by navigating to the list of custom applications:

Image: Brandon Carroll/TechRepublic

And then add the new custom application.

Image: Brandon Carroll/TechRepublic

Note that you need to specify the application type as "device" and the option to limit port numbers. This allows you to enter a list of ports separated by commas. You can access this option under the drop down that is defaulted to "All protocols and ports." Also, you need to select the server device that you registered.

Image: Brandon Carroll/TechRepublic

Define the NAT Rule

Now that you have everything in place you can create the NAT rule. Creating the NAT rule also creates an inbound ACL entry to permit the inbound traffic.

Start by navigating to Rules>Inbound Rules(NAT).

Image: Brandon Carroll/TechRepublic

Next, select the New Inbound Rule button.

Image: Brandon Carroll/TechRepublic

Upon creating the new inbound rule you'll select the Application that you created, the uplink, the mode (DNAT), and you can verify the ports which should auto populate.

Image: Brandon Carroll/TechRepublic

At this point you should have a working inbound NAT rule that would allow email to your server. There are a few things that will need to be cared for outside of this configuration, namely the DNS configuration for the email domain, MX records and so on. Assuming this is all in place, you're ready to go with inbound access to your Riverbed Steel Connect gateway using NAT.

So to verify a bit of this configuration, you can first look at your Apple Server to make sure that it's correctly configured to allowing inbound mail connectivity.

Image: Brandon Carroll/TechRepublic

Finally, send a test message and we've got inbound connectivity through the Riverbed SD-WAN solution.

Image: Brandon Carroll/TechRepublic

Closing Thoughts

This setup was a bit fiddly but mostly because I was using the Apple server for testing. If exchange were used, this would have been much simpler since the ports are well documented. Apple does put out a list of ports that are used, but it's not broken down well. At any rate, the purpose is clearly to illustrate that you can in fact use a Riverbed SD-WAN solution as your primary network gateway and allow inbound access to services.

Also see:
Getting started with Uncomplicated Firewall
How to register an ASA SFR module with the FirePOWER Management Center
How to add an AirPort Express to an AirPort Extreme to extend wireless networks
How to add the L2TP VPN option to NetworkManager in Linux

By Brandon Carroll

Brandon Carroll has been in the industry since the late 90s specializing in data networking and network security in the enterprise and data center. Brandon holds the CCIE in security and is a published author in network security.