The routing approach relies on upstream traffic being directed (or diverted) to the NAT function based on the destination-prefix command in the config>service>vprn/router>nat>inside CLI context. In other words, the upstream traffic is NAT’d only if it matches a preconfigured destination IP prefix. The destination-prefix command creates a static route in the routing table of the inside routing context. This static route diverts all traffic whose destination IP address matches the created entry toward the MS-ISA. The NAT function itself is performed when the traffic is in the correct context in the MS-ISA.
The CLI for multiple NAT policies per inside routing context with routing-based diversion to NAT is the following:
    service vprn/router
        nat
            inside
                destination-prefix <ip-prefix/length> [nat-policy <policy-name>]
                :
                :
or, for example:
    service vprn/router
        nat
            inside
                destination-prefix 10.20.10.0/24 nat-policy policy-1
                destination-prefix 10.30.30.0/24 nat-policy policy-1
                destination-prefix 10.40.40.0/24 nat-policy policy-2
Different destination prefixes can reference a single NAT policy (policy-1 in this case).
If a destination-prefix entry does not directly reference a NAT policy, the default NAT policy is used. The default NAT policy is configured directly in the vprn/router>nat>inside context.
After the destination-prefix command referencing the NAT policy is configured, an entry in the routing table is created that directs the traffic to the MS-ISA.
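The following is an added example, not code from the original documentation or from the vendor: a small audit script that parses destination-prefix entries and reports which NAT policy a given destination resolves to, or that the destination is not diverted to NAT at all. The name policy-default, the 10.50.0.0/16 entry and the longest-prefix-match handling of overlapping entries are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the three entries from the text, plus one entry
# without nat-policy to exercise the default-policy fallback.
SAMPLE_CONFIG = """
service vprn/router
    nat
        inside
            destination-prefix 10.20.10.0/24 nat-policy policy-1
            destination-prefix 10.30.30.0/24 nat-policy policy-1
            destination-prefix 10.40.40.0/24 nat-policy policy-2
            destination-prefix 10.50.0.0/16
"""


def parse_destination_prefixes(config, default_policy):
    """Return [(network, policy_name)] for each destination-prefix line."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "destination-prefix":
            continue
        if len(tokens) == 2:
            policy = default_policy  # no nat-policy given: default applies
        elif len(tokens) == 4 and tokens[2] == "nat-policy":
            policy = tokens[3]
        else:
            raise ValueError(f"unrecognised entry: {line.strip()!r}")
        # strict=True rejects prefixes with host bits set (e.g. 10.20.10.1/24)
        entries.append((ipaddress.ip_network(tokens[1], strict=True), policy))
    return entries


def resolve_nat_policy(entries, destination):
    """Return the NAT policy for a destination, or None if not diverted.

    Assumption: overlapping entries are resolved by longest-prefix match,
    as in an ordinary route lookup.
    """
    addr = ipaddress.ip_address(destination)
    matches = [(net, pol) for net, pol in entries if addr in net]
    if not matches:
        return None  # no matching static route: traffic bypasses NAT
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    table = parse_destination_prefixes(SAMPLE_CONFIG, "policy-default")
    for dst in ("10.20.10.5", "10.40.40.9", "10.50.1.1", "192.0.2.1"):
        print(dst, "->", resolve_nat_policy(table, dst))
```

Running the resolver over a list of destinations that are expected to be translated shows quickly whether any of them falls outside every configured prefix and would therefore leave the inside context without NAT.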