Access control lists (ACLs) are used by internet services to determine which IP addresses are granted access to a system resource.
When connected to a PoP, your internet traffic may use any of the PoP's external IP addresses for NAT. When an ACL is used, to ensure access to the PoP is maintained, the NAT IP address must remain static and not shared with other Cato customers.
Egress rules allow you to NAT specific traffic with a static public IP address. The IP address is available for use by your account only and does not change (unless you change it yourself).
Egress rules are created by first selecting the IP address(s) you want to NAT and then creating the egress rule.
If necessary, create an Egress Rule for only one device, or specific devices on a network, and configure hosts for the devices.
Select the Cato-allocated public IP address you want to translate with NAT in the egress rule. If you need additional IP addresses, contact your reseller or sales engineer.
To select the IP address to use in the egress rule:
-
From the navigation menu, click Network > IP Allocation.
-
From the drop-down menu, select the PoP location that you are allocating an IP address. The IP address is automatically supplied.
-
Click Save.
When you are egressing traffic for a specific number of devices, configure the hosts behind the relevant site.
To create a host for one or more devices:
-
From the navigation menu, click Network > Sites > [Site Name] > Site Configuration > Hosts.
-
Click New.
-
Enter the Name for the device.
-
Enter the IP address of the device.
-
If you are using Cato for DHCP, under MAC, enter the MAC address. This will create a DHCP reservation for the computer.
Note: If you are not using Cato DHCP, make sure the source computer has a static IP or DHCP reservation in the local DHCP server. If the IP address of the device changes, the egress rule does not work.
-
Click Apply, and then click Save.
Create a network rule to define the traffic that you are egressing to the Cato public IP address.
When you assign multiple egress IPs to a rule, the IP address closest to the source of the traffic is the primary IP address for egressing the traffic. If the primary IP isn't available for any reason, then the IP for the PoP location is the next closest to the source used (and so on).
To create an egress rule:
-
From the navigation menu, click Network > Network Rules.
-
Click New.
-
In the General section, enter the Name, and the Rule Order of the egress rule.
-
Under the Rule Type drop-down, select Internet.
-
In the Source section, select the source of the traffic the egress rule applies to.
-
In the App/Category section, select the traffic type the egress rule applies to.
-
In the Configuration section, under Routing Method, select NAT.
-
Under Allocated IPs, select the IP address(es) to egress the traffic to.
-
Click Apply, and then click Save.
Question: When there is a network rule configured with an egress NAT IP, is there a limit of 64K concurrent flows for each egress IP address (assuming that each flow consumes a single TCP/UDP port)?
Answer: No. For each egress IP address, the PoP creates a unique NAT translation entry for every four-tuple hash (SRC IP, SRC port, DEST IP, and DEST port). This means that the 64K concurrent flows limit applies to each pair (ie. source IP, destination IP). For example, if two LAN hosts communicate with two public destinations using destination port TCP/443, the PoP can allocate up to 128K ports to support the concurrent flows (64K ports for each SRC/DST IP and SRC/DST port).
3 comments
For availability, consider multiple IP address in your NAT and Route rule. We've lost connectivity when our Cato socket fails to another site and therefore a single IP at the failed site is not available until it comes back online.
There's no egress rule option under the global settings.
Rules are under Networking | Network Rules
Can this define exactly what is matched under the various categories and for what protocols.
Please sign in to leave a comment.