Open shihhsien-wang opened 4 years ago
Please add "nat" label
@AkhileshSamineni, please update the analysis here.
Hi,
The native NAT tables on Broadcom Silicon match only destination IP address OR source IP address but not both. These NAT lookup tables do not provide a means to match both Destination IP and Source IP (in case of TWICE NAT).
So, the current behavior is expected and is a limitation. There is an alternative to use ACL rules (instead of native NAT lookups) to achieve TWICE NAT, but that is not preferred as it impacts other ACL based applications.
Description
It should receive a packet whose source and destination IP addresses both match the twice NAT/NAPT configuration, and then twice NAT/NAPT can be applied to the packets. In our test, not only are the packets whose source and destination IP addresses both match the configuration NAT translated, but the packets whose destination IP address alone matches the configuration are also NAT translated.
Steps to reproduce the issue:
Configuration:
Topology:
Packets injected from PC1:
Describe the results you received:
Packets received at PC2:
Both packet A and B, with the same destination IP address but not the same source IP address, are NAT translated into the same source IP address and destination IP address.
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
Note: another case (dynamic SNAT and static SNAT in the same 'twice_nat_id' group) has the same problem.