Let's face it, the hottest topic in any customer conversation today is SD-WAN. Gone are the days of a customer being tied into an expensive MPLS network, managed by a single provider with lengthy contracts. Customers are now using multiple, carrier-agnostic internet links to build a highly resilient network between all their sites, including their data centers in Azure, AWS, Google Cloud, etc.

An integral part of this architecture is local internet breakout at remote sites. Users now have the ability to break out to cloud-based applications locally, whilst being kept secure by the integrated Layer 7 firewall. A key feature of the integrated firewall is the ability to NAT inbound and outbound traffic, with either Source NAT or Destination NAT. I want to take a few minutes to go through the Citrix SD-WAN Inbound NAT logic and explain how this rule is built.

Let's say I'm a client with an FTP and web server at my remote site, and my external users need to access these servers without coming in via a VPN tunnel. I would need to create an Inbound NAT rule, using a public IP configured on the SD-WAN appliance. In this example I only have a single static public IP, thus I'm using Dynamic NAT with Port Forwarding. My external IP is 196.100.100.5 (randomly selected public IP) and my internal IPs are 172.16.10.254 for the FTP server and 172.16.10.50 for the web server. In my initial config I've created a WAN interface (VI_INET1) and a LAN interface (VI_LAN1).

Below are the IP addresses assigned to the interfaces.

Next you have to create the Dynamic NAT rule. The logic behind the rule is that you first create the initial section, which defines the outbound source NAT rule (so the direction is outbound). In my example, I'm saying all traffic from LAN subnet 172.16.10.0/24 will be source NATted to 196.100.100.5 when leaving the SD-WAN appliance on interface VI_INET1.

To add the port forwarding rules, expand the window by clicking on the +. This is where you define the Inbound NAT rules. These inbound rules will apply for all traffic hitting the external public IP (196.100.100.5).
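As an added illustration (not from the original post and not Citrix code), the following Python model captures the logic of the rule just described: LAN traffic is source NATted to the public IP on the way out, return traffic is mapped back by the dynamic entry, and only the explicitly configured port forwards reach the FTP and web servers from outside; anything else hitting 196.100.100.5 is dropped. The service ports (21 for FTP, 80 for web), the dynamic port range, and the external client address 203.0.113.10 are assumptions, not values from the post.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Addresses from the post; service ports are assumed (the post does not state them).
PUBLIC_IP = "196.100.100.5"                      # public IP on VI_INET1
LAN_SUBNET = ipaddress.ip_network("172.16.10.0/24")
# Inbound NAT (port forwarding) rules: public port -> (internal host, internal port)
PORT_FORWARDS: Dict[int, Tuple[str, int]] = {
    21: ("172.16.10.254", 21),   # FTP server (port assumed)
    80: ("172.16.10.50", 80),    # web server (port assumed)
}

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class DynamicNat:
    """Models one Dynamic NAT rule: outbound source NAT for the LAN subnet,
    plus the inbound port forwards attached to the same public IP."""

    def __init__(self, first_dynamic_port: int = 40000) -> None:
        self.next_port = first_dynamic_port            # assumed allocation range
        self.outbound: Dict[Tuple[str, int], int] = {}  # (lan_ip, lan_port) -> public port
        self.inbound: Dict[int, Tuple[str, int]] = {}   # public port -> (lan_ip, lan_port)

    def translate_outbound(self, flow: Flow) -> Optional[Flow]:
        """Source NAT: LAN source becomes PUBLIC_IP:<allocated port>; other sources don't match."""
        src_ip, src_port, dst_ip, dst_port = flow
        if ipaddress.ip_address(src_ip) not in LAN_SUBNET:
            return None
        key = (src_ip, src_port)
        if key not in self.outbound:
            while self.next_port in PORT_FORWARDS:      # never reuse a forwarded port
                self.next_port += 1
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key          # remember the reverse mapping
            self.next_port += 1
        return (PUBLIC_IP, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Destination NAT on traffic hitting the public IP; None means the firewall drops it."""
        src_ip, src_port, dst_ip, dst_port = flow
        if dst_ip != PUBLIC_IP:
            return None
        target = PORT_FORWARDS.get(dst_port) or self.inbound.get(dst_port)
        if target is None:
            return None                                 # no forward and no session: dropped
        lan_ip, lan_port = target
        return (src_ip, src_port, lan_ip, lan_port)
```

Run the two `translate_*` methods with a constructed external client such as 203.0.113.10 to see that only ports 21 and 80 are reachable from outside, while an internal host's outbound session gets its own public port and its replies are mapped back.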

More information can be found on docs.citrix.com.