Configuring NAT in VMware NSX-T

Setting up NAT in NSX-T is fairly easy, but it can be hard to understand as a beginner because you have to be familiar with how NAT rules are structured. In a NAT rule either the source or the destination of the original packet is translated, never both in the same rule.

Example of Source NAT:

Type | Original Packet: Source | Original Packet: Destination | Service/Port | Translated Packet: Source | Translated Packet: Destination | Service/Port
SNAT | 192.168.20.0/24 | Any | Any | 101.1.1.1 | Any | Any

Source NAT is for outbound traffic, e.g. when a client wants to reach the internet.

The original source network is the private network 192.168.20.0/24. Because private (RFC 1918) addresses are not routable on the internet, the source is translated to a public address. Only the source is translated; the destination fields are left empty (any).

Example of Destination NAT:

Type | Original Packet: Source | Original Packet: Destination | Service/Port | Translated Packet: Source | Translated Packet: Destination | Service/Port
DNAT | Any | 101.1.1.1 | Any | Any | 192.168.20.101 | Any

Destination NAT (DNAT) is used when a server on the private network, for example a web server, has to be reachable from outside. Port forwarding is a form of DNAT that additionally matches on, and translates, a specific port.

The source of the original packet is the internet, so it is set to 'any'. The destination of the original packet is your own public address. Only the destination is translated; the source fields are left empty.

NAT options in NSX-T

NAT can be configured on either a Tier-0 or a Tier-1 gateway; this demonstration uses a Tier-1. Doing NAT on the T1 adds flexibility, especially when two segments use overlapping address space, because it lets us translate one of the segments before the traffic reaches the T0.

Depending on the configuration of your T0/T1 gateway different NAT options are available as seen below.

Gateway | Available NAT types
Tier-1 gateway | SNAT, DNAT, Reflexive, NO SNAT, and NO DNAT
Tier-0 gateway in active-standby mode | SNAT, DNAT, NO SNAT, and NO DNAT
Tier-0 gateway in active-active mode | Reflexive

On a Tier-0 gateway in active-active mode, Reflexive (stateless) NAT is the only type available; stateful SNAT/DNAT require active-standby. We also see the options NO SNAT and NO DNAT. These are placed above the SNAT/DNAT rules they exempt, because rules are evaluated from top to bottom and the first match wins. They are useful when you do not want to perform NAT for a specific source or destination. NSX-T has no drag-and-drop ordering of NAT rules, so the order is defined by the priority value on each rule (the lower the value, the higher the priority); an exemption with a worse priority than the rule it should exempt is simply never hit.

T0/T1 route advertisement of NAT IPs

Make sure to check the box "All NAT IP's" under the Tier-1 gateway's Route Advertisement settings, so that the T1 advertises the translated addresses to the T0 gateway.

Then, under Route Re-distribution on the Tier-0 gateway, enable "NAT IP" so the T0 redistributes them to the upstream router. Without both steps, return traffic for the translated addresses never reaches the gateway.

Configuration examples SNAT/DNAT

NSX-T does not let you fill in a translated destination when creating a SNAT rule, and likewise the translated source is unavailable in a DNAT rule. The translated source address does not need to exist on any gateway interface: it is advertised as a NAT IP to the T0 and the upstream router, so any address from your public range can be used, provided the upstream actually routes that range to you.

Example of SNAT:

Example of DNAT:

I've added HTTP as the service and 80 as the translated port as an example. Specifying a service or port is optional for a plain DNAT rule, but doing so narrows the rule to the ports the server actually exposes; a DNAT rule without a service forwards every port of the public address to the internal host.

Configuration examples No SNAT/No DNAT

Example of No SNAT:

Assume there is one particular source address (192.168.20.105) that we do not want to translate. The translated fields are greyed out when the "No SNAT" type is selected, to prevent user errors. Make sure to adjust the priority of the rules so that the "No SNAT" rule has a higher priority than the SNAT rule (the lower the value, the higher the priority); otherwise the broader SNAT rule matches 192.168.20.105 first and the exemption never applies.

Example of No DNAT:

In this example I've translated 101.1.1.0/24 to 192.168.20.0/24. There is one particular address that I do not want to DNAT, and that is 101.1.1.20. Make sure to adjust the priority of the rules so that the "No DNAT" rule has a higher priority than the DNAT rule (the lower the value, the higher the priority).
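To make the priority behaviour concrete, here is an added example (my own toy model, not NSX-T code) of how a gateway's SNAT and DNAT tables are evaluated: within each table the matching rule with the lowest priority value wins, and a NO SNAT / NO DNAT hit leaves the flow untranslated. The rule names, the sample addresses other than those in this post, and the Policy API field names in policy_api_body() are assumptions; check the field names against the API guide for your NSX version.

```python
"""Toy model of how NSX-T evaluates a gateway's NAT rules (constructed example).

SNAT/NO_SNAT rules form one table and DNAT/NO_DNAT another. Within a table
the matching rule with the lowest priority value ("sequence_number" in the
Policy API) wins, and a NO_* hit means "leave this flow untranslated".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _in(net: str, addr: str) -> bool:
    """'Any' matches everything; otherwise test CIDR/host membership."""
    return net.lower() == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class NatRule:
    name: str
    action: str                         # SNAT, NO_SNAT, DNAT, NO_DNAT
    priority: int                       # lower value = evaluated first
    source: str = "Any"                 # original packet source
    destination: str = "Any"            # original packet destination
    translated: Optional[str] = None    # greyed out in the UI for NO_* rules
    dport: Optional[int] = None         # original destination port (service); None = any
    translated_port: Optional[int] = None

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (_in(self.source, src) and _in(self.destination, dst)
                and (self.dport is None or self.dport == dport))

    def policy_api_body(self) -> dict:
        """Body shape for PATCH /policy/api/v1/infra/tier-1s/<t1>/nat/USER/nat-rules/<id>.
        Field names are my assumption about the PolicyNatRule object; 'Any' is expressed
        by omitting the field. A service reference (e.g. /infra/services/HTTP) would be
        added separately when a port match is wanted."""
        body = {"action": self.action, "sequence_number": self.priority, "enabled": True}
        if self.source != "Any":
            body["source_network"] = self.source
        if self.destination != "Any":
            body["destination_network"] = self.destination
        if self.translated:
            body["translated_network"] = self.translated
        if self.translated_port is not None:
            body["translated_ports"] = str(self.translated_port)
        return body


def _first_match(rules, actions, src, dst, dport):
    table = sorted((r for r in rules if r.action in actions), key=lambda r: r.priority)
    return next((r for r in table if r.matches(src, dst, dport)), None)


def apply_snat(rules, src, dst, dport=0):
    """Outbound direction: returns (translated source, name of the deciding rule or None)."""
    r = _first_match(rules, ("SNAT", "NO_SNAT"), src, dst, dport)
    if r is None or r.action == "NO_SNAT":
        return src, (r.name if r else None)
    return r.translated, r.name


def apply_dnat(rules, src, dst, dport):
    """Inbound direction: returns (translated destination, translated port, deciding rule)."""
    r = _first_match(rules, ("DNAT", "NO_DNAT"), src, dst, dport)
    if r is None or r.action == "NO_DNAT":
        return dst, dport, (r.name if r else None)
    return r.translated, (r.translated_port or dport), r.name


# The rules from this post: exemptions at priority 10, translations at 20.
RULES = [
    NatRule("no-snat-105", "NO_SNAT", 10, source="192.168.20.105"),
    NatRule("snat-lan", "SNAT", 20, source="192.168.20.0/24", translated="101.1.1.1"),
    NatRule("no-dnat-20", "NO_DNAT", 10, destination="101.1.1.20"),
    NatRule("dnat-web", "DNAT", 20, destination="101.1.1.1", translated="192.168.20.101",
            dport=80, translated_port=80),
]

# The same SNAT pair with priorities swapped: the exemption is shadowed and never hit.
SHADOWED = [
    NatRule("no-snat-105", "NO_SNAT", 20, source="192.168.20.105"),
    NatRule("snat-lan", "SNAT", 10, source="192.168.20.0/24", translated="101.1.1.1"),
]

if __name__ == "__main__":
    # 203.0.113.9 is a constructed internet client address.
    print(apply_snat(RULES, "192.168.20.105", "203.0.113.9", 443))
    print(apply_snat(SHADOWED, "192.168.20.105", "203.0.113.9", 443))
    print(apply_dnat(RULES, "203.0.113.9", "101.1.1.1", 80))
    print(RULES[1].policy_api_body())
```

Running it shows the exempted host keeping its address with the post's priorities and being translated to 101.1.1.1 with the swapped ones, which is exactly the misconfiguration the priority note above warns about.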

Configuration examples Reflexive NAT

Reflexive NAT, also known as stateless NAT, is a one-to-one mapping of IP addresses: each private address has its own public address, hence the term 1:1 mapping. It translates the source for outbound traffic and the destination for inbound traffic. Stateful NAT (SNAT and DNAT), by contrast, keeps a connection table and can therefore translate many private addresses to a single public address, often referred to as many-to-one mapping. Because reflexive NAT keeps no connection state, every host in the mapped range becomes reachable on its public address, so inbound access has to be restricted by the gateway firewall rather than by the NAT itself.

Reflexive NAT rules are set up with either single host addresses or networks of the same size. You cannot translate multiple private addresses to a single public address. Only the following can be done: 192.168.20.10 -> 101.1.1.10 OR 192.168.20.0/24 -> 101.1.1.0/24
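As an added example (my own code, not NSX-T's), the 1:1 mapping described above expressed as a function of the host bits, in both directions, together with a check that the public prefixes a reflexive rule introduces are present in the upstream routing table. The upstream table below is constructed; the class and function names are assumptions.

```python
"""Reflexive (stateless, 1:1) NAT as a pure function of the host bits (constructed example).

A reflexive rule maps a private host or network to a public host or network of
the same size. Outbound it rewrites the source, inbound the destination, and
the two directions are exact inverses of each other.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def is_one_to_one(private: str, public: str) -> bool:
    """1:1 means equal sizes: /24 -> /24 or host -> host, never /24 -> one address."""
    p = ipaddress.ip_network(private, strict=False)
    q = ipaddress.ip_network(public, strict=False)
    return p.prefixlen == q.prefixlen


def _shift(from_net: str, to_net: str, addr: str) -> Optional[str]:
    """Keep the host bits, swap the network part. None if addr is outside from_net."""
    f = ipaddress.ip_network(from_net, strict=False)
    t = ipaddress.ip_network(to_net, strict=False)
    a = ipaddress.ip_address(addr)
    if a not in f:
        return None
    return str(t.network_address + (int(a) - int(f.network_address)))


@dataclass(frozen=True)
class ReflexiveRule:
    private: str   # original source (outbound) / translated destination (inbound)
    public: str    # translated source (outbound) / original destination (inbound)

    def __post_init__(self):
        if not is_one_to_one(self.private, self.public):
            raise ValueError(f"reflexive NAT must be 1:1, got {self.private} -> {self.public}")

    def outbound(self, src: str) -> Optional[str]:
        return _shift(self.private, self.public, src)

    def inbound(self, dst: str) -> Optional[str]:
        return _shift(self.public, self.private, dst)


def nat_routes_to_advertise(rules: List[ReflexiveRule]) -> List[str]:
    """Public prefixes the T0 must redistribute ('NAT IP') so return traffic reaches it."""
    return [str(ipaddress.ip_network(r.public, strict=False)) for r in rules]


def missing_upstream(rules: List[ReflexiveRule], upstream_table: List[str]) -> List[str]:
    """NAT prefixes the upstream router carries neither exactly nor via a covering route.
    (A default route would trivially cover everything, so it is left out of the sample table.)"""
    ups = [ipaddress.ip_network(p, strict=False) for p in upstream_table]
    return [p for p in nat_routes_to_advertise(rules)
            if not any(ipaddress.ip_network(p).subnet_of(u) for u in ups)]


SUBNET = ReflexiveRule("192.168.20.0/24", "101.1.1.0/24")   # subnet example from the post
HOST = ReflexiveRule("192.168.20.10", "101.1.1.10")         # single host example from the post

# Constructed routing table as seen on the upstream router after the T0 redistributes NAT IPs.
UPSTREAM = ["10.0.0.0/8", "101.1.1.0/24"]

if __name__ == "__main__":
    print(SUBNET.outbound("192.168.20.10"), SUBNET.inbound("101.1.1.10"))
    print(nat_routes_to_advertise([SUBNET, HOST]))
    print("missing upstream:", missing_upstream([SUBNET, HOST], UPSTREAM))
```

Every address in 192.168.20.0/24 round-trips through outbound() and inbound(), which is what makes the mapping stateless: the gateway needs no connection table to know where a reply belongs. The constructor refuses a /24 -> single-address rule, mirroring the restriction in the paragraph above.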

Subnet example:

Single host example:

If you do reflexive NAT on the T0 gateway, make sure the T0 advertises the NAT IPs: under Route Re-distribution check the box 'NAT IP'.

Then verify on the upstream router that the routes actually arrive. Here we can see that 101.1.1.0/24 is received from the T0.
