In this post I’m going to cover the following:
- NAT concepts
- NAT configuration on NSX Edge
Network Address Translation (NAT) concepts
There are two types of NAT rules available within the NSX Edge Gateway:
- Source NAT (SNAT): translates the source IP address of outbound packets so that they appear to originate from a different network
- Use case: translate private (internal) IP addresses into a single public (globally routable) IP for all outbound traffic coming from the private address range;
- Destination NAT (DNAT): translates the destination IP address of inbound packets so that they are delivered to a target address in another network
- Use case: make a private (internal) service reachable (published) from the outside on a publicly accessible IP address
It's a fairly simple process to understand; it's probably easier to implement than to describe.
NAT configuration on NSX Edge
In the following diagram:
- 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 can be summarised as the supernet 172.16.0.0/19 (route summarisation is out of scope in this post; if you're interested and don't know the subject I suggest reading this Cisco article)
- 172.16.0.0/19 represents the internal, private network
- 192.168.100.4 represents my "public IP address". Every source IP coming from the subnet 172.16.0.0/19 will be translated into 192.168.100.4
- 172.16.10.10 is the private IP of a webserver I want to publish and make accessible to the outside subnet 192.168.100.0/24 (HQ Access)
- 192.168.100.5 represents the "public" IP address; traffic sent to it is going to be translated to 172.16.10.10
SNAT
Select the Edge Gateway > Manage > NAT > Add SNAT rule
From the point of view of the Edge Gateway, the interface the rule is applied on is the uplink towards the HQ; the SNAT rule only rewrites traffic leaving through that uplink.
DNAT
Select the Edge Gateway > Manage > NAT > Add DNAT rule
On DNAT rules it's also possible to specify port translations (what in the Cisco world is known as PAT): basically a range of original (destination) ports can be translated into different ports on the internal host. Keep in mind that a DNAT rule without a port restriction forwards every port of the internal host, and that NAT only rewrites addresses: the Edge firewall still needs a rule permitting the published service.
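The following is an added example, not code from the post or from NSX: a small Python model of the SNAT and DNAT rules described above, using the addresses from the diagram. It checks that the three /24s really fall inside the 172.16.0.0/19 summary, rewrites outbound sources to 192.168.100.4, rewrites inbound traffic for 192.168.100.5 to the webserver, and contrasts a port-restricted DNAT (the 80 to 8080 mapping is an assumption for illustration) with an unrestricted one that exposes every port of the internal host. First-match rule ordering and the per-direction evaluation (SNAT on traffic leaving the uplink, DNAT on traffic arriving) are modelled on how the rules are applied on the Edge.

```python
"""Model of NSX Edge SNAT/DNAT behaviour (added illustration, not NSX code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    action: str                            # "snat" or "dnat"
    original: str                          # address or CIDR matched in the packet
    translated: str                        # address written into the packet
    original_port: Optional[int] = None    # DNAT only: port the outside connects to
    translated_port: Optional[int] = None  # DNAT only: port the internal service listens on
    protocol: str = "any"

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and pkt.proto != self.protocol:
            return False
        net = ipaddress.ip_network(self.original, strict=False)
        if self.action == "snat":
            # SNAT matches on the source of outbound packets
            return ipaddress.ip_address(pkt.src) in net
        # DNAT matches on the destination (and optionally the port) of inbound packets
        if ipaddress.ip_address(pkt.dst) not in net:
            return False
        return self.original_port is None or pkt.dport == self.original_port


def apply_nat(pkt: Packet, rules: List[NatRule], direction: str) -> Packet:
    """Apply the first matching rule for the given direction ("out" or "in").

    SNAT rules are evaluated on traffic leaving through the uplink, DNAT rules
    on traffic arriving on it, mirroring where the rules are applied on the Edge.
    """
    wanted = "snat" if direction == "out" else "dnat"
    for rule in rules:
        if rule.action != wanted or not rule.matches(pkt):
            continue
        if rule.action == "snat":
            return replace(pkt, src=rule.translated)
        new_port = rule.translated_port if rule.translated_port is not None else pkt.dport
        return replace(pkt, dst=rule.translated, dport=new_port)
    return pkt  # no rule matched: packet forwarded untranslated


def covered_by(supernet: str, subnets: List[str]) -> bool:
    """True when every subnet falls inside the summary route."""
    summary = ipaddress.ip_network(supernet)
    return all(ipaddress.ip_network(s).subnet_of(summary) for s in subnets)


# Rules from the post's diagram; the 80 -> 8080 port translation is assumed.
RULES = [
    NatRule("snat", "172.16.0.0/19", "192.168.100.4"),
    NatRule("dnat", "192.168.100.5", "172.16.10.10",
            original_port=80, translated_port=8080, protocol="tcp"),
]
# A DNAT rule with no port restriction exposes every port of the internal host.
RULES_ANY_PORT = [NatRule("dnat", "192.168.100.5", "172.16.10.10")]


def demo() -> dict:
    """Constructed sample packets run through both rule sets."""
    outbound = Packet("172.16.20.7", "192.168.100.200", 40000, 443)
    inbound_web = Packet("192.168.100.50", "192.168.100.5", 50000, 80)
    inbound_ssh = Packet("192.168.100.50", "192.168.100.5", 50001, 22)
    return {
        "summary_ok": covered_by("172.16.0.0/19",
                                 ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]),
        "outbound": apply_nat(outbound, RULES, "out"),
        "web": apply_nat(inbound_web, RULES, "in"),
        "ssh_restricted": apply_nat(inbound_ssh, RULES, "in"),
        "ssh_any_port": apply_nat(inbound_ssh, RULES_ANY_PORT, "in"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the SSH packet left untouched (and therefore dropped, since 192.168.100.5 is not a real host behind the Edge) under the port-restricted rule, but forwarded to 172.16.10.10:22 under the unrestricted one; that difference is the reason to always pin the port on a DNAT rule that publishes a single service.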