NSX for Newbies – Part 10: Network Address Translation (NAT) on NSX

In this post I’m going to cover the following:

  • NAT concepts
  • NAT configuration on NSX Edge

Network Address Translation (NAT) concepts

There are two types of NAT rules available within the NSX Edge Gateway:

  • Source NAT (SNAT): translates the source IP address of outbound packets so that the packets appear to originate from a different network
    • Use case: translate private (internal) IP addresses into a public IP (globally routable) for all the traffic going outbound coming from the private addresses;
  • Destination NAT (DNAT): translates the destination IP address of inbound packets so that the packets are delivered to a target address in another network
    • Use case: make a private (internal) service available (published) from the outside on a publicly accessible IP address

It’s a fairly simple process to understand; it’s probably easier to implement than to describe.

NAT configuration on NSX Edge

In the following diagram:

  •, and could be summarised as the supernet (route summarisation is out of scope for this post; if you’re interested and don’t know the subject, I suggest you read this Cisco article)
  • represent the internal, private network
  • represents my “public IP address”. Every IP coming from the subnet will be translated into
  • is the private IP of a webserver I want to publish and make accessible to the outside subnet (HQ Access)
  • represent the “public” IP address that is going to be translated into

nat diagram


Select the Edge Gateway > Manage > NAT > Add SNAT rule

From the point of view of the Edge Gateway, the interface is an uplink to the HQ


Select the Edge Gateway > Manage > NAT > Add DNAT rule

On DNAT rules it’s also possible to specify port translations (what in the Cisco world is known as PAT): a range of source ports can be translated into different destination ports.
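A small Python model of the two rule types described in this post, added here as an illustration and not taken from the post or from NSX itself. All addresses are constructed (RFC 1918 and RFC 5737 ranges), the class and function names are hypothetical, and mapping a port range by offset is an assumption of the model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Snat:
    original_net: str      # internal source range to hide
    translated_ip: str     # address the outside network sees

@dataclass(frozen=True)
class Dnat:
    original_ip: str       # published ("public") address
    proto: str
    original_ports: range  # ports exposed on the published address
    translated_ip: str     # internal server
    translated_port: int   # first port on the internal server

def snat(pkt, rules):
    """Outbound: rewrite the source using the first matching rule."""
    for r in rules:
        if ip_address(pkt.src) in ip_network(r.original_net):
            return replace(pkt, src=r.translated_ip)
    return pkt  # no rule matched, source is left untouched

def dnat(pkt, rules):
    """Inbound: rewrite destination IP and port; None when no rule matches."""
    for r in rules:
        if (pkt.dst == r.original_ip and pkt.proto == r.proto
                and pkt.dport in r.original_ports):
            offset = pkt.dport - r.original_ports.start  # assumed offset mapping
            return replace(pkt, dst=r.translated_ip,
                           dport=r.translated_port + offset)
    return None

# Constructed sample rules: one SNAT for the internal supernet, and two
# internal servers published on the same address through different ports.
SNAT_RULES = [Snat("10.0.0.0/16", "192.0.2.1")]
DNAT_RULES = [
    Dnat("192.0.2.2", "tcp", range(8080, 8081), "10.0.1.11", 80),
    Dnat("192.0.2.2", "tcp", range(8443, 8444), "10.0.1.12", 443),
]
```

Publishing per port rather than per address means only the listed ports have a translation; in this model every other port on the published address returns `None`.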



 Add your comment
  1. Great writeup and diagram. This is great training for those new to NAT.

  2. Great post with good diagram. It helps me a lot.

  3. Does the DNAT have to be one to one? Are there any problems for NSX Netflow on this North-South traffic? Thanks!

  4. Hi Giuliano, great job. I cannot find out how the two IP addresses and are routed to the edge. Is it static routing in the L3 core?

  5. Hello Giuliano,

    Great guide and very useful and well made! I had a question, for the PAT rules, how would you specify rules to allow RDP access to 2 VMs using the same public IP?

    Would you state in the DNAT rule the source port for example being: 1000 and translated port being 3389? and for the other VM source port 1001 and translated port 3389?

    What would the firewall rules need to be? Would the firewall have to specify the ports 1000 and 1001?

    Would be great to understand how that works 🙂
