NSX for Newbies – Part 10: Network Address Translation (NAT) on NSX

In this post I’m going to cover the following:

  • NAT concepts
  • NAT configuration on NSX Edge

Network Address Translation (NAT) concepts

There are two types of NAT rules available within the NSX Edge Gateway

  • Source NAT (SNAT): translates the source IP address of outbound packets so that they appear to originate from a different network
    • Use case: translate private (internal) IP addresses into a public (globally routable) IP address for all outbound traffic coming from the private addresses;
  • Destination NAT (DNAT): translates the destination IP address of inbound packets so that they are delivered to a target address in another network
    • Use case: make a private (internal) service available (published) from the outside on a publicly accessible IP address

It’s a fairly simple process to understand; it’s probably easier to implement than to describe.

NAT configuration on NSX Edge

In the following diagram:

  • 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 can be summarised as the supernet 172.16.0.0/19 (route summarisation is out of scope for this post; if you’re interested and don’t know the subject, I suggest you have a read of this Cisco article)
  • 172.16.0.0/19 represents the internal, private network
  • 192.168.100.4 represents my “public IP address”. Every IP coming from the subnet 172.16.0.0/19 will be translated into 192.168.100.4
  • 172.16.10.10 is the private IP of a webserver that I want to publish and make accessible to the outside subnet 192.168.100.0/24 (HQ Access)
  • 192.168.100.5 represents the “public” IP address that is going to be translated into 172.16.10.10

[Figure: NAT diagram]

SNAT

Select the Edge Gateway > Manage > NAT > Add SNAT rule

From the point of view of the Edge Gateway, the interface on which the rule is applied is the uplink to the HQ

DNAT

Select the Edge Gateway > Manage > NAT > Add DNAT rule

On DNAT rules it’s also possible to specify port translations (what in the Cisco world is known as PAT): basically, a range of source ports can be translated into different destination ports.
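To make the SNAT/DNAT behaviour above concrete, here is an added example (not code from the original post and not VMware NSX code) that models the two rule types using the addresses from the diagram. It also computes the covering supernet 172.16.0.0/19 from the three /24s, so you can check that a SNAT rule written against the supernet really does match every internal host. The DNAT rule translates port 80 on 192.168.100.5 to port 8080 on the webserver; the port 8080 is an assumption made for this example, as is the rule and packet layout. First matching rule wins, which is how the evaluation is written here; a packet that no rule matches is returned unchanged, which is the check a defender wants: only the published port is reachable through the DNAT address.

```python
"""Added example: minimal model of NSX Edge-style SNAT/DNAT rule evaluation.

Addresses come from the post's diagram; the webserver port 8080 and the
packets below are constructed for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    action: str                            # "SNAT" or "DNAT"
    original: str                          # address or CIDR matched before translation
    translated: str                        # address written in its place
    original_port: Optional[int] = None    # DNAT only: port matched (None = any port)
    translated_port: Optional[int] = None  # DNAT only: port written in its place (None = keep)


def covering_supernet(cidrs: List[str]) -> str:
    """Smallest single prefix that contains every given network (inclusive summary).

    Starts from the first network and widens it one bit at a time until all
    networks fall inside it; this is the manual summarisation the post refers to.
    """
    nets = [ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def apply_nat(packet: Packet, rules: List[NatRule], direction: str) -> Tuple[Packet, Optional[NatRule]]:
    """Apply the first matching rule for the given direction.

    direction: "outbound" evaluates SNAT rules (source rewrite),
               "inbound" evaluates DNAT rules (destination rewrite).
    Returns (translated_packet, matched_rule); rule is None when nothing matched.
    """
    for rule in rules:
        if direction == "outbound" and rule.action == "SNAT":
            if ip_address(packet.src_ip) in ip_network(rule.original):
                return replace(packet, src_ip=rule.translated), rule
        elif direction == "inbound" and rule.action == "DNAT":
            addr_match = ip_address(packet.dst_ip) in ip_network(rule.original)
            port_match = rule.original_port is None or rule.original_port == packet.dst_port
            if addr_match and port_match:
                new_port = packet.dst_port if rule.translated_port is None else rule.translated_port
                return replace(packet, dst_ip=rule.translated, dst_port=new_port), rule
    return packet, None


# Rules from the post's diagram (port 8080 on the webserver is an assumption).
RULES = [
    NatRule("SNAT", "172.16.0.0/19", "192.168.100.4"),
    NatRule("DNAT", "192.168.100.5", "172.16.10.10", original_port=80, translated_port=8080),
]

INTERNAL_SUBNETS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]


if __name__ == "__main__":
    print("supernet:", covering_supernet(INTERNAL_SUBNETS))
    # Constructed traffic: an internal host going out, and HQ clients coming in.
    out, r = apply_nat(Packet("172.16.20.7", 40000, "192.168.100.50", 443), RULES, "outbound")
    print("outbound:", out, "via", r.action if r else "no rule")
    inn, r = apply_nat(Packet("192.168.100.50", 51000, "192.168.100.5", 80), RULES, "inbound")
    print("inbound :", inn, "via", r.action if r else "no rule")
    miss, r = apply_nat(Packet("192.168.100.50", 51000, "192.168.100.5", 22), RULES, "inbound")
    print("inbound :", miss, "via", r.action if r else "no rule (not published)")
```

The last packet in the demo (SSH to the public address) illustrates the point of a port-specific DNAT: nothing is translated, so the private webserver is only reachable on the port you chose to publish.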
