VMware Aria Operations for Networks supports Static NAT (SNAT), Dynamic NAT (DNAT), reflexive rules in the flows, and the VM-VM Path for NSX-V, NSX-T Edges, Fortinet, and Check Point.
The NAT flow support in VMware Aria Operations for Networks is as follows:
- VMware Aria Operations for Networks supports the nested NAT hierarchy for NSX for vSphere and NSX-T, and for physical devices, VMware Aria Operations for Networks supports the single hierarchy (DNAT) for Fortinet only.
- VMware Aria Operations for Networks supports the edges and the tier routers with NAT-defined uplinks.
Note: The NAT rules on the NSX Edge version 5.5 or the previous versions are not supported.
- VMware Aria Operations for Networks supports SNAT rules with range. However, DNAT must be one-to-one mapping between the destination and translated IP addresses (Parity with NSX for vSphere).
- For Check Point, NAT rules both auto or manually generated are supported for both the source and the destination as network, network-group, or address-range.
To view NAT rules, use the following queries:
- To view all the NAT rules in NSX-T, use the
NSX-T Edge NAT Rulequery.
- To view all the NAT rules NSX-V, use the Edge NAT Rules query.
- To view all the NAT rules in Fortinet, use the Fortinet NAT Rule query.
- To view all the NAT rules in Check Point, use the Check Point NAT Rule query.
- To view all the NAT rules, use the NAT Rule query.
- VMware Aria Operations for Networks does not support the following use cases:
- In NSX-T, NAT rules can be applied at the service level. For example, in NSX-T, L4 ports set is a type of service and the associated protocols can be TCP or UDP. So in the VM-VM path, the service level details are not supported.
- Any port level translation is not supported.
- The SNAT match destination address and the DNAT match source address are not supported. Use the SNAT match destination address as the destination IP address when you specify the SNAT rule. Use the DNAT match source address as the source IP address when you specify the DNAT rule. For example, if there is a destination IP address mentioned in the SNAT rule, VMware Aria Operations for Networks applies the SNAT rule irrespective of whether the packet has the destination address as the destination IP address.
- NSX-T Edge firewall has implications for the data path when enabled with the NAT service on the same logical router. If a flow matches both NAT and Edge firewall, the NAT lookup result takes precedence over firewall. So the firewall is not applied to that flow. If the flow matches only a firewall rule, then the firewall lookup result is honored for that flow.
- Service translation is not supported.
- vSEC NAT is not supported.