You can create a source NAT (SNAT) rule to change the source IP address from a public to private IP address or the reverse. You can create a destination NAT (DNAT) rule to change the destination IP address from a public to private IP address or the reverse.

When creating NAT rules, you can specify the original and translated IP addresses by using the following formats:

  • IP address; for example, 192.0.2.0
  • IP address range; for example, 192.0.2.0-192.0.2.24
  • IP address/subnet mask; for example, 192.0.2.0/24
  • any

When you configure a SNAT or a DNAT rule on an edge gateway in the VMware Cloud Director environment, you always configure the rule from the perspective of your organization virtual data center. A SNAT rule translates the source IP address of packets sent from an organization virtual data center network out to an external network or to another organization virtual data center network. A DNAT rule translates the IP address, and optionally the port, of packets received by an organization virtual data center network that are coming from an external network or from another organization virtual data center network.

Prerequisites

The public IP addresses must have been added to the NSX Data Center for vSphere edge gateway interface on which you want to add the rule. For DNAT rules, the original (public) IP address must have been added to the edge gateway interface and for SNAT rules, the translated (public) IP address must have been added to the interface.
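The address formats listed above, the "from the perspective of your organization virtual data center" rule (DNAT rewrites the destination of inbound packets, SNAT rewrites the source of outbound packets) and the public-IP prerequisite can all be checked in code. The following Python model is an added example, not VMware code and not the edge gateway's actual matching engine: it parses the four address formats, checks that the public side of a rule (DNAT original, SNAT translated) is already allocated to the interface, and applies a rule to sample packets. The interface name `uplink`, the allocated addresses and the packets are constructed sample data; translating to the first address of a translated range is a simplification.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Constructed sample data: public IPs allocated to the edge gateway's
# external interface (the page's prerequisite for SNAT/DNAT rules).
INTERFACE_PUBLIC_IPS = {"uplink": {"203.0.113.10", "203.0.113.11"}}


def parse_address_spec(spec: str) -> Callable[[str], bool]:
    """Matcher for the four formats: 'any', single IP, 'start-end' range, CIDR."""
    spec = spec.strip().lower()
    if spec == "any":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {spec}")
        return lambda ip: lo <= int(ipaddress.ip_address(ip)) <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    addr = ipaddress.ip_address(spec)
    return lambda ip: ipaddress.ip_address(ip) == addr


def spec_addresses(spec: str) -> List[str]:
    """Enumerate the addresses of an IP, range or CIDR spec ('any' is rejected)."""
    spec = spec.strip().lower()
    if spec == "any":
        raise ValueError("'any' is not allowed where a concrete public address is required")
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in spec.split("-", 1))
        return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    if "/" in spec:
        return [str(h) for h in ipaddress.ip_network(spec, strict=False)]
    return [str(ipaddress.ip_address(spec))]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class NatRule:
    """Fields mirror the DNAT/SNAT option tables. 'peer' and 'peer_port' are the
    optional DNAT Source IP address/Source Port or SNAT Destination IP Address/
    Destination Port; blank or None means no restriction."""
    kind: str                       # "DNAT" (outside coming inside) or "SNAT" (inside going outside)
    applied_on: str                 # interface the rule is applied on (assumed name)
    original: str                   # Original IP/Range (DNAT: public dst; SNAT: private src)
    translated: str                 # Translated IP/Range (DNAT: private dst; SNAT: public src)
    protocol: str = "any"
    original_port: Optional[int] = None    # DNAT only; the SNAT table has no port translation
    translated_port: Optional[int] = None  # DNAT only
    peer: str = ""
    peer_port: Optional[int] = None
    enabled: bool = True
    logging: bool = False


def check_prerequisite(rule: NatRule) -> bool:
    """The public side of the rule must already be allocated to the interface."""
    public_side = rule.original if rule.kind == "DNAT" else rule.translated
    allocated = INTERFACE_PUBLIC_IPS.get(rule.applied_on, set())
    return all(a in allocated for a in spec_addresses(public_side))


def apply_rule(rule: NatRule, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Return the packet after translation and a log line when logging is on.
    The packet is returned unchanged when the rule does not match."""
    if not rule.enabled or (rule.protocol != "any" and rule.protocol != pkt.protocol):
        return pkt, None
    if rule.kind == "DNAT":   # inbound: match on destination, restrict on source
        matched_ip, matched_port, peer_ip, peer_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
    else:                     # outbound: match on source, restrict on destination
        matched_ip, matched_port, peer_ip, peer_port = pkt.src, pkt.sport, pkt.dst, pkt.dport
    if not parse_address_spec(rule.original)(matched_ip):
        return pkt, None
    if rule.original_port is not None and matched_port != rule.original_port:
        return pkt, None
    if rule.peer and not parse_address_spec(rule.peer)(peer_ip):
        return pkt, None
    if rule.peer_port is not None and peer_port != rule.peer_port:
        return pkt, None
    new_ip = spec_addresses(rule.translated)[0]   # simplification: first translated address
    new_port = rule.translated_port if rule.translated_port is not None else matched_port
    out = replace(pkt, dst=new_ip, dport=new_port) if rule.kind == "DNAT" \
        else replace(pkt, src=new_ip, sport=new_port)
    log = None
    if rule.logging:  # constructed log format, not the edge gateway's own
        log = (f"{rule.kind} on {rule.applied_on}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
               f"translated to {out.src}:{out.sport} -> {out.dst}:{out.dport}")
    return out, log


# Sample rules: publish a VM's port 8443 as public 443, and hide the VM subnet behind one public IP.
DNAT_WEB = NatRule("DNAT", "uplink", "203.0.113.10", "192.168.10.5", protocol="tcp",
                   original_port=443, translated_port=8443, logging=True)
SNAT_OUT = NatRule("SNAT", "uplink", "192.168.10.0/24", "203.0.113.10", logging=True)

if __name__ == "__main__":
    for rule in (DNAT_WEB, SNAT_OUT):
        print(rule.kind, "prerequisite ok:", check_prerequisite(rule))
    print(apply_rule(DNAT_WEB, Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443)))
    print(apply_rule(SNAT_OUT, Packet("192.168.10.5", "198.51.100.7", "tcp", 40000, 443)))
```

The prerequisite check is the part worth keeping in mind when automating rule creation: a DNAT rule whose original address, or a SNAT rule whose translated address, is not on the interface will not do what the rule's description suggests, and a rule with logging enabled gives you the evidence to confirm which translation actually fired.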

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Click NAT to view the NAT Rules screen.
  3. Depending on which type of NAT rule you are creating, click DNAT Rule or SNAT Rule.
  4. Configure a Destination NAT rule (outside coming inside).
    Applied On: Select the interface on which to apply the rule.
    Original IP/Range: Type the required IP address or select the allocated IP address from the list.
      This address must be the public IP address of the edge gateway for which you are configuring the DNAT rule. In the packet being inspected, this IP address or range would be those that appear as the destination IP address of the packet. These packet destination addresses are the ones translated by this DNAT rule.
    Protocol: Select the protocol to which the rule applies. To apply this rule on all protocols, select Any.
    Original Port: (Optional) Select the port or port range that the incoming traffic uses on the edge gateway to connect to the internal network on which the virtual machines are connected. This selection is not available when the Protocol is set to ICMP or Any.
    ICMP Type: When you select ICMP (an error reporting and a diagnostic utility used between devices to communicate error information) for Protocol, select the ICMP Type from the drop-down menu.
      ICMP messages are identified by the type field. By default, the ICMP type is set to any.
    Translated IP/Range: Type the IP address or a range of IP addresses to which destination addresses on inbound packets will be translated.
      These addresses are the IP addresses of the one or more virtual machines for which you are configuring DNAT so that they can receive traffic from the external network.
    Translated Port: (Optional) Select the port or port range that inbound traffic is connecting to on the virtual machines on the internal network. These ports are the ones into which the DNAT rule is translating for the packets inbound to the virtual machines.
    Source IP address: If you want the rule to apply only for traffic from a specific domain, enter an IP address for this domain or an IP address range in CIDR format. If you leave this text box blank, the DNAT rule applies to all IP addresses that are in the local subnet.
    Source Port: (Optional) Enter a port number for the source.
    Description: (Optional) Enter a meaningful description for the DNAT rule.
    Enabled: Toggle on to activate this rule.
    Enable logging: Toggle on to have the address translation performed by this rule logged.
  5. Configure a Source NAT rule (inside going outside).
    Applied On: Select the interface on which to apply the rule.
    Original Source IP/Range: Type the original IP address or range of IP addresses to apply to this rule, or select the allocated IP address from the list.
      These addresses are the IP addresses of one or more virtual machines for which you are configuring the SNAT rule so that they can send traffic to the external network.
    Translated Source IP/Range: Type the required IP address.
      This address is always the public IP address of the gateway for which you are configuring the SNAT rule. It specifies the IP address to which source addresses (the virtual machines) on outbound packets are translated when they send traffic to the external network.
    Destination IP Address: (Optional) If you want the rule to apply only for traffic to a specific domain, enter an IP address for this domain or an IP address range in CIDR format. If you leave this text box blank, the SNAT rule applies to all destinations outside of the local subnet.
    Destination Port: (Optional) Enter a port number for the destination.
    Description: (Optional) Enter a meaningful description for the SNAT rule.
    Enabled: Toggle on to activate this rule.
    Enable logging: Toggle on to have the address translation performed by this rule logged.
  6. Click Keep to add the rule to the on-screen table.
  7. Repeat the steps to configure additional rules.
  8. Click Save changes to save the rules to the system.

What to do next

Add corresponding edge gateway firewall rules for the SNAT or DNAT rules you just configured. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.