Starting with VMware Cloud Director 10.5.1, you can configure NAT rules on a provider gateway that uses IP spaces.
Prerequisites
- Verify that you are a system administrator or that your role includes the Provider Gateway NAT: View and the Provider Gateway NAT: Manage rights.
- Verify that the provider gateway is using IP spaces.
- Verify that the provider gateway is private, which means that it is dedicated to a single organization.
- Verify that the backing NSX tier-0 router is in active-standby mode. Otherwise, you cannot set the NAT and Firewall Service Intentions of the provider gateway to Provider Gateways or to Provider and Edge Gateways.
- Verify that you configured the NAT and firewall topology intention for the provider gateway to Provider Gateways or to Provider and Edge Gateways. See Configure Route Advertisement Topology Intentions on a Provider Gateway in the VMware Cloud Director Service Provider Admin Portal.
Procedure
- From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
- From the secondary left panel, select Provider Gateways.
- Click the provider gateway.
- Under Services, click NAT.
- To add a NAT rule, click New.
- Enter a name and, optionally, a description for the rule.
- From the drop-down menu, select a NAT action and enter the settings it requires.
Action | Description | Settings
--- | --- | ---
SNAT | Translates the source IP address of outbound packets so that they appear to originate from a different network. | Enter an external IP address or CIDR notation. (Optional) Enter an internal IP address or CIDR notation. Enter a destination IP address or CIDR notation; this field applies only to SNAT and NO SNAT rules. To restrict the rule to traffic bound for a specific destination, enter the IP address of that destination or an IP address list. If you leave the destination blank, the rule applies to all destinations outside the local subnet.
NO SNAT | Turns off source NAT for the matching traffic. | Enter an external IP address or CIDR notation. (Optional) Enter a destination IP address or CIDR notation.
DNAT | Translates the destination IP address of inbound packets so that they are delivered to a target address in another network. | Enter an external IP address or CIDR notation. (Optional) Enter an external port. Enter an internal IP address or CIDR notation. From the drop-down menu, select the application port profile to which the rule applies; the profile defines the port and protocol that incoming traffic uses on the gateway to reach the internal network.
NO DNAT | Turns off destination NAT for the matching traffic. | Enter an external IP address or CIDR notation. (Optional) Enter an external port.
Reflexive | Translates addresses passing through the gateway in both directions: inbound packets have their destination address rewritten, and outbound packets have their source address rewritten. | Enter an external IP address or CIDR notation. Enter an internal IP address or CIDR notation.
- (Optional) Click Advanced Settings.
- To disable the rule upon creation, toggle off the State option.
This option is enabled by default.
- To enable logging, toggle on the Logging option.
- Enter a number to indicate the rule priority.
If more than one NAT rule matches the same IP address, the rule with the highest precedence is applied. A lower value means a higher precedence for the rule.
- From the drop-down menu, select how to expose the traffic that is subject to the NAT rule to the provider gateway firewall.
Option | Description
--- | ---
Match Internal Address | Apply the firewall to the internal address of the NAT rule. For SNAT, the internal address is the original source address before NAT is done. For DNAT, the internal address is the translated destination address after NAT is done.
Match External Address | Apply the firewall to the external address of the NAT rule. For SNAT, the external address is the translated source address after NAT is done. For DNAT, the external address is the original destination address before NAT is done.
Bypass | Bypass the firewall.
- From the drop-down menu, select an IP space uplink to which to apply the rule.
Note: If you haven't associated any of the provider gateway interfaces to the IP space uplink that you select, the NAT rule applies to all of the provider gateway interfaces.
- Click Save.
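The following model, added here as an illustration and not taken from VMware Cloud Director or NSX, walks through the settings of the procedure above with a constructed rule set: it picks the matching enabled rule with the lowest priority value, applies a destination filter on SNAT and NO SNAT rules, matches DNAT on external address and port, skips a rule whose State is toggled off, and reports which address the provider gateway firewall evaluates for each Match Internal Address, Match External Address or Bypass setting. It does not call the Cloud Director API. The packet dictionary layout and the assumption that a NO SNAT rule matches on the source range entered in its External IP field are choices of this model, not documented behaviour.

```python
"""Model of how a provider-gateway NAT rule set picks a rule and what the
gateway firewall then evaluates. Added, illustrative model for this page; not
VMware Cloud Director or NSX code, and it does not call the Cloud Director
API. Field names follow the UI labels used in the procedure.
Assumptions of this model: the packet dict layout, and that NO SNAT matches on
the source range entered in its External IP field.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    action: str                          # SNAT | NO_SNAT | DNAT | NO_DNAT
    external: str                        # "External IP" field: IP or CIDR
    internal: Optional[str] = None       # "Internal IP" field: IP or CIDR
    destination: Optional[str] = None    # SNAT / NO SNAT only: destination filter
    external_port: Optional[int] = None  # DNAT / NO DNAT only
    priority: int = 0                    # lower value = higher precedence
    enabled: bool = True                 # the "State" toggle
    firewall_match: str = "MATCH_INTERNAL_ADDRESS"  # or MATCH_EXTERNAL_ADDRESS, BYPASS


def _within(addr: str, scope: Optional[str]) -> bool:
    """True when addr is inside scope; an empty scope matches any address."""
    if scope is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(scope, strict=False)


def select_rule(rules, packet, direction):
    """Return the enabled matching rule with the lowest priority value, or None.

    packet: {"src": ip, "dst": ip, "dport": port}; direction: "outbound" | "inbound".
    """
    matches = []
    for r in rules:
        if not r.enabled:
            continue
        if direction == "outbound" and r.action in ("SNAT", "NO_SNAT"):
            # Model assumption: NO SNAT matches on the range in its External IP field.
            src_scope = r.external if r.action == "NO_SNAT" else r.internal
            if _within(packet["src"], src_scope) and _within(packet["dst"], r.destination):
                matches.append(r)
        elif direction == "inbound" and r.action in ("DNAT", "NO_DNAT"):
            port_ok = r.external_port is None or r.external_port == packet["dport"]
            if _within(packet["dst"], r.external) and port_ok:
                matches.append(r)
    matches.sort(key=lambda r: r.priority)  # stable sort: ties keep list order
    return matches[0] if matches else None


def apply_rule(rule, packet, direction):
    """Return (translated packet, address the provider gateway firewall sees).

    The second value is None when the rule bypasses the firewall.
    """
    out = dict(packet)
    original = packet["src"] if direction == "outbound" else packet["dst"]
    if rule is None:
        return out, original                      # no NAT; firewall sees the packet as is
    if rule.action == "SNAT":
        out["src"] = rule.external.split("/")[0]  # first address of the external range
        internal_addr, external_addr = packet["src"], out["src"]
    elif rule.action == "DNAT":
        out["dst"] = rule.internal.split("/")[0]
        internal_addr, external_addr = out["dst"], packet["dst"]
    else:                                         # NO SNAT / NO DNAT: nothing rewritten
        internal_addr = external_addr = original
    if rule.firewall_match == "BYPASS":
        return out, None
    if rule.firewall_match == "MATCH_EXTERNAL_ADDRESS":
        return out, external_addr
    return out, internal_addr


def process(rules, packet, direction):
    """Return (winning rule name or None, translated packet, firewall address)."""
    rule = select_rule(rules, packet, direction)
    translated, fw_addr = apply_rule(rule, packet, direction)
    return (rule.name if rule else None), translated, fw_addr


# Constructed sample rule set (documentation ranges only, not a real deployment).
RULES = [
    NatRule("snat-all", "SNAT", external="203.0.113.10", internal="10.10.0.0/16", priority=100),
    NatRule("no-snat-partner", "NO_SNAT", external="10.10.0.0/16",
            destination="198.51.100.0/24", priority=10),
    NatRule("snat-db-tier", "SNAT", external="203.0.113.11", internal="10.10.5.0/24",
            priority=50, firewall_match="MATCH_EXTERNAL_ADDRESS"),
    NatRule("dnat-web", "DNAT", external="203.0.113.20", external_port=443,
            internal="10.10.1.10", priority=0),
    NatRule("dnat-stale", "DNAT", external="203.0.113.20", internal="10.10.9.9",
            priority=0, enabled=False),
]

if __name__ == "__main__":
    for pkt, direction in [
        ({"src": "10.10.5.7", "dst": "192.0.2.1", "dport": 80}, "outbound"),
        ({"src": "10.10.5.7", "dst": "198.51.100.5", "dport": 443}, "outbound"),
        ({"src": "198.51.100.9", "dst": "203.0.113.20", "dport": 443}, "inbound"),
    ]:
        print(direction, pkt, "->", process(RULES, pkt, direction))
```

Two points the sample set is built to show: the NO SNAT rule with priority 10 exempts traffic to the partner range even though two SNAT rules with higher values also match, and the database-tier SNAT rule with Match External Address means a firewall rule written against 10.10.5.0/24 would not see that traffic; it would have to reference 203.0.113.11 instead. When you change the firewall match on a rule, re-check the provider gateway firewall rules that were written against the other address.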