Network address translation (NAT) maps one IP address space to another. You can configure NAT on tier-0 and tier-1 gateways.
The following types of NAT are supported, in addition to NAT64:
- Source NAT (SNAT) - translates the source IP address of outbound packets so that the packets appear to originate from a different network. Supported on tier-0/tier-1 gateways running in active-standby mode. For one-to-one SNAT, the SNAT translated IP address is not programmed on the loopback port, and there is no forwarding entry with an SNAT translated IP as the prefix. For n-to-one SNAT, the SNAT translated IP address is programmed on the loopback port, and users will see a forwarding entry with an SNAT translated IP address prefix.
- Destination NAT (DNAT) - translates the destination IP address of inbound packets so that the packets are delivered to a target address in another network. Supported on tier-0/tier-1 gateways running in active-standby mode.
- Reflexive NAT (sometimes called stateless NAT) - translates addresses passing through a routing device. Inbound packets undergo destination address rewriting, and outbound packets undergo source address rewriting. Because it is stateless, it does not keep session state. Supported on tier-0 gateways running in active-active mode. Stateful NAT is not supported in active-active mode.
You can also disable SNAT or DNAT for an IP address or a range of addresses. If an address has multiple NAT rules, the rule with the highest priority is applied.
Note: DNAT is not supported on a tier-1 gateway where policy-based IPSec VPN is configured.
SNAT configured on a tier-0 gateway's external interface processes traffic from a tier-1 gateway, and from another external interface on the tier-0 gateway.
Note: NAT is configured on the uplinks of the tier-0/tier-1 gateways and processes traffic going through this interface. This implies that tier-0 gateway NAT rules will not apply between two tier-1 gateways connected to the tier-0.
NAT64 is a mechanism for translating IPv6 packets to IPv4 packets, and vice versa. NAT64 allows IPv6-only clients to contact IPv4 servers using unicast UDP or TCP. NAT64 only allows an IPv6-only client to initiate communications to an IPv4-only server. To perform IPv6-IPv4 translation, binding and session information are saved. NAT64 is stateful.
- NAT64 is only supported for external IPv6 traffic coming in through the NSX-T edge uplink to the IPv4 server in the overlay.
- NAT64 supports TCP and UDP; packets of all other protocol types are discarded. NAT64 does not support ICMP, fragmentation, or IPv6 packets that have extension headers.
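When troubleshooting dropped traffic, the NAT64 restrictions above can be checked per packet from the IPv6 fixed header alone. The following is an added example, not NSX-T code: `nat64_verdict` and `build_ipv6` are hypothetical helpers, the sample packets are constructed, and mapping the page's "ICMP" to ICMPv6 (Next Header 58) is an assumption.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers).
TCP, UDP, FRAGMENT = 6, 17, 44
ICMPV6 = 58  # assumption: "ICMP" in the list above means ICMPv6 on the IPv6 side
# Remaining IPv6 extension headers: hop-by-hop, routing, ESP, AH,
# destination options, mobility, HIP, Shim6.
EXTENSION_HEADERS = {0, 43, 50, 51, 60, 135, 139, 140}


def nat64_verdict(packet: bytes) -> str:
    """Classify a raw IPv6 packet against the NAT64 limits listed above."""
    if len(packet) < 40:  # the IPv6 fixed header is 40 bytes
        return "discard: truncated IPv6 header"
    first_word, _length, next_header, _hops = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:  # version is the top 4 bits
        return "discard: not IPv6"
    if next_header in (TCP, UDP):
        return "translate"
    if next_header == FRAGMENT:
        return "discard: fragmentation not supported"
    if next_header in EXTENSION_HEADERS:
        # TCP/UDP behind an extension header is still rejected, because
        # the fixed header's Next Header names the extension header.
        return "discard: extension header present"
    if next_header == ICMPV6:
        return "discard: ICMP not supported"
    return "discard: protocol is not TCP or UDP"


def build_ipv6(next_header: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed IPv6 packet between documentation-range addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + src + dst + payload


if __name__ == "__main__":
    # Constructed samples: TCP, UDP, ICMPv6, fragment, hop-by-hop, GRE.
    for proto in (6, 17, 58, 44, 0, 47):
        print(proto, nat64_verdict(build_ipv6(proto)))
```
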
Note: When a NAT64 rule and an inline load balancer are configured on the same edge node, using the NAT64 rule to direct IPv6 packets to the IPv4 inline load balancer is not supported.