You can configure NAT and NAT 64 rules on a tier-0 or tier-1 gateway.

Note:

If a service is configured in the NAT rule, the translated port is realized on NSX Manager as the destination port: the service defines the destination port that traffic must match, and matching traffic is translated to the translated port. If no service is configured, the translated port is ignored.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Networking > NAT.
  3. Select a gateway.
  4. Next to View, select NAT or NAT64.
  5. Click Add NAT Rule or Add NAT 64 Rule.
  6. Enter a Name.
  7. If you are configuring NAT, select an action. For NAT 64, the action is NAT64.
    NAT option                              Description
    Tier-1 gateway                          Available actions are SNAT, DNAT, Reflexive, NO SNAT, and NO DNAT.
    Tier-0 gateway in active-standby mode   Available actions are SNAT, DNAT, NO SNAT, and NO DNAT.
    Tier-0 gateway in active-active mode    The available action is Reflexive.
  8. Enter a Source. If this text box is left blank, the NAT rule applies to all sources outside of the local subnet.
    Option   Description
    NAT      Specify an IP address, or an IP address range in CIDR format. For SNAT, NO_SNAT, and REFLEXIVE rules this text box is mandatory and represents the source network of the packets leaving the network.
    NAT64    Enter an IPv6 address, or an IPv6 address range in CIDR format.
  9. (Required) Enter a Destination.
    Option   Description
    NAT      Specify an IP address, or an IP address range in CIDR format.
    NAT64    Enter an IPv6 address, or an IPv6 address range in CIDR format with a /96 prefix. Only /96 is supported because the destination IPv4 address is embedded as the last 4 bytes of the IPv6 address.
  10. Enter a value for Translated IP.
    Option   Description
    NAT      Specify an IPv4 address, or an IP address range in CIDR format.
    NAT64    Specify an IPv4 address, a comma-separated list of IPv4 addresses, or an IPv4 address range. IPv4 CIDR is not supported.
  11. Toggle Enable to enable the rule.
  12. In the Service column, click Set to select services. See Add a Service for more information. For NAT64, select a predefined service or create a user-defined TCP or UDP service whose source/destination port is either Any or a specific port.
  13. For Apply To, click Set and select objects that this rule applies to.
    The available objects are Tier-0 Gateways, Interfaces, Labels, Service Instance Endpoints, and Virtual Endpoints.
    Note: If you are using NSX Federation and creating a NAT rule from a Global Manager appliance, you can select site-specific IP addresses for NAT. You can apply the NAT rule to any of the following location spans:
    • Do not click Set if you want to use the default option of applying the NAT rule to all locations.
    • Click Set. In the Apply To dialog box, select the locations whose entities you want to apply the rule to and then select Apply NAT rule to all entities.
    • Click Set. In the Apply To dialog box, select a location and then select Interfaces from the Categories drop-down menu. You can select specific interfaces to which you want to apply the NAT rule.
    See Features and Configurations Supported in Federation for more details.
  14. Enter a value for Translated Port. This value takes effect only if a service is configured in step 12; without a service the translated port is ignored (see the note above).
  15. Select a firewall setting.
    Option   Description
    NAT      Available settings are:
             • Match External Address - The packet is processed by firewall rules that match the combination of translated IP address and translated port.
               • For SNAT, the external address is the translated source address after NAT is done.
               • For DNAT, the external address is the original destination address before NAT is done.
               • For REFLEXIVE, for egress traffic the firewall is applied to the translated source address after NAT is done; for ingress traffic it is applied to the original destination address before NAT is done.
             • Match Internal Address - The packet is processed by firewall rules that match the combination of original IP address and original port.
               • For SNAT, the internal address is the original source address before NAT is done.
               • For DNAT, the internal address is the translated destination address after NAT is done.
               • For REFLEXIVE, for egress traffic the firewall is applied to the original source address before NAT is done; for ingress traffic it is applied to the translated destination address after NAT is done.
             • Bypass - The packet bypasses firewall rules.
    NAT64    The available setting is Bypass - the packet bypasses firewall rules.
  16. (Optional) Toggle the logging button to enable logging.
  17. Specify a priority value.
    A lower value means a higher priority. The default is 0.
  18. Click Save.
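The procedure above leaves several constraints to the UI (which actions each gateway type offers, which rule types need a source, the /96 prefix and non-CIDR translated IPs for NAT64, Bypass as the only NAT64 firewall setting, and the translated port being ignored without a service). The following Python is an added example, not VMware's code, that checks a rule against those constraints before it is submitted through whatever automation you use, and computes the NAT64 address embedding that step 9 describes. The rule dictionary keys, the sample addresses, and the service path /infra/services/HTTPS are constructed for the example.

```python
"""Added example (not VMware's code): check a NAT or NAT64 rule against the
constraints listed in the procedure above before submitting it, and show how
a NAT64 /96 destination prefix carries the IPv4 destination in its last 4 bytes.
Rule keys mirror the UI fields; the sample addresses are constructed."""
import ipaddress

# Actions the UI offers per gateway type and HA mode (step 7).
ALLOWED_ACTIONS = {
    ("tier-1", None): {"SNAT", "DNAT", "REFLEXIVE", "NO_SNAT", "NO_DNAT"},
    ("tier-0", "active-standby"): {"SNAT", "DNAT", "NO_SNAT", "NO_DNAT"},
    ("tier-0", "active-active"): {"REFLEXIVE"},
}
SOURCE_REQUIRED = {"SNAT", "NO_SNAT", "REFLEXIVE"}  # step 8
FIREWALL_SETTINGS = {"MATCH_EXTERNAL_ADDRESS", "MATCH_INTERNAL_ADDRESS", "BYPASS"}  # step 15

def _net(value, version=None):
    """Parse an address or CIDR; None if it is not one (of the given version)."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None
    return net if version in (None, net.version) else None

def _nat64_translated_ok(value):
    """NAT64 translated IP: one IPv4 address, a comma-separated list, or a
    range a-b. CIDR is rejected since IPv4Address() takes no prefix length."""
    for piece in value.split(","):
        lo, _, hi = piece.strip().partition("-")
        try:
            a = ipaddress.IPv4Address(lo)
            b = ipaddress.IPv4Address(hi) if hi else a
        except ValueError:
            return False
        if b < a:
            return False
    return True

def check_rule(rule, gateway, ha_mode=None):
    """Return a list of findings; an empty list means the rule is acceptable.
    Keys: action, source, destination, translated, service, translated_port,
    firewall (default BYPASS), priority (default 0)."""
    f = []
    action, nat64 = rule.get("action"), rule.get("action") == "NAT64"
    src, dst, xlat = rule.get("source"), rule.get("destination"), rule.get("translated")
    fw = rule.get("firewall", "BYPASS")
    if not nat64 and action not in ALLOWED_ACTIONS.get((gateway, ha_mode), ()):
        f.append(f"action {action} is not offered on a {gateway} gateway in {ha_mode or 'any'} mode")
    if action in SOURCE_REQUIRED and not src:
        f.append(f"{action} rules need a source network")
    if not dst:
        f.append("destination is required")
    if not xlat:
        f.append("translated IP is required")
    if fw not in FIREWALL_SETTINGS:
        f.append(f"unknown firewall setting {fw}")
    if rule.get("translated_port") and not rule.get("service"):
        f.append("translated port is ignored unless a service is set (see the note)")
    if int(rule.get("priority", 0)) < 0:
        f.append("priority must be 0 or greater (a lower value wins)")
    if not (dst and xlat):
        return f
    if nat64:
        if src and _net(src, 6) is None:
            f.append("NAT64 source must be an IPv6 address or CIDR")
        d = _net(dst, 6)
        if d is None or d.prefixlen != 96:
            f.append("NAT64 destination must be an IPv6 /96 prefix")
        if not _nat64_translated_ok(xlat):
            f.append("NAT64 translated IP must be IPv4 address(es) or a range, not CIDR")
        if fw != "BYPASS":
            f.append("NAT64 rules support only the Bypass firewall setting")
    else:
        if src and _net(src) is None:
            f.append("source must be an IP address or CIDR")
        if _net(dst) is None:
            f.append("destination must be an IP address or CIDR")
        if _net(xlat, 4) is None:
            f.append("translated IP must be an IPv4 address or CIDR")
    return f

def nat64_embed(prefix96, ipv4):
    """IPv6 address that a NAT64 rule with this /96 destination matches for an
    IPv4 destination: prefix in the top 96 bits, the 4 address bytes below."""
    net = ipaddress.IPv6Network(prefix96, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))

def nat64_extract(ipv6):
    """Inverse of nat64_embed: recover the IPv4 destination from the last 4 bytes."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF)

# Constructed sample rules (documentation address ranges; the service path is hypothetical).
DNAT_WEB = {"action": "DNAT", "destination": "203.0.113.10", "translated": "10.0.1.20",
            "service": "/infra/services/HTTPS", "translated_port": 8443,
            "firewall": "MATCH_EXTERNAL_ADDRESS", "priority": 10}
NAT64_OUT = {"action": "NAT64", "source": "2001:db8:1::/64", "destination": "64:ff9b::/96",
             "translated": "198.51.100.5-198.51.100.8"}
```

check_rule(DNAT_WEB, "tier-1") and check_rule(NAT64_OUT, "tier-1") both return an empty list; changing the NAT64 destination to 64:ff9b::/64, giving it a CIDR translated IP, or picking Match Internal Address for it each produce one finding, and an SNAT rule on an active-active tier-0 is flagged twice (action not offered, source missing). nat64_embed("64:ff9b::/96", "198.51.100.10") yields 64:ff9b::c633:640a, which is the IPv6 destination an IPv6 client sends to and the address the /96 rule matches; nat64_extract recovers 198.51.100.10 from it.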