You can configure NAT and NAT64 rules on a tier-0 or tier-1 gateway.

NAT64 is a mechanism for translating IPv6 packets to IPv4 packets, and vice versa. NAT64 allows IPv6-only clients to contact IPv4 servers using unicast UDP or TCP. NAT64 only allows an IPv6-only client to initiate communications to an IPv4-only server. NAT64 is stateful: binding and session information is saved to perform the IPv6-IPv4 translation.
  • NAT64 is only supported for external IPv6 traffic coming in through the NSX-T edge uplink to the IPv4 server in the overlay.
  • NAT64 supports TCP and UDP; packets of all other protocol types are discarded. NAT64 does not support ICMP, fragmentation, or IPv6 packets that have extension headers.

Note: When a NAT64 rule and an inline load balancer are configured on the same edge node, using the NAT64 rule to direct IPv6 packets to the IPv4 inline load balancer is not supported.

For NAT, source NAT (SNAT), destination NAT (DNAT), and reflexive NAT are supported. If a tier-0 gateway is running in active-active mode, you cannot configure SNAT or DNAT because asymmetrical paths might cause issues. You can only configure reflexive NAT (sometimes called stateless NAT). If a tier-0 gateway is running in active-standby mode, you can configure SNAT, DNAT, or reflexive NAT.

You can also disable SNAT or DNAT for an IP address or a range of addresses. If an address has multiple NAT rules, the rule with the highest priority is applied.

Note: DNAT is not supported on a tier-1 gateway where policy-based IPSec VPN is configured.

SNAT configured on a tier-0 gateway's external interface processes traffic from a tier-1 gateway, and from another external interface on the tier-0 gateway.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Networking > NAT.
  3. Select a gateway.
  4. Next to View, select NAT or NAT64.
  5. Click Add NAT Rule or Add NAT 64 Rule.
  6. Enter a Name.
  7. If you are configuring NAT, select an action. For NAT 64, the action is NAT64.
    NAT Option | Description
    Tier-1 gateway | Available actions are SNAT, DNAT, Reflexive, NO SNAT, and NO DNAT.
    Tier-0 gateway in active-standby mode | Available actions are SNAT, DNAT, NO SNAT, and NO DNAT.
    Tier-0 gateway in active-active mode | The available action is Reflexive.
  8. Enter a Source. If this text box is left blank, the NAT rule applies to all sources outside of the local subnet.
    Option | Description
    NAT | Specify an IP address, or an IP address range in CIDR format. For SNAT, NO_SNAT and REFLEXIVE rules, this is a mandatory text box and represents the source network of the packets leaving the network.
    NAT64 | Enter an IPv6 address, or an IPv6 CIDR.
  9. (Required) Enter a Destination.
    Option | Description
    NAT | Specify an IP address, or an IP address range in CIDR format.
    NAT64 | Enter an IPv6 address, or an IPv6 address range in CIDR format with the prefix /96. The prefix /96 is supported because the destination IPv4 address is embedded as the last 4 bytes of the IPv6 address.
  10. Enter a value for Translated IP.
    Option | Description
    NAT | Specify an IPv4 address, or an IP address range in CIDR format.
    NAT64 | Specify an IPv4 address, a comma-separated list of IPv4 addresses, or an IPv4 address range. IPv4 CIDR is not supported.
  11. Toggle Enable to enable the rule.
  12. In the Service column, click Set to select services. See Add a Service for more information. For NAT 64, select a pre-defined service or create a user-defined service with TCP or UDP, with the source/destination port as Any, or a specific port.
  13. For Apply To, click Set and select objects that this rule applies to.
    The available objects are Tier-0 Gateways, Interfaces, Labels, Service Instance Endpoints, and Virtual Endpoints.
    Note: If you are using Federation and creating a NAT rule from a Global Manager appliance, you can select site-specific IP addresses for NAT. You can apply the NAT rule to any of the following location spans:
    • Do not click Set if you want to use the default option of applying the NAT rule to all locations.
    • Click Set. In the Apply To dialog box, select the locations whose entities you want to apply the rule to and then select Apply NAT rule to all entities.
    • Click Set. In the Apply To dialog box, select a location and then select Interfaces from the Categories drop-down menu. You can select specific interfaces to which you want to apply the NAT rule.
    See Features and Configurations Supported in Federation for more details.
  14. Enter a value for Translated Port.
  15. Select a firewall setting.
    Option | Description
    NAT | Available settings are:
    • Match External Address - The packet is processed by firewall rules that match the combination of translated IP address and translated port.
    • Match Internal Address - The packet is processed by firewall rules that match the combination of original IP address and original port.
    • Bypass - The packet bypasses firewall rules.
    NAT64 | The available setting is Bypass - the packet bypasses firewall rules.
  16. (Optional) Toggle the logging button to enable logging.
  17. Specify a priority value.
    A lower value means a higher priority. The default is 0.
  18. Click Save.
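
The NAT64 input constraints from steps 8 through 15 can be checked before a rule is entered. The following Python sketch is an added example, not VMware code: the dictionary keys, the hyphenated start-end range syntax, and the sample addresses are assumptions made for illustration. It also shows how the IPv4 server address is recovered from the last 4 bytes of an IPv6 destination inside a /96 prefix.

```python
import ipaddress

def embedded_ipv4(ipv6_dest):
    """IPv4 address carried in the last 4 bytes of a NAT64 IPv6 destination."""
    return ipaddress.IPv4Address(ipaddress.IPv6Address(ipv6_dest).packed[-4:])

def _ipv4_or_range(item):
    """True for one IPv4 address or a start-end range (assumed syntax); CIDR fails."""
    parts = [p.strip() for p in item.split("-")]
    try:
        addrs = [ipaddress.IPv4Address(p) for p in parts]
    except ValueError:
        return False
    return len(addrs) == 1 or (len(addrs) == 2 and addrs[0] <= addrs[1])

def check_nat64_rule(rule):
    """Return a list of problems; an empty list means the inputs fit the constraints."""
    problems = []
    if rule.get("source"):  # a blank source is allowed and matches all sources
        try:
            ipaddress.IPv6Network(rule["source"], strict=False)
        except ValueError:
            problems.append("source must be an IPv6 address or IPv6 CIDR")
    try:
        dst = ipaddress.IPv6Network(rule.get("destination", ""), strict=False)
        if dst.prefixlen not in (96, 128):  # 128 = a single IPv6 address
            problems.append("destination CIDR must use the /96 prefix")
    except ValueError:
        problems.append("destination is required: IPv6 address or /96 CIDR")
    translated = rule.get("translated_ip", "")
    if not translated or not all(_ipv4_or_range(i) for i in translated.split(",")):
        problems.append("translated IP must be IPv4 address(es) or a range, not CIDR")
    if rule.get("protocol") not in ("TCP", "UDP"):
        problems.append("service must be TCP or UDP")
    if rule.get("firewall", "Bypass") != "Bypass":
        problems.append("the only NAT64 firewall setting is Bypass")
    return problems

# Constructed sample rules; 64:ff9b::/96 and 2001:db8::/32 are example prefixes.
GOOD = {"source": "2001:db8:1::/64", "destination": "64:ff9b::/96",
        "translated_ip": "10.10.10.5, 10.10.10.6", "protocol": "TCP"}
BAD = {"destination": "64:ff9b::/64", "translated_ip": "10.10.10.0/24",
       "protocol": "ICMP"}

if __name__ == "__main__":
    print(embedded_ipv4("64:ff9b::c000:221"))  # IPv4 taken from the last 4 bytes
    print(check_nat64_rule(GOOD))
    for problem in check_nat64_rule(BAD):
        print("-", problem)
```

Because Bypass is the only firewall setting for NAT64, traffic matching a rule that passes this check is not filtered by gateway firewall rules, so the source and service fields are the only scoping the rule provides.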