Network address translation (NAT) maps one IP address space to another. You can configure NAT on tier-0 and tier-1 gateways.
The following diagram shows how NAT can be configured.
- Source NAT (SNAT) - translates a source IP address of outbound packets so that packets appear as originating from a different network. Supported on tier-0/tier-1 gateways running in active-standby mode. For one-to-one SNAT, the SNAT translated IP address is not programmed on the loopback port, and there is no forwarding entry with an SNAT translated IP as the prefix. For n-to-one SNAT, the SNAT translated IP address is programmed on the loopback port, and users will see a forwarding entry with an SNAT-translated IP address prefix. NSX-T SNAT is designed to be applied to traffic that egresses the NSX environment.
- Destination NAT (DNAT) - translates the destination IP address of inbound packets so that packets are delivered to a target address in another network. Supported on tier-0/tier-1 gateways running in active-standby mode. NSX-T DNAT is designed to be applied to traffic that ingresses the NSX environment.
- Reflexive NAT (sometimes called stateless NAT) - translates addresses passing through a routing device. Inbound packets undergo destination address rewriting, and outbound packets undergo source address rewriting. Because it is stateless, it does not keep session state. Supported on tier-0 gateways running in active-active or active-standby mode, and on tier-1 gateways. Stateful NAT is not supported in active-active mode.
You can also disable SNAT or DNAT for an IP address or a range of addresses (No-SNAT/No-DNAT). If an address has multiple NAT rules, the rule with the highest priority is applied.
- Do not click Set under Apply To if you want the default option of applying the NAT rule to all locations.
- Under Apply To, click Set and select the locations whose entities you want to apply the rule to and then select Apply NAT rule to all entities.
- Under Apply To, click Set, select a location and then select Interfaces from the Categories drop-down menu. You can select specific interfaces to which you want to apply the NAT rule.
- DNAT is not supported on a tier-1 gateway where policy-based IPSec VPN is configured.
- SNAT configured on a tier-0 gateway's external interface processes traffic from a tier-1 gateway, and from another external interface on the tier-0 gateway.
- NAT is configured on the uplinks of the tier-0/tier-1 gateways and processes traffic going through this interface. This means that tier-0 gateway NAT rules will not apply between two tier-1 gateways connected to the tier-0.
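The support constraints in the NAT type list and the notes above can be checked mechanically before a change is pushed. The following is an added example, not VMware code: the Gateway and NatRule records, their field names, and the sample inventory are hypothetical and constructed for illustration, and only the two rules the page states outright are enforced.

```python
from dataclasses import dataclass

STATEFUL = {"SNAT", "DNAT"}  # NAT types the page ties to active-standby mode

@dataclass
class Gateway:                      # hypothetical inventory record, not an NSX API object
    name: str
    tier: int                       # 0 or 1
    ha_mode: str                    # "ACTIVE_ACTIVE" or "ACTIVE_STANDBY"
    policy_ipsec_vpn: bool = False  # policy-based IPSec VPN configured on this gateway

@dataclass
class NatRule:                      # hypothetical rule record
    name: str
    gateway: str
    action: str                     # "SNAT", "DNAT", "REFLEXIVE", "NO_SNAT", "NO_DNAT"

def lint(gateways, rules):
    """Return (rule name, reason) for each rule the page describes as unsupported."""
    by_name = {g.name: g for g in gateways}
    findings = []
    for r in rules:
        gw = by_name.get(r.gateway)
        if gw is None:
            findings.append((r.name, "rule references an unknown gateway"))
            continue
        # Stateful NAT is not supported in active-active mode; reflexive NAT is.
        if r.action in STATEFUL and gw.ha_mode == "ACTIVE_ACTIVE":
            findings.append((r.name, f"stateful {r.action} on active-active gateway {gw.name}"))
        # DNAT is not supported on a tier-1 gateway with policy-based IPSec VPN.
        if r.action == "DNAT" and gw.tier == 1 and gw.policy_ipsec_vpn:
            findings.append((r.name, f"DNAT on tier-1 {gw.name} with policy-based IPSec VPN"))
    return findings

# Constructed sample inventory (names are made up).
SAMPLE_GATEWAYS = [
    Gateway("t0-edge-aa", 0, "ACTIVE_ACTIVE"),
    Gateway("t0-edge-as", 0, "ACTIVE_STANDBY"),
    Gateway("t1-vpn", 1, "ACTIVE_STANDBY", policy_ipsec_vpn=True),
]
SAMPLE_RULES = [
    NatRule("snat-egress", "t0-edge-aa", "SNAT"),         # flagged: stateful on active-active
    NatRule("reflexive-web", "t0-edge-aa", "REFLEXIVE"),  # allowed: stateless
    NatRule("dnat-web", "t0-edge-as", "DNAT"),            # allowed: active-standby tier-0
    NatRule("dnat-vpn", "t1-vpn", "DNAT"),                # flagged: tier-1 with IPSec VPN
    NatRule("snat-vpn", "t1-vpn", "SNAT"),                # allowed: the VPN limit covers DNAT only
]

if __name__ == "__main__":
    for name, reason in lint(SAMPLE_GATEWAYS, SAMPLE_RULES):
        print(f"{name}: {reason}")
```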
NAT Support Matrices
|DNAT||Yes||Yes||* configurable, but not supported||Yes||* configurable, but not supported|