You can configure NAT and NAT 64 rules on a tier-0 or tier-1 gateway.
Note: In NSX-T Data Center 3.1 and later, if there is a service interface configured in this NAT rule, the translated_port will be realized on NSX Manager as the destination_port. This means the service will be the translated port while the translated port is used to match the traffic as destination port. If there is no service configured, the port will be ignored.
- From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
- Select .
- Select a gateway.
- Next to View, select NAT or NAT64.
- Click Add NAT Rule or Add NAT 64 Rule.
- Enter a Name.
- If you are configuring NAT, select an action. For NAT 64, the action is NAT64.
  | NAT Option | Description |
  | --- | --- |
  | Tier-1 gateway | Available actions are SNAT, DNAT, Reflexive, NO SNAT, and NO DNAT. |
  | Tier-0 gateway in active-standby mode | Available actions are SNAT, DNAT, NO SNAT, and NO DNAT. |
  | Tier-0 gateway in active-active mode | The available action is Reflexive. |
- Enter a Source. If this text box is left blank, the NAT rule applies to all sources outside of the local subnet.
  | Option | Description |
  | --- | --- |
  | NAT | Specify an IP address, or an IP address range in CIDR format. For SNAT, NO_SNAT and REFLEXIVE rules, this is a mandatory text box and represents the source network of the packets leaving the network. |
  | NAT64 | Enter an IPv6 address, or an IPv6 CIDR. |
- (Required) Enter a Destination.
  | Option | Description |
  | --- | --- |
  | NAT | Specify an IP address, or an IP address range in CIDR format. |
  | NAT64 | Enter an IPv6 address, or an IPv6 address range in CIDR format with the prefix /96. The prefix /96 is supported because the destination IPv4 address is embedded as the last 4 bytes in the IPv6 address. |
- Enter a value for Translated IP.
  | Option | Description |
  | --- | --- |
  | NAT | Specify an IPv4 address, or an IP address range in CIDR format. |
  | NAT64 | Specify an IPv4 address, a comma-separated list of IPv4 addresses, or an IPv4 address range. IPv4 CIDR is not supported. |
- Toggle Enable to enable the rule.
- In the Service column, click Set to select services. See Add a Service for more information. For NAT 64, select a pre-defined service or create a user-defined service with TCP or UDP, with the source/destination port as Any, or a specific port.
- For Apply To, click Set and select objects that this rule applies to.
The available objects are Tier-0 Gateways, Interfaces, Labels, Service Instance Endpoints, and Virtual Endpoints.
Note: If you are using NSX Federation and creating a NAT rule from a Global Manager appliance, you can select site-specific IP addresses for NAT. You can apply the NAT rule to any of the following location spans:
- Do not click Set if you want to use the default option of applying the NAT rule to all locations.
- Click Set. In the Apply To dialog box, select the locations whose entities you want to apply the rule to and then select Apply NAT rule to all entities.
- Click Set. In the Apply To dialog box, select a location and then select Interfaces from the Categories drop-down menu. You can select specific interfaces to which you want to apply the NAT rule.
- Enter a value for Translated Port.
- Select a firewall setting.
  - NAT: Available settings are:
    - Match External Address - The packet is processed by firewall rules that match the combination of translated IP address and translated port.
    - Match Internal Address - The packet is processed by firewall rules that match the combination of original IP address and original port.
    - Bypass - The packet bypasses firewall rules.
  - NAT64: The available setting is Bypass - the packet bypasses firewall rules.
- (Optional) Toggle the logging button to enable logging.
- Specify a priority value.
A lower value means a higher priority. The default is 0.
- Click Save.
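The constraints stated in the steps above can be checked before a rule is entered. The following is an added example, not VMware code and not the NSX API schema: the dictionary field names, gateway labels and firewall-setting constants are assumptions made here, and `embedded_ipv4` shows how the IPv4 destination sits in the last 4 bytes of a /96 NAT64 address.

```python
import ipaddress

# Actions per gateway type as listed on the page; the dict keys are labels made up here.
ALLOWED_ACTIONS = {
    "tier1": {"SNAT", "DNAT", "REFLEXIVE", "NO_SNAT", "NO_DNAT"},
    "tier0_active_standby": {"SNAT", "DNAT", "NO_SNAT", "NO_DNAT"},
    "tier0_active_active": {"REFLEXIVE"},
}
SOURCE_REQUIRED = {"SNAT", "NO_SNAT", "REFLEXIVE"}
FIREWALL_SETTINGS = {"MATCH_EXTERNAL", "MATCH_INTERNAL", "BYPASS"}

def embedded_ipv4(ipv6_addr):
    """IPv4 address carried in the last 4 bytes of a NAT64 destination address."""
    return ipaddress.IPv4Address(ipaddress.IPv6Address(ipv6_addr).packed[-4:])

def lint_rule(rule):
    """Return findings for one rule dict; its field names are assumptions of this example."""
    findings = []
    action, dest, fw = rule["action"], rule.get("destination"), rule.get("firewall")
    if not dest:
        findings.append("destination is required")
    if action == "NAT64":
        try:
            net = ipaddress.ip_network(dest or "", strict=False)
            ok = net.version == 6 and net.prefixlen in (96, 128)
        except ValueError:
            ok = False
        if dest and not ok:
            findings.append("NAT64 destination must be an IPv6 address or a /96 prefix")
        if "/" in rule.get("translated_ip", ""):
            findings.append("NAT64 translated IP must not be an IPv4 CIDR")
        if fw != "BYPASS":
            findings.append("NAT64 supports only the Bypass firewall setting")
    else:
        if action not in ALLOWED_ACTIONS.get(rule["gateway"], set()):
            findings.append(f"{action} is not available on {rule['gateway']}")
        if action in SOURCE_REQUIRED and not rule.get("source"):
            findings.append(f"{action} requires a source network")
        if fw not in FIREWALL_SETTINGS:
            findings.append("unknown firewall setting")
        elif fw == "BYPASS":  # worth a second look: this traffic skips firewall rules
            findings.append("review: Bypass skips firewall rules")
    return findings

# Constructed sample rules (documentation address ranges), not from a real deployment.
BAD_SNAT = {"gateway": "tier0_active_active", "action": "SNAT", "source": "",
            "destination": "203.0.113.0/24", "translated_ip": "198.51.100.5", "firewall": "BYPASS"}
BAD_NAT64 = {"gateway": "tier1", "action": "NAT64", "destination": "64:ff9b::/64",
             "translated_ip": "198.51.100.0/28", "firewall": "MATCH_EXTERNAL"}
GOOD_NAT64 = dict(BAD_NAT64, destination="64:ff9b::/96", translated_ip="198.51.100.5", firewall="BYPASS")
```

Calling `lint_rule` on each sample returns the list of violated constraints, and an empty list for a rule that satisfies all of them.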