Destination NAT changes the destination address in IP header of a packet. It can also change the destination port in the TCP/UDP headers. The typical usage of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network.

You can create a rule to either enable or disable destination NAT.

In this example, as packets are received from the app VM, the Tenant2NAT tier-1 router changes the destination IP address of the packets from to Having a public destination IP address enables a destination inside a private network to be contacted from outside of the private network.



  1. With admin privileges, log in to NSX Manager.
  2. Select Networking > Tier-1 Logical Routers.
  3. Click a tier-1 logical router on which you want to configure NAT.
  4. Select Services > NAT.
  5. Click ADD.
  6. Specify a priority value.
    A lower value means a higher precedence for this rule.
  7. For Action, select DNAT to enable destination NAT, or NO_DNAT to disable destination NAT.
  8. Select the protocol type.
    By default, Any Protocol is selected.
  9. (Optional) For Source IP, specify an IP address or an IP address range in CIDR format.
    If you leave Source IP blank, the NAT applies to all sources outside of the local subnet.
  10. For Destination IP, specify an IP address or a comma-separated IP address list.
    In this example, the destination IP address is
  11. If Action is DNAT, for Translated IP, specify an IP address or an IP address range in CIDR format.
    In this example, the inside/translated IP address is
  12. (Optional) If Action is DNAT, for Translated Ports, specify the translated ports.
  13. (Optional) For Applied To, select a router port.
  14. (Optional) Set the status of the rule.
    The rule is enabled by default.
  15. (Optional) Change the logging status.
    Logging is disabled by default.
  16. (Optional) Change the firewall bypass setting.
    The setting is enabled by default.


The new rule is listed under NAT. For example:

NSX Manager showing NAT information

What to do next

Configure the tier-1 router to advertise NAT routes.

To advertise the NAT routes upstream from the tier-0 router to the physical architecture, configure the tier-0 router to advertise tier-1 NAT routes.