You can configure different types of NAT (Network Address Translation) for IPv4 on a tier-0 or tier-1 gateway. The NAT firewall setting on a rule determines how the gateway firewall is applied when a traffic flow matches both gateway firewall rules and a NAT rule.

NAT firewall policy allows you to define whether firewall rules match external or internal IP addresses. Internal addresses are IP addresses assigned to hosts or VMs inside the NSX domain. External addresses are IP addresses assigned to hosts or VMs outside the NSX domain.

Note: If a service is configured on a NAT rule, NSX Manager realizes the rule with the service port and the Translated Port swapped: the service port becomes the port the traffic is translated to, while the value entered as Translated Port is used as the destination port to match. If no service is configured, the port is ignored.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select Networking > NAT.
  3. Select a gateway from the Gateway dropdown list.
  4. Next to View, select NAT.
  5. Click Add NAT Rule.
  6. Enter a Name.
  7. Select an action.
    Available actions by gateway type:
    • Tier-1 gateway: SNAT, DNAT, Reflexive, NO SNAT, and NO DNAT.
    • Tier-0 gateway in active-standby mode: SNAT, DNAT, Reflexive, NO SNAT, and NO DNAT.
    • Tier-0 gateway in active-active mode: Reflexive only.
  8. Enter a Source. If this text box is left blank, the NAT rule applies to all sources outside of the local subnet.
    Specify an IP address, or an IP address range in CIDR format. For SNAT, NO SNAT and Reflexive rules this field is required and represents the source network of the packets leaving the network (the original source address before translation).
  9. Enter a Destination.
    Specify an IP address, or an IP address range in CIDR format. For DNAT and NO DNAT rules this field is required and represents the destination network of the packets entering the network (the original destination address before translation). This field is not applicable for Reflexive.
  10. Enter a value for Translated IP.
    Specify an IPv4 address, or an IP address range in CIDR format. For SNAT, if the translated range is smaller than the matched source range (for example, a whole subnet translated to a single address), the rule operates as PAT (port address translation) and distinguishes flows by source port.
  11. Toggle Enable to enable the rule.
  12. (Optional) In the Service column, click Set to select the services (protocol and ports) the rule should match.
  13. (Optional) Enter a value for Translated Port.
    If a service is configured on the rule, NSX Manager realizes the rule with the service port and the Translated Port swapped: the service port becomes the port the traffic is translated to, while the value entered as Translated Port is used as the destination port to match. If no service is configured, the Translated Port is ignored, so a port-forwarding DNAT rule needs both a service and a translated port.
  14. (Optional) For Apply To, click Set and select objects that this rule applies to.
    The available objects are Tier-0 Gateways, Interfaces, Labels, Service Instance Endpoints, and Virtual Endpoints.
    Note: If you are using NSX Federation and creating a NAT rule from a Global Manager appliance, you can select site-specific IP addresses for NAT. You can apply the NAT rule to any of the following location spans:
    • Do not click Set if you want to use the default option of applying the NAT rule to all locations.
    • Click Set. In the Applied To | New Rule dialog box, select the locations whose entities you want to apply the rule to and then click Apply.
    • Click Set. In the Applied To | New Rule dialog box, select a location and then select Interfaces from the Categories drop-down menu. You can select specific interfaces to which you want to apply the NAT rule.
    • Click Set. In the Applied To | New Rule dialog box, select a location and then select VTI from the Categories drop-down menu. You can select specific VTIs to which you want to apply the NAT rule.
    See Features and Configurations Supported in NSX Federation for more details.
  15. (Optional) Select the NAT firewall policy setting.
    The available firewall settings are:
    • Match External Address - The firewall will be applied to external address of a NAT rule.
      • For SNAT, the external address is the translated source address after NAT is done.
      • For DNAT, the external address is the original destination address before NAT is done.
      • For REFLEXIVE, to egress traffic, the firewall is applied to the translated source address after NAT is done. For ingress traffic, the firewall is applied to the original destination address before NAT is done.
    • Match Internal Address - The firewall will be applied to the internal address of a NAT rule.
      • For SNAT, the internal address is the original source address before NAT is done.
      • For DNAT, the internal address is the translated destination address after NAT is done.
      • For REFLEXIVE, for egress traffic, the firewall is applied to the original source address before NAT is done. For ingress traffic, the firewall is applied to the translated destination address after NAT is done.
    • Bypass - The packet bypasses the gateway firewall rules entirely, so traffic matched by this NAT rule is not inspected by the gateway firewall in either direction. Use this only where the NAT rule is tightly scoped.
  16. (Optional) Toggle the Logging button to enable logging.
  17. (Optional) Specify a priority value.
    A lower value means a higher priority. The default is 0. A No SNAT or No DNAT rule must be given a lower value (higher priority) than the SNAT or DNAT rules it is meant to exempt traffic from, so that it is evaluated first; otherwise the translating rule wins and the exemption never applies.
  18. Click Save.
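The same rule definition can be submitted to NSX Manager through the Policy API instead of the UI. The following is an added example, not VMware's code: it composes the request bodies for an SNAT rule, a NO SNAT exemption and a port-forwarding DNAT rule, enforces the per-action field requirements from steps 7 to 13, flags an exemption whose priority value would never let it win (step 17), and reports whether an SNAT rule will behave as PAT (step 10). The field names follow the PolicyNatRule object of the NSX Policy API as I know it (`source_network`, `destination_network`, `translated_network`, `translated_ports`, `service`, `firewall_match`, `sequence_number`, `scope`); the gateway id `t1-web`, the rule ids, the addresses and the assumption that user rules live under the `USER` NAT section are constructed for illustration, and the block does not send any request.

```python
"""Compose and sanity-check NSX Policy API NAT rule bodies (added example, not VMware's code)."""
import ipaddress
import json

VALID_ACTIONS = {"SNAT", "DNAT", "REFLEXIVE", "NO_SNAT", "NO_DNAT"}
# Actions the UI offers per gateway type (step 7).
ACTIONS_BY_GATEWAY = {
    "tier-1": VALID_ACTIONS,
    "tier-0-active-standby": VALID_ACTIONS,
    "tier-0-active-active": {"REFLEXIVE"},
}
FIREWALL_MATCH = {"MATCH_EXTERNAL_ADDRESS", "MATCH_INTERNAL_ADDRESS", "BYPASS"}
NAT_SECTION = "USER"  # assumption: user-defined rules are stored in the USER NAT section


def is_pat(source_cidr, translated_cidr):
    """SNAT acts as PAT when the translated range is smaller than the matched source range (step 10)."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    xlat = ipaddress.ip_network(translated_cidr, strict=False)
    return xlat.num_addresses < src.num_addresses


def build_nat_rule(gateway_kind, rule_id, action, *, source=None, destination=None,
                   translated=None, service=None, translated_port=None, scope=None,
                   firewall_match="MATCH_INTERNAL_ADDRESS", logging=False,
                   sequence_number=0, enabled=True):
    """Return a PolicyNatRule body, enforcing the per-action requirements of steps 7-13."""
    if gateway_kind not in ACTIONS_BY_GATEWAY:
        raise ValueError(f"unknown gateway kind {gateway_kind!r}")
    if action not in ACTIONS_BY_GATEWAY[gateway_kind]:
        raise ValueError(f"{action} is not available on a {gateway_kind} gateway")
    if action in ("SNAT", "NO_SNAT", "REFLEXIVE") and not source:
        raise ValueError(f"Source is required for {action}")
    if action in ("DNAT", "NO_DNAT") and not destination:
        raise ValueError(f"Destination is required for {action}")
    if action == "REFLEXIVE" and destination:
        raise ValueError("Destination is not applicable for REFLEXIVE")
    if action in ("SNAT", "DNAT", "REFLEXIVE") and not translated:
        raise ValueError(f"Translated IP is required for {action}")
    if firewall_match not in FIREWALL_MATCH:
        raise ValueError(f"unknown firewall_match {firewall_match!r}")
    if translated_port is not None and service is None:
        # Step 13: without a Service the port is ignored; refuse rather than silently drop it.
        raise ValueError("Translated Port has no effect unless a Service is set")

    body = {
        "resource_type": "PolicyNatRule",
        "id": rule_id,
        "display_name": rule_id,
        "action": action,
        "enabled": enabled,
        "logging": logging,
        "firewall_match": firewall_match,
        "sequence_number": sequence_number,   # lower value = higher priority (step 17)
    }
    if source:
        body["source_network"] = source
    if destination:
        body["destination_network"] = destination
    if translated:
        body["translated_network"] = translated
    if service:
        body["service"] = service             # policy path of the service, e.g. /infra/services/HTTPS
    if translated_port is not None:
        body["translated_ports"] = str(translated_port)
    if scope:
        body["scope"] = list(scope)           # Apply To (step 14): paths of gateways/interfaces
    return body


def check_priorities(rules):
    """Step 17: each NO_SNAT/NO_DNAT rule must have a lower sequence_number than every
    translating rule; return (exemption id, translating rule id) pairs that violate this."""
    translating = [r for r in rules if r["action"] in ("SNAT", "DNAT", "REFLEXIVE")]
    problems = []
    for r in rules:
        if r["action"] in ("NO_SNAT", "NO_DNAT"):
            for t in translating:
                if r["sequence_number"] >= t["sequence_number"]:
                    problems.append((r["id"], t["id"]))
    return problems


def request_for(gateway_path, rule):
    """Method, URL path and body that realize the rule on NSX Manager (send with any HTTP client)."""
    url = f"/policy/api/v1{gateway_path}/nat/{NAT_SECTION}/nat-rules/{rule['id']}"
    return "PATCH", url, rule


if __name__ == "__main__":
    gw = "/infra/tier-1s/t1-web"  # constructed gateway path
    snat = build_nat_rule("tier-1", "snat-web", "SNAT", source="10.10.0.0/24",
                          translated="203.0.113.10", firewall_match="MATCH_EXTERNAL_ADDRESS",
                          logging=True, sequence_number=100)
    exempt = build_nat_rule("tier-1", "no-snat-mgmt", "NO_SNAT", source="10.10.0.0/24",
                            destination="10.20.0.0/16", sequence_number=10)
    dnat = build_nat_rule("tier-1", "dnat-https", "DNAT", destination="203.0.113.10",
                          translated="10.10.0.5", service="/infra/services/HTTPS",
                          translated_port=8443, sequence_number=100)
    print("SNAT acts as PAT:", is_pat("10.10.0.0/24", "203.0.113.10"))
    print("priority problems:", check_priorities([snat, exempt, dnat]))
    for rule in (exempt, snat, dnat):
        method, url, body = request_for(gw, rule)
        print(method, url)
        print(json.dumps(body, indent=2))
```

The validation mirrors the UI: Source is mandatory for SNAT, NO SNAT and Reflexive, Destination for DNAT and NO DNAT, and a Translated Port without a Service is rejected because the gateway would ignore it. `check_priorities` catches the common mistake of giving an exemption rule a higher sequence number than the rule it should override.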