The NAT flow support in Network Insight is as follows:

  • Currently, Network Insight supports SNAT, DNAT, reflexive rules in the flows and the VM to VM Path for the NSX-V and NSX-T edges only.

  • To obtain all the NAT rules in NSX-T, use the NSX-T Edge NAT Rule query. To obtain all the NAT rules in both NSX-V and NSX-T, use the NAT Rules query.

  • Only the NAT rules that are configured on the uplink interface of the VMware NSX-T Tier router are processed by the VM to VM path. If NAT is configured on any NSX-T Tier router, then it is expected that there are NAT rules for all the VMs attached to the router else the VM to VM path and the path to Internet does not work. Instead, it displays a missing rule message.

  • Network Insight supports the nested NAT hierarchy.

  • Network Insight supports the edges and the tier routers with NAT-defined uplinks.

  • Network Insight supports SNAT rules with range. However, DNAT must be one-to-one mapping between the destination and translated IP addresses (Parity with NSX-V).

  • Network Insight does not support the following use cases:

    1. In NSX-T, NAT rules can be applied at the service level. For example, in NSX-T, L4 ports set is a type of service and the associated protocols can be TCP or UDP. So in the VM-VM path, the service level details are not supported.

    2. Any port level translation is not supported.

    3. The SNAT match destination address and the DNAT match source address are not supported. Use the SNAT match destination address as the destination IP address when you specify the SNAT rule. Use the DNAT match source address as the source IP address when you specify the DNAT rule. For example, if there is a destination IP address mentioned in the SNAT rule, Network Insight applies the SNAT rule irrespective of whether the packet has the destination address as the destination IP address.