If the edge gateway for your vCloud Director organization virtual datacenter has been converted to an advanced edge gateway, you can use the vCloud Director tenant portal to work with that edge gateway's NAT rules. You can create a source NAT (SNAT) rule to change the source IP address from a public to private IP address or the reverse. You can create a destination NAT (DNAT) rule to change the destination IP address from a public to private IP address or the reverse.

About this task

When creating NAT rules, you can specify the original and translated IP addresses by using the following formats:

  • IP address; for example, 192.0.2.0

  • IP address range; for example, 192.0.2.0-192.0.2.24

  • IP address/subnet mask; for example, 192.0.2.0/24

  • any

When you configure an SNAT or a DNAT rule on an edge gateway in the vCloud Director environment, you always configure the rule from the perspective of your organization virtual datacenter. An SNAT rule translates the source IP address of packets sent from an organization virtual datacenter network out to an external network or to another organization virtual datacenter network. A DNAT rule translates the destination IP address, and optionally the destination port, of packets received by an organization virtual datacenter network from an external network or from another organization virtual datacenter network.

Prerequisites

The public IP addresses must have been added to the edge gateway interface on which you want to add the rule: for DNAT rules, the original (public) IP address must already be on the interface, and for SNAT rules, the translated (public) IP address must already be on the interface.

To use the vCloud Director tenant portal to work with an edge gateway's settings, the edge gateway must be converted to an advanced edge gateway. You can do this on the edge gateway in the vCloud Director Web console or from the tenant portal. For details on performing this step from the tenant portal, see Convert an Edge Gateway to an Advanced Edge Gateway.
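The following script is an added example, not VMware code and not something the tenant portal runs; it models the rule semantics described above so that rule definitions can be checked before they are entered in the portal. It parses the four address formats the NAT dialog accepts (single IP, IP range, IP/subnet mask, any), enforces the prerequisite that the public side of a rule (the original address of a DNAT rule, the translated address of an SNAT rule) is already assigned to the interface the rule is applied on, and applies a rule to a sample packet to show which address each rule type rewrites. The interface name, public addresses and packet addresses are constructed sample values.

```python
"""Added example (not VMware's code): validate and simulate vCloud Director
edge gateway NAT rules as described in the tenant portal documentation.
All interface names, addresses and packets below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_address_spec(spec):
    """Parse one of the four address forms the NAT dialog accepts.

    "any" -> None; "a-b" -> inclusive (start, end) tuple; "x/len" -> ip_network;
    a bare address -> ip_address. Anything else raises ValueError.
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return (lo, hi)
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(spec)


def spec_contains(parsed, ip):
    """True if address `ip` is covered by a parsed spec (None means any)."""
    ip = ipaddress.ip_address(ip)
    if parsed is None:
        return True
    if isinstance(parsed, tuple):
        return parsed[0] <= ip <= parsed[1]
    if isinstance(parsed, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ip in parsed
    return ip == parsed


def spec_addresses(parsed):
    """Enumerate the concrete addresses of a spec (not valid for "any")."""
    if parsed is None:
        raise ValueError('"any" has no enumerable addresses')
    if isinstance(parsed, tuple):
        lo, hi = parsed
        return [lo + i for i in range(int(hi) - int(lo) + 1)]
    if isinstance(parsed, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return list(parsed)
    return [parsed]


@dataclass
class NatRule:
    """Fields of the DNAT/SNAT dialog (ports and protocol apply to DNAT only)."""
    kind: str                     # "SNAT" or "DNAT"
    applied_on: str               # edge gateway interface the rule is applied on
    original: str                 # Original IP/Range (DNAT: public; SNAT: private)
    translated: str               # Translated IP/Range (DNAT: private; SNAT: public)
    protocol: str = "any"         # DNAT only: any, tcp, udp, icmp
    original_port: Optional[str] = None
    translated_port: Optional[str] = None
    enabled: bool = True
    logging: bool = False


def validate_rule(rule, interface_public_ips):
    """Check a rule against the prerequisites in the text.

    `interface_public_ips` maps interface name -> set of public addresses already
    added to that interface. Returns (errors, warnings); an empty errors list
    means the rule satisfies the documented prerequisites.
    """
    errors, warnings = [], []
    if rule.kind not in ("SNAT", "DNAT"):
        return [f"unknown rule kind {rule.kind!r}"], warnings
    if rule.applied_on not in interface_public_ips:
        return [f"interface {rule.applied_on!r} does not exist on the edge gateway"], warnings
    try:
        original = parse_address_spec(rule.original)
        translated = parse_address_spec(rule.translated)
    except ValueError as exc:
        return [f"bad address spec: {exc}"], warnings
    # The public side of the rule must already be on the interface:
    # DNAT -> the Original IP, SNAT -> the Translated IP.
    public_side = original if rule.kind == "DNAT" else translated
    if public_side is None:
        errors.append(f'{rule.kind}: the public side of the rule cannot be "any"')
    else:
        assigned = interface_public_ips[rule.applied_on]
        missing = [str(a) for a in spec_addresses(public_side) if str(a) not in assigned]
        if missing:
            errors.append(f"{rule.kind}: public address(es) not on {rule.applied_on}: {missing}")
    if rule.kind == "SNAT":
        if rule.protocol != "any" or rule.original_port or rule.translated_port:
            errors.append("SNAT: protocol and port fields are not part of an SNAT rule")
    elif rule.protocol in ("any", "icmp") and (rule.original_port or rule.translated_port):
        errors.append(f"DNAT: port ranges are not available when protocol is {rule.protocol}")
    if not rule.logging:
        warnings.append("logging disabled: translations by this rule will not be logged")
    return errors, warnings


def translate_packet(rule, src, dst):
    """Apply the rule's direction semantics to one packet's (src, dst) pair.

    SNAT rewrites the source of packets leaving the org VDC network; DNAT rewrites
    the destination of packets arriving from outside. Non-matching or disabled
    rules leave the packet unchanged. A range/subnet original is mapped onto an
    equally sized translated range by offset, or collapsed onto a single address.
    """
    if not rule.enabled:
        return src, dst
    original = parse_address_spec(rule.original)
    translated = parse_address_spec(rule.translated)
    subject = ipaddress.ip_address(src if rule.kind == "SNAT" else dst)
    if not spec_contains(original, subject):
        return src, dst
    if translated is None:
        raise ValueError('cannot translate onto "any"')
    if isinstance(translated, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        new = translated
    else:
        orig_addrs, trans_addrs = spec_addresses(original), spec_addresses(translated)
        if len(orig_addrs) != len(trans_addrs):
            raise ValueError("original and translated ranges differ in size")
        new = trans_addrs[orig_addrs.index(subject)]
    return (str(new), dst) if rule.kind == "SNAT" else (src, str(new))


if __name__ == "__main__":
    # Constructed sample: one external interface with two public addresses.
    interfaces = {"ext-uplink": {"203.0.113.10", "203.0.113.11"}}
    dnat = NatRule("DNAT", "ext-uplink", "203.0.113.10", "10.0.0.5", protocol="tcp",
                   original_port="443", translated_port="8443", logging=True)
    snat = NatRule("SNAT", "ext-uplink", "10.0.0.0/24", "203.0.113.11")
    for r in (dnat, snat):
        print(r.kind, validate_rule(r, interfaces))
    print(translate_packet(dnat, "198.51.100.7", "203.0.113.10"))
    print(translate_packet(snat, "10.0.0.42", "198.51.100.7"))
```

Running the script prints the validation results for both sample rules and then shows the DNAT rule rewriting only the destination of an inbound packet and the SNAT rule rewriting only the source of an outbound one; a rule whose public address is not yet on the interface is reported as an error, matching the prerequisite above.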

Procedure

  1. Launch Edge Gateway Services by completing the following steps.
    1. Click Network > Edge Gateway.
    2. Select the edge gateway to edit, and click Configure Services.

      The tenant portal opens Edge Gateway Services.

  2. Click NAT to view the NAT Rules screen.
  3. Depending on which type of NAT rule you are creating, click + DNAT RULE or + SNAT RULE.

    The rule configuration dialog box appears.

  4. Depending on which type of NAT rule you are creating, complete the following options:

    Destination NAT (DNAT) (outside coming inside)

    Option

    Description

    Applied On

    Select the interface on which to apply the rule.

    Original IP/Range

    This address must be the public IP address of the edge gateway for which you are configuring the DNAT rule. Type the required IP address.

    In the packets being inspected, this IP address or range is the one that appears as the packet's destination IP address. Those destination addresses are what this DNAT rule translates.

    Protocol

    Select the protocol to which the rule applies. To apply this rule on all protocols, select Any.

    Original Port/Range

    (Optional) Select the port or port range that incoming traffic uses on the edge gateway to reach the internal network to which the virtual machines are connected. This selection is not available when the Protocol is set to ICMP or Any.

    ICMP Type

    When you select ICMP (an error-reporting and diagnostic protocol used between devices to communicate error information) for Protocol, select the ICMP Type from the drop-down menu. ICMP messages are identified by their type field. By default, the ICMP type is set to any.

    Translated IP/Range

    Type the IP address or a range of IP addresses to which destination addresses on inbound packets will be translated.

    These addresses are the IP addresses of the one or more virtual machines for which you are configuring DNAT so that they can receive traffic from the external network.

    Translated Port/Range

    (Optional) Select the port or port range to which inbound traffic connects on the virtual machines on the internal network. These are the ports to which the DNAT rule translates the destination port of packets inbound to the virtual machines.

    Description

    (Optional) Type a description that helps identify what this rule is doing.

    Enabled

    Toggle on to enable this rule.

    Enable logging

    Toggle on to have the address translation performed by this rule logged.

    Source NAT (SNAT) (inside going outside)

    Option

    Description

    Applied On

    Select the interface on which to apply the rule.

    Original Source IP/Range

    Type the original IP address or range of IP addresses to apply to this rule.

    These addresses are the IP addresses of the one or more virtual machines for which you are configuring the SNAT rule so that they can send traffic to the external network.

    Translated Source IP/Range

    This address is always the public IP address of the gateway for which you are configuring the SNAT rule. Type the required IP address.

    Specifies the IP address to which the source addresses (the virtual machines' addresses) of outbound packets are translated when they send traffic to the external network.

    Description

    (Optional) Type a description that helps identify what this rule is doing.

    Enabled

    Toggle on to enable this rule.

    Enable logging

    Toggle on to have the address translation performed by this rule logged.

  5. Click Keep to add the rule to the on-screen table.
  6. Repeat the steps to configure additional rules.
  7. When you are finished adding rules, click Save changes to save them to the system.

What to do next

Add corresponding edge gateway firewall rules for the SNAT or DNAT rules you just configured. See Add an Edge Gateway Firewall Rule Using the Tenant Portal.