In this blog post, we are going to see how NAT works in NSX-T. Setting up NAT as a service is fairly easy in NSX.
In NSX-T, NAT can be configured on both Tier-0 and Tier-1 gateways, and the two have different use cases. SNAT and DNAT are stateful, so the gateway that applies them must run its service router in Active-Standby mode; on a Tier-0 that means giving up ECMP towards the upstream routers. If you want to keep the Tier-0 edge nodes Active-Active (and keep ECMP), the only NAT type available on the Tier-0 is Reflexive (stateless) NAT. In an Active-Standby configuration you can use SNAT and DNAT rules on both Tier-0 and Tier-1 gateways.
Different types of NAT rules:
- Source NAT (SNAT)
- Destination NAT (DNAT)
- Reflexive NAT or Stateless NAT
Here is my topology:
I have enabled NAT on prod-t1-gw and am going to create SNAT and DNAT rules for the VMs on the web-ls segment.
Let's first look at the routes on the external router (VyOS). These are the routes before any NAT configuration:
```
vyos@vyosrouter:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

C>* 127.0.0.0/8 is directly connected, lo
B>* 172.16.2.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
B>* 172.16.3.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
B>* 172.16.4.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
C>* 172.16.10.0/24 is directly connected, eth0
C   * 192.168.200.0/24 is directly connected, eth1
C>* 192.168.200.0/24 is directly connected, eth2
```
The Tier-0 SR forwarding table before NAT configuration is shown below (the 172.16.x.0/24 segments are reached via 100.64.96.1, the Tier-1's address on the Tier-0/Tier-1 transit link):
```
edge-1(tier0_sr)> get forwarding
IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                   Gateway MAC
100.64.96.0/32                      route  a886e184-5631-50e2-b534-1f3a7f1d4a8b
100.64.96.0/31                      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
127.0.0.1/32                        route  112bbaa4-953d-4d6f-b619-96d080e28638
169.254.0.0/24                      route  f40358da-2bad-4dba-8647-56976c69412a
169.254.0.1/32                      route  a886e184-5631-50e2-b534-1f3a7f1d4a8b
169.254.0.2/32                      route  7d690a58-92fc-502e-a730-6134ff163716
172.16.2.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.3.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.4.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.10.0/24     192.168.200.20   route  03a72d90-1566-4ea0-b0f9-e968b82f6918   00:50:56:bb:44:32
192.168.200.0/24                    route  03a72d90-1566-4ea0-b0f9-e968b82f6918
192.168.200.2/32                    route  7d690a58-92fc-502e-a730-6134ff163716
```
Step 1: Go to Networking > Tier-1 Gateways and add an edge cluster to prod-t1-gw. SNAT and DNAT are stateful services, so the Tier-1 needs a service router, and that only exists on an edge node. Expand Route Advertisement and enable All NAT IP's. Save and close editing.
Step 2: Connect the web-ls segment to prod-t1-gw. Two VMs are attached to this segment: webvm and webvm2.
Step 3: Go to Networking > Network Services > NAT. Here we configure the NAT rules on the prod-t1-gw uplink. Select prod-t1-gw as the gateway and, under View, choose NAT or NAT64; for this demo I am choosing NAT.
Step 4: Create the SNAT rule with a source IP and a translated IP. In my case the source IP 172.16.4.5 belongs to webvm on the web-ls segment and is translated to 22.214.171.124 for outbound traffic to any destination.
Step 5: Create the DNAT rule with the public IP 126.96.36.199 as the destination (treat it as public for demo purposes), translated to the private IP 172.16.4.5. Note that a DNAT rule with no Service set forwards every port of the public IP to the VM; in anything other than a lab, restrict the rule to the service you actually expose and keep the gateway firewall in front of it.
Step 6: Verify that both rules were created successfully. To reiterate: these SNAT and DNAT rules are applied on the Tier-1 uplink.
Note: make sure the NAT IP routes are advertised by the Tier-1 (Route Advertisement, All NAT IP's) and redistributed by the Tier-0 into BGP (Route Re-distribution, Tier-1 NAT IP). If either half is missing, the NAT /32 never reaches the upstream router and the public IP is unreachable from outside.
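The same six steps driven through the NSX-T Policy API instead of the UI, as an added example that is not part of the original post. It builds the PATCH payloads for the Tier-1 edge cluster, Tier-1 route advertisement, the SNAT and DNAT rules, and the Tier-0 route redistribution as plain functions (so they can be inspected offline), and `apply()` sends them in order. The manager hostname, the edge-cluster UUID, the locale-services ID `default`, the rule IDs and the use of the gateway names as policy IDs are assumptions; the endpoint paths and field names are those of the NSX-T 3.x Policy API, and the addresses are the ones used in the post.

```python
import base64
import json
import ssl
import urllib.request

# --- Assumptions (placeholders, not from the post) --------------------------
NSX_MANAGER = "nsx-manager.example.local"
EDGE_CLUSTER_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical UUID
LOCALE_SERVICES_ID = "default"   # assumed; confirm with GET .../locale-services
T1_ID = "prod-t1-gw"             # the post's gateway names, used as policy IDs
T0_ID = "T0-Prod-GW"
# --- Values from the post -----------------------------------------------------
WEBVM_IP = "172.16.4.5"
NAT_IP = "22.214.171.124"        # the post's demo "public" IP

def t1_locale_services_payload(edge_cluster_id):
    """Step 1: attach an edge cluster so the T1 gets a service router (stateful NAT needs one)."""
    return {"edge_cluster_path":
            f"/infra/sites/default/enforcement-points/default/edge-clusters/{edge_cluster_id}"}

def t1_route_advertisement_payload():
    """Step 1 (cont.): 'All NAT IP's' plus connected segments, advertised to the T0."""
    return {"route_advertisement_types": ["TIER1_CONNECTED", "TIER1_NAT"]}

def snat_rule_payload(internal_ip, nat_ip):
    """Step 4: SNAT webvm -> NAT_IP for any destination (no destination_network)."""
    return {
        "action": "SNAT",
        "source_network": internal_ip,
        "translated_network": nat_ip,
        "enabled": True,
        "logging": True,
        # Gateway firewall sees the packet on its internal (pre-NAT) address.
        "firewall_match": "MATCH_INTERNAL_ADDRESS",
    }

def dnat_rule_payload(nat_ip, internal_ip, service_path=None):
    """Step 5: DNAT NAT_IP -> webvm. Without `service` every port on NAT_IP is
    forwarded to the VM, so pass e.g. the built-in /infra/services/HTTPS."""
    rule = {
        "action": "DNAT",
        "destination_network": nat_ip,
        "translated_network": internal_ip,
        "enabled": True,
        "logging": True,
        "firewall_match": "MATCH_INTERNAL_ADDRESS",
    }
    if service_path:
        rule["service"] = service_path
    return rule

def t0_redistribution_payload():
    """The post's note: the T0 must redistribute TIER1_NAT into BGP or the upstream never learns the /32."""
    return {"route_redistribution_config": {
        "enabled": True,
        "redistribution_rules": [{
            "name": "t1-nat-and-connected",
            "route_redistribution_types": ["TIER1_CONNECTED", "TIER1_NAT"],
        }],
    }}

def plan():
    """Ordered (method, path, body) calls; the edge cluster must be attached first."""
    t1 = f"/policy/api/v1/infra/tier-1s/{T1_ID}"
    t0 = f"/policy/api/v1/infra/tier-0s/{T0_ID}"
    return [
        ("PATCH", f"{t1}/locale-services/{LOCALE_SERVICES_ID}", t1_locale_services_payload(EDGE_CLUSTER_ID)),
        ("PATCH", t1, t1_route_advertisement_payload()),
        ("PATCH", f"{t1}/nat/USER/nat-rules/webvm-snat", snat_rule_payload(WEBVM_IP, NAT_IP)),
        ("PATCH", f"{t1}/nat/USER/nat-rules/webvm-dnat",
                  dnat_rule_payload(NAT_IP, WEBVM_IP, "/infra/services/HTTPS")),
        ("PATCH", f"{t0}/locale-services/{LOCALE_SERVICES_ID}", t0_redistribution_payload()),
    ]

def apply(user, password, ca_bundle=None):
    """Send the plan over TLS with basic auth; returns the HTTP status per call.
    Pass the manager's CA bundle instead of disabling certificate verification."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    statuses = []
    for method, path, body in plan():
        req = urllib.request.Request(
            f"https://{NSX_MANAGER}{path}", data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses.append(resp.status)
    return statuses

if __name__ == "__main__":
    # Dry run: print what would be sent, without touching a manager.
    for method, path, body in plan():
        print(method, path, json.dumps(body))
```

Run it without arguments to print the plan; call `apply("admin", password, "/path/to/nsx-ca.pem")` to push it. PATCH merges into the existing objects, so the Tier-1's existing `tier0_path` and the UI-created rules are left alone.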
Open a PuTTY session to the edge node and look at the Tier-0 routes: the NAT route has been added.
On the Tier-0 SR, the NAT IP now appears as a /32 in the forwarding table, with the Tier-1's transit address (100.64.96.1) as the next hop:
```
edge-1(tier0_sr)> get forwarding
Wed Jan 20 2021 UTC 07:12:59.563
Logical Router
UUID                                   VRF    LR-ID   Name            Type
4eaa9cb3-7c78-433b-92ce-060ab0f309e6   1      1027    SR-T0-Prod-GW   SERVICE_ROUTER_TIER0

IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                   Gateway MAC
188.8.131.52/32    100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6   02:50:56:56:44:55
```
On the external router, the NAT /32 has been learned via BGP, with both edge uplinks (192.168.200.2 and 192.168.200.4) as ECMP next hops:
```
vyos@vyosrouter:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

B>* 184.108.40.206/32 [20/0] via 192.168.200.4, eth2, 00:03:45
  *                          via 192.168.200.2, eth2, 00:03:45
```
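The two checks above (the NAT /32 pointing at the Tier-1 on the Tier-0 SR, and the same /32 in the upstream BGP table with every edge uplink as a next hop) are done by eye in the post. The following is an added example, not code from the post, that parses both CLI outputs and performs those checks, so they can be scripted after a change. The sample `get forwarding` and `sh ip route` captures are constructed to mirror the post's output and use the post's SNAT address 22.214.171.124 as the NAT IP in both tables; the transit address 100.64.96.1 and uplinks 192.168.200.2/.4 are taken from the post.

```python
import re

IPV4 = r"\d+(?:\.\d+){3}"

# Constructed sample: a Tier-0 SR forwarding table in the format of `get forwarding`.
EDGE_FWD = """\
edge-1(tier0_sr)> get forwarding
IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                   Gateway MAC
100.64.96.0/31                      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.4.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
22.214.171.124/32  100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6   02:50:56:56:44:55
172.16.10.0/24     192.168.200.20   route  03a72d90-1566-4ea0-b0f9-e968b82f6918   00:50:56:bb:44:32
"""

# Constructed sample: VyOS `sh ip route` with the NAT /32 learned via BGP over two uplinks.
VYOS_ROUTES = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

C>* 127.0.0.0/8 is directly connected, lo
B>* 22.214.171.124/32 [20/0] via 192.168.200.4, eth2, 00:03:45
  *                          via 192.168.200.2, eth2, 00:03:45
B>* 172.16.4.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
C>* 192.168.200.0/24 is directly connected, eth2
"""

def edge_forwarding_entries(text):
    """Parse `get forwarding` into {prefix: gateway_ip or None} (None = locally attached)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(rf"^\s*({IPV4}/\d+)\s+(?:({IPV4})\s+)?route\s+[0-9a-f-]{{36}}", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def vyos_bgp_nexthops(text, prefix):
    """Return every BGP next hop for `prefix`: the selected one (B>*) and ECMP siblings (*)."""
    hops, current = [], None
    for line in text.splitlines():
        m = re.match(rf"^B>\*\s+(\S+)\s+\[\d+/\d+\]\s+via\s+({IPV4})", line)
        if m:
            current = m.group(1)
            if current == prefix:
                hops.append(m.group(2))
        elif re.match(r"^[A-Z]", line):          # any other route or header line ends the entry
            current = None
        else:
            m = re.match(rf"^\s*\*\s+via\s+({IPV4})", line)   # continuation line: extra ECMP path
            if m and current == prefix:
                hops.append(m.group(1))
    return hops

def check_nat_route(nat_ip, edge_fwd, vyos_routes, t1_transit_ip, edge_uplinks):
    """Return a list of problems (empty means the NAT IP is reachable end to end):
    the /32 must point at the T1 transit address on the T0 SR, and the upstream
    router must hold it via BGP with every edge uplink as a next hop."""
    problems = []
    prefix = f"{nat_ip}/32"
    gw = edge_forwarding_entries(edge_fwd).get(prefix, "missing")
    if gw != t1_transit_ip:
        problems.append(f"T0 SR: {prefix} -> {gw}, expected {t1_transit_ip} "
                        "(Tier-1 not advertising NAT IPs, or edge cluster missing?)")
    hops = vyos_bgp_nexthops(vyos_routes, prefix)
    if sorted(hops) != sorted(edge_uplinks):
        problems.append(f"upstream: {prefix} via {hops or 'nothing'}, expected {edge_uplinks} "
                        "(Tier-0 not redistributing Tier-1 NAT IPs?)")
    return problems

if __name__ == "__main__":
    result = check_nat_route("22.214.171.124", EDGE_FWD, VYOS_ROUTES,
                             "100.64.96.1", ["192.168.200.2", "192.168.200.4"])
    print("OK" if not result else "\n".join(result))
```

Feed it the real captures (for example via `ssh admin@edge-1 'get forwarding'` and `ssh vyos@vyosrouter 'sh ip route'`) and a non-empty result tells you which of the two advertisement settings from the note above is missing.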
Finally, from my external network (test-machine) I am able to reach 220.127.116.11. This shows that NAT is working and that the destination is translated to the web server hosted on the web-ls segment.
Outbound: when webvm sends traffic to vyos-testvm (client network), the source IP 172.16.4.5 is translated to 18.104.22.168 at the Tier-1 uplink, and vyos-testvm sees 22.214.171.124 as the source IP.
Inbound: client traffic (from vyos-testvm) destined for 126.96.36.199 has its destination IP translated to 172.16.4.5 at the Tier-1 uplink and is then forwarded to webvm.
I have also tested the SNAT and DNAT rules from VMs on my two other segments, db-ls and app-ls (see the topology above).
appvm is connected to app-ls and dbvm to db-ls. When they ping the destination IP 188.8.131.52, the traffic reaches 172.16.4.5 (see the ping replies).
In this case traffic destined for 184.108.40.206 reaches the Tier-1 gateway, where the SR translates the destination to the internal private address 172.16.4.5 and then routes it to webvm over Geneve.
Thank you and happy learning!!