Configuring NAT services in NSX-T

In this blog post, we are going to see how NAT works in NSX-T. Setting up NAT as a service is fairly easy in NSX.

In NSX-T, you can configure NAT on Tier-0 and Tier-1 gateways. The two have different use cases: on a Tier-0 gateway you can only use Reflexive NAT if you want to leverage ECMP to the upstream routers, because that requires the Edge nodes to be in an Active-Active configuration. In an Active-Standby configuration, you can use SNAT and DNAT rules on both Tier-0 and Tier-1 gateways.

Different types of NAT rules:

  • Source NAT (SNAT)
  • Destination NAT (DNAT)
  • Reflexive NAT or Stateless NAT

Here is my topology:

I have enabled NAT on prod-t1-gw and am going to create SNAT and DNAT rules for the VMs on the web-ls segment.

Let's look at the external router's routes (vyos). I am showing these routes before the NAT configuration.

vyos@vyosrouter:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

C>* 127.0.0.0/8 is directly connected, lo
B>* 172.16.2.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
B>* 172.16.3.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
B>* 172.16.4.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
C>* 172.16.10.0/24 is directly connected, eth0
C * 192.168.200.0/24 is directly connected, eth1
C>* 192.168.200.0/24 is directly connected, eth2

Tier-0 routes are shown below:

edge-1(tier0_sr)> get forwarding

IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                  Gateway MAC
100.64.96.0/32                      route  a886e184-5631-50e2-b534-1f3a7f1d4a8b
100.64.96.0/31                      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
127.0.0.1/32                        route  112bbaa4-953d-4d6f-b619-96d080e28638
169.254.0.0/24                      route  f40358da-2bad-4dba-8647-56976c69412a
169.254.0.1/32                      route  a886e184-5631-50e2-b534-1f3a7f1d4a8b
169.254.0.2/32                      route  7d690a58-92fc-502e-a730-6134ff163716
172.16.2.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.3.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.4.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.10.0/24     192.168.200.20   route  03a72d90-1566-4ea0-b0f9-e968b82f6918  00:50:56:bb:44:32
192.168.200.0/24                    route  03a72d90-1566-4ea0-b0f9-e968b82f6918
192.168.200.2/32                    route  7d690a58-92fc-502e-a730-6134ff163716

Step 1: Go to Networking > Tier-1 Gateways and add an edge cluster to prod-t1-gw. Expand Route Advertisement and enable All NAT IPs. Click Save and close editing.

Step 2: Connect the web-ls segment to prod-t1-gw. I have two VMs attached to this segment, webvm and webvm2.

Step 3: Go to Networking > Network Services > NAT. In this section we are going to configure NAT rules on the prod-t1-gw uplinks. First choose prod-t1-gw, then under View choose NAT or NAT64; for this demo I am choosing NAT.

Step 4: Create an SNAT rule with the source IP and the translated IP. In my case the source IP 172.16.4.5 belongs to webvm, connected to the web-ls segment, and is translated to 30.30.30.2 when going outbound to any network.

Step 5: Create a DNAT rule with the public IP 30.30.30.2 (treat it as public for demo purposes) as the destination, translated to the private IP 172.16.4.5.

Step 6: Verify that both rules have been configured successfully. To reiterate, these SNAT and DNAT rules are configured on the Tier-1 uplinks.

Note: Make sure to advertise NAT IP routes on both the Tier-1 and the Tier-0 gateway in the Route Advertisement section.
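The same Tier-1 SNAT/DNAT setup expressed against the NSX-T Policy API, as an added example that is not from the original post: it builds the PATCH requests for the route advertisement and the two rules and refuses an inconsistent pair before anything is pushed (it does not send them). The manager hostname and the rule IDs webvm-snat/webvm-dnat are assumed placeholders.

```python
import ipaddress
import json
from typing import Any

NSX_MANAGER = "https://nsx-manager.example.invalid"  # assumed placeholder host
TIER1 = "prod-t1-gw"                                 # Tier-1 gateway from the post
WEB_SEGMENT = ipaddress.ip_network("172.16.4.0/24")  # web-ls segment
WEBVM_IP = "172.16.4.5"                              # webvm private address
PUBLIC_IP = "30.30.30.2"                             # demo "public" address

def nat_rule_url(tier1: str, rule_id: str) -> str:
    # Policy API path for user-defined NAT rules on a Tier-1 gateway
    return f"{NSX_MANAGER}/policy/api/v1/infra/tier-1s/{tier1}/nat/USER/nat-rules/{rule_id}"

def snat_rule(src: str, translated: str) -> dict[str, Any]:
    # Outbound: traffic from src leaves the Tier-1 uplink as translated; logging on for auditability
    return {"action": "SNAT", "source_network": src, "translated_network": translated,
            "enabled": True, "logging": True, "firewall_match": "MATCH_INTERNAL_ADDRESS"}

def dnat_rule(public: str, translated: str) -> dict[str, Any]:
    # Inbound: public is rewritten to translated before routing; gateway firewall sees the pre-NAT address
    return {"action": "DNAT", "destination_network": public, "translated_network": translated,
            "enabled": True, "logging": True, "firewall_match": "MATCH_EXTERNAL_ADDRESS"}

def route_advertisement() -> dict[str, Any]:
    # Same effect as enabling "All NAT IPs" under Route Advertisement: without
    # TIER1_NAT the 30.30.30.2/32 never reaches the Tier-0 or the BGP peer
    return {"route_advertisement_types": ["TIER1_CONNECTED", "TIER1_NAT"]}

def check_pair(snat: dict[str, Any], dnat: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    if snat["translated_network"] != dnat["destination_network"]:
        problems.append("SNAT translated IP differs from DNAT public IP")
    if snat["source_network"] != dnat["translated_network"]:
        problems.append("DNAT does not translate back to the SNAT source")
    if ipaddress.ip_address(snat["translated_network"]) in WEB_SEGMENT:
        problems.append("translated IP overlaps the web-ls segment")
    return problems

def build_requests() -> list[tuple[str, str, str]]:
    """(method, url, json body) in apply order; refuses an inconsistent pair."""
    snat, dnat = snat_rule(WEBVM_IP, PUBLIC_IP), dnat_rule(PUBLIC_IP, WEBVM_IP)
    problems = check_pair(snat, dnat)
    if problems:
        raise ValueError("; ".join(problems))
    return [("PATCH", f"{NSX_MANAGER}/policy/api/v1/infra/tier-1s/{TIER1}",
             json.dumps(route_advertisement())),
            ("PATCH", nat_rule_url(TIER1, "webvm-snat"), json.dumps(snat)),
            ("PATCH", nat_rule_url(TIER1, "webvm-dnat"), json.dumps(dnat))]
```

Send each triple with your HTTP client of choice using the manager's credentials; the route advertisement PATCH goes first so the /32 is propagated as soon as the rules exist.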

Open a PuTTY session to the edge node and look at the Tier-0 routes; the NAT route has been added.

In the Tier-0 forwarding table, the NAT route is present:

edge-1(tier0_sr)> get forwarding
Wed Jan 20 2021 UTC 07:12:59.563
Logical Router
UUID                                  VRF  LR-ID  Name            Type
4eaa9cb3-7c78-433b-92ce-060ab0f309e6  1    1027   SR-T0-Prod-GW   SERVICE_ROUTER_TIER0
IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                  Gateway MAC
30.30.30.2/32      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6  02:50:56:56:44:55

On the external router, the NAT route has been learned via BGP.

vyos@vyosrouter:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

B>* 30.30.30.2/32 [20/0] via 192.168.200.4, eth2, 00:03:45
                                               * via 192.168.200.2, eth2, 00:03:45

Finally, from my external network (test-machine), I am able to reach 30.30.30.2. This shows that NAT is working and that the destination is translated to the web server hosted on the web-ls segment.

When webvm traffic goes out to vyos-testvm (client network), the source IP 172.16.4.5 is translated to 30.30.30.2 at the Tier-1 uplink, and vyos-testvm sees 30.30.30.2 as the source IP.

When client traffic (vyos-testvm in this case) comes inbound to 30.30.30.2, its destination IP is translated to 172.16.4.5 at the Tier-1 uplink and then forwarded to webvm.


I have also tested the SNAT and DNAT rules with VMs on the other segments. I have two other segments, db-ls and app-ls (see the topology above).

appvm is connected to app-ls and dbvm is connected to db-ls. When I try to reach the destination IP 30.30.30.2 from them, traffic reaches 172.16.4.5 (see the ping replies).

So, in this case traffic destined to 30.30.30.2 reaches the Tier-1 gateway, where the SR translates the IP address to the internal private address 172.16.4.5 and then routes the traffic to webvm over Geneve.


Thank you and happy learning!!
