Configuring NAT services in NSX-T

In this blog post we are going to see how NAT works in NSX-T. Setting up NAT as a service is fairly easy in NSX-T.

In NSX-T, you can configure NAT on Tier-0 and Tier-1 gateways, and the two have different use cases. On a Tier-0 gateway you can only use Reflexive (stateless) NAT if you want to leverage ECMP to the upstream routers, because ECMP requires the Edge nodes to run in Active-Active mode and stateful NAT needs a single active service router to hold the flow state. In Active-Standby mode you can use stateful SNAT and DNAT rules on both Tier-0 and Tier-1 gateways.

Different types of NAT rules:

  • Source NAT (SNAT)
  • Destination NAT (DNAT)
  • Reflexive NAT or Stateless NAT

Here is my topology:

I have enabled NAT on prod-t1-gw and am going to create SNAT and DNAT rules for the VMs on the web-ls segment.

Let's look at the routes on the external router (VyOS). These are the routes before any NAT configuration:

vyos@vyosrouter:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

C>* 127.0.0.0/8 is directly connected, lo
B>* 172.16.2.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
B>* 172.16.3.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
B>* 172.16.4.0/24 [20/0] via 192.168.200.2, eth2, 13:34:53
  *                      via 192.168.200.4, eth2, 13:34:53
C>* 172.16.10.0/24 is directly connected, eth0
C * 192.168.200.0/24 is directly connected, eth1
C>* 192.168.200.0/24 is directly connected, eth2

Tier 0 routes are shown below:

edge-1(tier0_sr)> get forwarding

IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                  Gateway MAC
100.64.96.0/32                      route  a886e184-5631-50e2-b534-1f3a7f1d4a8b
100.64.96.0/31                      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
127.0.0.1/32                        route  112bbaa4-953d-4d6f-b619-96d080e28638
169.254.0.0/24                      route  f40358da-2bad-4dba-8647-56976c69412a
169.254.0.1/32                      route  a886e184-5631-50e2-b534-1f3a7f1d4a8b
169.254.0.2/32                      route  7d690a58-92fc-502e-a730-6134ff163716
172.16.2.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.3.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.4.0/24      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6
172.16.10.0/24     192.168.200.20   route  03a72d90-1566-4ea0-b0f9-e968b82f6918  00:50:56:bb:44:32
192.168.200.0/24                    route  03a72d90-1566-4ea0-b0f9-e968b82f6918
192.168.200.2/32                    route  7d690a58-92fc-502e-a730-6134ff163716

Step 1: Go to Networking > Tier-1 Gateways and attach an Edge cluster to prod-t1-gw (NAT is a stateful service, so the Tier-1 needs a service router, and therefore an Edge cluster). Expand Route Advertisement and enable All NAT IP's. Click Save and close editing.

Step 2: Connect the web-ls segment to prod-t1-gw. I have two VMs attached to this segment, webvm and webvm2.

Step 3: Go to Networking > Network Services > NAT. In this section we are going to configure NAT rules on the prod-t1-gw uplink. First choose prod-t1-gw as the gateway and, under View, choose NAT or NAT64; for this demo I am choosing NAT.

Step 4: Create an SNAT rule with a source IP and a translated IP. In my case the source IP 172.16.4.5 belongs to webvm on the web-ls segment and is translated to 30.30.30.2 for outbound traffic to any destination.

Step 5: Create a DNAT rule with the public IP 30.30.30.2 (treat it as public for the demo) as the destination and the private IP 172.16.4.5 as the translated IP. Be aware that a DNAT rule with no Service attached exposes every port of webvm through 30.30.30.2; outside a lab, restrict the rule to the service you actually publish and back it with a Gateway Firewall rule.

Step 6: Verify that both rules have been created successfully. To reiterate, these SNAT and DNAT rules are applied on the Tier-1 uplink.

Note: Make sure NAT IP routes are advertised on the Tier-1 (Route Advertisement > All NAT IP's) and redistributed into BGP on the Tier-0 (Route Re-distribution > Tier-1 Subnets > NAT IP); otherwise the /32 for 30.30.30.2 never reaches the external router.
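The six steps above are UI clicks; the same change expressed against the NSX-T Policy API is easier to review and to keep under version control. The following Python is an added example and is not code from this post or from VMware. Paths and field names follow the NSX-T 3.x Policy API as I know it (check the API guide for your version); the manager URL, the credentials, the Tier-0 and locale-service IDs, the rule IDs web-snat and web-dnat, and the /infra/services/HTTPS path are assumptions. It also departs from the post in one place: the DNAT rule carries a Service, so only HTTPS rather than every port on webvm is reachable through 30.30.30.2.

```python
"""NSX-T Policy API calls behind Steps 1-6 (added example, not code from the
original post or from VMware). Paths and field names follow the NSX-T 3.x
Policy API; the manager URL, credentials, Tier-0 and locale-service IDs,
rule IDs and the HTTPS service path are assumed."""
import base64
import json
import ssl
import urllib.request
from ipaddress import ip_address, ip_network

MANAGER = "https://nsx-manager.example.invalid"                   # assumed
T1_ID, T0_ID, T0_LOCALE = "prod-t1-gw", "t0-prod-gw", "default"   # assumed IDs
WEB_SEGMENT = ip_network("172.16.4.0/24")                         # web-ls (post)


def tier1_route_advertisement(t1_id=T1_ID):
    """Step 1: 'All NAT IP's' on the Tier-1. PATCH replaces this list, so
    include every type that is already enabled (here: connected segments)."""
    return ("PATCH", f"/policy/api/v1/infra/tier-1s/{t1_id}",
            {"route_advertisement_types": ["TIER1_CONNECTED", "TIER1_NAT"]})


def nat_rule(t1_id, rule_id, action, source=None, destination=None,
             translated=None, service=None, sequence=0):
    """Steps 4-5: one PolicyNatRule in the USER NAT section of the Tier-1."""
    for addr in (source, destination, translated):
        if addr is not None:
            ip_address(addr)        # ValueError on a typo such as 30.30.30.256
    if action == "DNAT" and ip_address(translated) not in WEB_SEGMENT:
        raise ValueError(f"DNAT target {translated} is not on web-ls")
    body = {
        "resource_type": "PolicyNatRule",
        "display_name": rule_id,
        "action": action,           # SNAT, DNAT, REFLEXIVE, NO_SNAT, NO_DNAT
        "enabled": True,
        "logging": True,            # NAT logs are cheap evidence in an incident
        "sequence_number": sequence,
        # Gateway firewall rules match the external address: the pre-DNAT
        # destination and the post-SNAT source.
        "firewall_match": "MATCH_EXTERNAL_ADDRESS",
        "translated_network": translated,
    }
    if source:
        body["source_network"] = source
    if destination:
        body["destination_network"] = destination
    if service:                     # Service path limits the rule to one port
        body["service"] = service
    path = f"/policy/api/v1/infra/tier-1s/{t1_id}/nat/USER/nat-rules/{rule_id}"
    return ("PATCH", path, body)


def tier0_redistribute_t1_nat(t0_id=T0_ID, locale=T0_LOCALE):
    """The note after Step 6: Tier-1 NAT IPs must be redistributed into BGP."""
    return ("PATCH",
            f"/policy/api/v1/infra/tier-0s/{t0_id}/locale-services/{locale}",
            {"route_redistribution_config": {
                "bgp_enabled": True,
                "redistribution_rules": [{
                    "name": "t1-nat-and-connected",
                    "route_redistribution_types": ["TIER1_NAT", "TIER1_CONNECTED"]}]}})


def plan():
    """The whole change set, in the order the post applies it."""
    return [
        tier1_route_advertisement(),
        nat_rule(T1_ID, "web-snat", "SNAT", source="172.16.4.5",
                 translated="30.30.30.2", sequence=10),
        # Unlike the post's rule, this DNAT is limited to HTTPS, not every port.
        nat_rule(T1_ID, "web-dnat", "DNAT", destination="30.30.30.2",
                 translated="172.16.4.5", service="/infra/services/HTTPS",
                 sequence=20),
        tier0_redistribute_t1_nat(),
    ]


def send(method, path, body, user, password, verify_tls=True):
    """Issue one call with basic auth. Disable TLS verification only against
    a lab manager with a self-signed certificate, never in production."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        MANAGER + path, method=method, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    for method, path, body in plan():          # dry run: print, do not send
        print(method, path, json.dumps(body, indent=2))
```

Running the file prints the PATCH calls without sending them; pass each tuple to send() with your credentials to apply them. The Policy API treats PATCH declaratively, so re-running the plan is safe, and the DNAT validation refuses a translated address that is not on the web-ls subnet before anything reaches the manager.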

Open an SSH (PuTTY) session to the Edge node and look at the Tier-0 forwarding table: the NAT route has been added to the Tier-0 SR.

edge-1(tier0_sr)> get forwarding
Wed Jan 20 2021 UTC 07:12:59.563
Logical Router
UUID                                   VRF   LR-ID   Name            Type
4eaa9cb3-7c78-433b-92ce-060ab0f309e6   1     1027    SR-T0-Prod-GW   SERVICE_ROUTER_TIER0

IPv4 Forwarding Table
IP Prefix          Gateway IP       Type   UUID                                  Gateway MAC
30.30.30.2/32      100.64.96.1      route  902e3dcc-dcf7-4d23-8648-e67be64a69e6  02:50:56:56:44:55

On the external router, the 30.30.30.2/32 NAT route has been learned via BGP, with both Edge nodes as next hops:

vyos@vyosrouter:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

B>* 30.30.30.2/32 [20/0] via 192.168.200.4, eth2, 00:03:45
  *                      via 192.168.200.2, eth2, 00:03:45

Finally, from my external network (test-machine) I am able to reach 30.30.30.2. This shows that NAT is working and that traffic is translated to the destination web server hosted on the web-ls segment.

When webvm sends traffic out to vyos-testvm (the client network), its source IP 172.16.4.5 is translated to 30.30.30.2 at the Tier-1 uplink, so vyos-testvm sees 30.30.30.2 as the source IP.

When the client (vyos-testvm) sends traffic inbound to 30.30.30.2, the destination IP is translated to 172.16.4.5 at the Tier-1 uplink and the packet is then forwarded to webvm.
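To make these two flows concrete, and to show why the SNAT/DNAT in this post needs an Active-Standby gateway while Reflexive NAT does not (the point made at the start of the post), here is a small Python model of both. It is an added example, not code from this post or from NSX-T, and it goes one step beyond the post: it puts webvm2 (assumed address 172.16.4.6) behind the same NAT IP, which is what forces port rewriting and therefore per-flow state. The client address 10.0.0.9 and all port numbers are constructed.

```python
"""Stateful SNAT/DNAT with a flow table versus stateless Reflexive NAT.
Added example, not code from the original post or from NSX-T. webvm
(172.16.4.5) and the NAT IP (30.30.30.2) come from the post; webvm2's
address 172.16.4.6, the client 10.0.0.9 and all ports are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport")


def reply(p):
    """The packet the far end sends back: addresses and ports swapped."""
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)


class ReflexiveNat:
    """Stateless 1:1 NAT, the only kind an Active-Active Tier-0 can run: every
    packet is rewritten from the rule alone, so any Edge node can handle it."""

    def __init__(self, internal_ip, external_ip):
        self.internal, self.external = internal_ip, external_ip

    def outbound(self, p):
        return p._replace(src=self.external) if p.src == self.internal else p

    def inbound(self, p):
        return p._replace(dst=self.internal) if p.dst == self.external else p


class StatefulNat:
    """SNAT + DNAT with a flow table, as on the SR of an Active-Standby gateway.
    snat_rules: (source_network, translated_ip), dnat_rules: (destination_ip,
    translated_ip). Hosts sharing one translated IP force port rewriting."""

    def __init__(self, snat_rules, dnat_rules, first_port=1024):
        self.snat = [(ip_network(net), ext) for net, ext in snat_rules]
        self.dnat = dict(dnat_rules)
        self.table = {}           # (direction, Packet) -> translated Packet
        self.used_ports = set()   # (external_ip, port) taken by SNAT flows
        self.next_port = first_port

    def _remember(self, direction, p, translated):
        """Store the forward mapping and the one for the reply direction."""
        other = "in" if direction == "out" else "out"
        self.table[(direction, p)] = translated
        self.table[(other, reply(translated))] = reply(p)

    def _alloc_port(self, ext_ip, wanted):
        port = wanted
        if (ext_ip, wanted) in self.used_ports:      # second host, same port
            while (ext_ip, self.next_port) in self.used_ports:
                self.next_port += 1
            port = self.next_port
        self.used_ports.add((ext_ip, port))
        return port

    def outbound(self, p):
        if ("out", p) in self.table:                  # reply to a DNAT flow
            return self.table[("out", p)]
        for net, ext_ip in self.snat:
            if ip_address(p.src) in net:
                new = p._replace(src=ext_ip, sport=self._alloc_port(ext_ip, p.sport))
                self._remember("out", p, new)
                return new
        return p   # no SNAT rule: forwarded with its real source address

    def inbound(self, p):
        if ("in", p) in self.table:                   # reply to an SNAT flow
            return self.table[("in", p)]
        if p.dst in self.dnat:
            new = p._replace(dst=self.dnat[p.dst])
            self._remember("in", p, new)
            return new
        return None  # unknown flow and no DNAT rule: nothing to deliver to


def demo():
    """Run the post's two flows, plus webvm2, through both NAT types."""
    client = "10.0.0.9"
    rules = ([("172.16.4.0/24", "30.30.30.2")], [("30.30.30.2", "172.16.4.5")])
    gw = StatefulNat(*rules)
    out1 = gw.outbound(Packet("tcp", "172.16.4.5", 40000, client, 80))  # webvm
    out2 = gw.outbound(Packet("tcp", "172.16.4.6", 40000, client, 80))  # webvm2
    back1, back2 = gw.inbound(reply(out1)), gw.inbound(reply(out2))
    in1 = gw.inbound(Packet("tcp", client, 51000, "30.30.30.2", 443))   # DNAT
    reply_out = gw.outbound(reply(in1))
    # The reply to webvm2's flow arrives at a peer node with no shared state:
    # it has only the DNAT rule to go on and hands the packet to webvm instead.
    misrouted = StatefulNat(*rules).inbound(reply(out2))
    # Reflexive NAT needs no state, so a fresh instance gets the reply right.
    r_out = ReflexiveNat("172.16.4.5", "30.30.30.2").outbound(
        Packet("tcp", "172.16.4.5", 40000, client, 80))
    r_back = ReflexiveNat("172.16.4.5", "30.30.30.2").inbound(reply(r_out))
    return dict(out1=out1, out2=out2, back1=back1, back2=back2, in1=in1,
                reply_out=reply_out, misrouted=misrouted, r_out=r_out, r_back=r_back)


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:10} {p}")
```

demo() returns the translated packets, and the misrouted entry is the interesting one: the reply to webvm2's flow, handled by a node that never saw the original packet, matches only the DNAT rule and is delivered to webvm on port 1024. That is the failure NSX-T avoids by running stateful NAT on a single active SR, and it is why a Tier-0 that must stay Active-Active for ECMP is limited to Reflexive NAT.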


I have also tested the SNAT and DNAT rules from VMs on the other segments. I have two other segments, db-ls and app-ls (see the topology above).

appvm is connected to app-ls and dbvm to db-ls. When either of them tries to reach the destination IP 30.30.30.2, the traffic reaches 172.16.4.5 (see the ping replies).

So in this case traffic destined to 30.30.30.2 reaches the Tier-1 gateway, where the SR translates the destination to the internal private address 172.16.4.5 and then routes the traffic to webvm over the Geneve overlay.


Thank you and happy learning!!