3 Replies Latest reply on Feb 27, 2020 10:24 AM by mauricioamorim

    dst-nat network one-to-one

    Yacudzer Novice

I tried to make a DNAT rule for the whole network (I want to translate the whole network to another network):

But when I try to ping an address (for example 10.222.0.12), I see a packet with destination address 10.22.7.203.

How can I translate the whole network one-to-one?

      NSX-v (6.4.6)...

        • 1. Re: dst-nat network one-to-one
          mauricioamorim Expert
          VMware Employees

          Is this NSX-V or NSX-T?

          You mention a T0 router and the screen capture looks like NSX-T, but you mention NSX-V 6.4.6.

          Are you sure you want to configure DNAT? SNAT is more common, where you could, for example, have 10.22.0.0/21 workloads that, when they want to connect to the physical network through the T1, would be translated to 10.222.0.0/21. This way the physical network doesn't see 10.22 and only sees 10.222. Would this be what you are trying to accomplish?

          • 2. Re: dst-nat network one-to-one
            Yacudzer Novice

            I use NSX-V:

            I must make 10.22.0.0/21 accessible using 10.222.0.0/21 addresses.

            I tried to make SNAT. When I ping 10.222.0.[any address], the ESG sends ARP requests to resolve the MAC for IP 10.222.0.[address].

            I think I must translate using DNAT only...

            • 3. Re: dst-nat network one-to-one
              mauricioamorim Expert
              VMware Employees

              If I understood correctly, you have workloads inside NSX-V that are in the 10.22.0.0/21 network but you want them to be seen externally as 10.222.0.0/21. Is this correct?

              If this is the case you would need 2 different NAT configurations depending on the direction of the traffic:

              1) From inside (10.22.0.0/21) to outside:

                   - configure SNAT with source as 10.22.0.0/21 and destination ANY

                   - translated address would be 10.222.0.0/21

              2) If you need to expose the 10.22.0.0/21 workloads to the outside, with the source being the outside, you need DNAT:

                   - configure DNAT with source ANY and destination each individual IP you need to expose using the 10.222.0.0/21 network

                   - translated address would be the original IP in the 10.22.0.0/21 network

              For DNAT you cannot do NAT "overload". Since the flow starts from the outside you need a 1:1 NAT mapping to know to which specific destination traffic is intended.

              Hope this helps.
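The two rule sets described in the reply above, worked through as an added example (not code from the thread or from VMware): one SNAT rule that rewrites the whole 10.22.0.0/21 source range to 10.222.0.0/21, and one DNAT rule per exposed host, each mapping its 10.222.x.y counterpart back to the original 10.22.x.y address so the mapping stays strictly 1:1. The `natRule` element names and the `POST .../nat/config/rules` path are the NSX-V 6.x edge NAT API as recalled here and are an assumption; check them against the API guide for your release. The uplink vNIC index and the two exposed hosts are constructed sample values.

```python
"""Build the NSX-V Edge NAT rule set described in the reply above.

Added example, not from the thread. Element names follow the NSX-V 6.x
edge NAT API schema as recalled here (an assumption; verify against the
API guide for your release before pushing it to a Manager).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Networks from the thread: workloads live in INSIDE and must be reachable as OUTSIDE.
INSIDE = ipaddress.ip_network("10.22.0.0/21")
OUTSIDE = ipaddress.ip_network("10.222.0.0/21")
UPLINK_VNIC = "0"  # assumption: index of the ESG uplink interface the NAT applies to


def map_one_to_one(addr, src_net, dst_net):
    """Return addr rewritten from src_net into dst_net with the host bits kept.

    A 1:1 network translation is only well defined when both prefixes are the
    same size and the address actually sits inside src_net, so check both.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def build_rules(inside, outside, exposed_hosts, vnic=UPLINK_VNIC):
    """Return the NAT rules as dicts keyed by natRule element names.

    Rule 0 is the SNAT for inside->outside; every further rule is one DNAT
    for a single exposed host, because DNAT cannot be "overloaded": traffic
    arriving from outside needs a 1:1 mapping to pick its destination.
    """
    if inside.overlaps(outside):
        raise ValueError("inside and outside networks must not overlap")
    rules = [{
        "action": "snat",
        "vnic": vnic,
        "originalAddress": str(inside),       # source 10.22.0.0/21 ...
        "translatedAddress": str(outside),    # ... is seen outside as 10.222.0.0/21
        "snatMatchDestinationAddress": "any",
        "protocol": "any",
        "enabled": "true",
        "loggingEnabled": "false",
        "description": f"SNAT {inside} -> {outside}",
    }]
    for host in exposed_hosts:
        public = map_one_to_one(host, inside, outside)
        rules.append({
            "action": "dnat",
            "vnic": vnic,
            "originalAddress": str(public),                       # e.g. 10.222.0.12
            "translatedAddress": str(ipaddress.ip_address(host)),  # back to 10.22.0.12
            "dnatMatchSourceAddress": "any",
            "protocol": "any",
            "enabled": "true",
            "loggingEnabled": "false",
            "description": f"DNAT {public} -> {host}",
        })
    return rules


def to_xml(rules):
    """Serialise the rules as a <natRules> body.

    Assumed submission path: POST https://<nsx-manager>/api/4.0/edges/<edgeId>/nat/config/rules
    """
    root = ET.Element("natRules")
    for rule in rules:
        node = ET.SubElement(root, "natRule")
        for tag, value in rule.items():
            ET.SubElement(node, tag).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: expose two workloads. A ping to 10.222.0.12 from outside
    # then lands on 10.22.0.12, not on an unrelated host such as 10.22.7.203.
    print(to_xml(build_rules(INSIDE, OUTSIDE, ["10.22.0.12", "10.22.7.203"])))
```

The prefix-length and overlap checks are there because a "network to network" rule that is not the same size cannot preserve host bits, and an overlapping pair would make the SNAT and DNAT rules match each other's traffic. Rules are generated in the order SNAT first, then DNAT; keep that order if you push them with a single request.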