3 Replies Latest reply on Feb 27, 2020 10:24 AM by mauricioamorim

    dst-nat network one-to-one

    Yacudzer Novice

      I tried to make a DNAT rule for a whole network (I want to translate a whole network to another network):

      But when I try to ping an address (for example), I see a packet with destination address

      How can I translate a whole network one-to-one?

      NSX-v (6.4.6)...

        • 1. Re: dst-nat network one-to-one
          mauricioamorim Expert
          VMware Employees

          Is this NSX-V or NSX-T?


          You mention T0 router and the screen capture looks like NSX-T, but you mention NSX-V 6.4.6.


          Are you sure you want to configure DNAT? SNAT is more common, where you could, for example, have workloads that, when they want to connect to the physical network through T1, would be translated to This way the physical network doesn't see 10.22 and only sees 10.222. Would this be what you are trying to accomplish?

          • 2. Re: dst-nat network one-to-one
            Yacudzer Novice

            I use NSX-v:


            I must make access to using addresses.

            I tried to make src-nat. When I ping 10.222.0.[any address], the ESG sends ARP requests to resolve the MAC for IP 10.222.0.[address].

            I think I must translate using DNAT only...

            • 3. Re: dst-nat network one-to-one
              mauricioamorim Expert
              VMware Employees

              If I understood correctly, you have workloads inside NSX-V that are in the network but you want them to be seen externally as Is this correct?


              If this is the case you would need 2 different NAT configurations depending on the direction of the traffic:


              1) From inside ( to outside:

                   - configure SNAT with source as and destination ANY

                   - translated address would be


              2) If you need to expose the workloads to the outside, with source being the outside you need DNAT:

                   - configure DNAT with source ANY and destination each individual IP you need to expose using the network

                   - translated address would be the original IP in the network


              For DNAT you cannot do NAT "overload". Since the flow starts from the outside you need a 1:1 NAT mapping to know to which specific destination traffic is intended.


              Hope this helps.
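
The per-IP 1:1 DNAT mapping described in the last reply, as an added example that is not part of the original thread and not VMware code: it builds one rule per exposed host, preserving the host offset between two networks. The rule field names and the sample networks (10.222.0.0/24 outside, 10.22.0.0/24 inside) are constructed assumptions, not the poster's actual ranges or the NSX API schema.

```python
import ipaddress

def build_dnat_rules(external_cidr, internal_cidr, expose=None):
    """One DNAT rule per internal host, keeping the same host offset outside.

    expose: optional list of internal IPs to publish; None means every usable host.
    Rule keys are hypothetical, for illustration only (not the NSX API schema).
    """
    ext = ipaddress.ip_network(external_cidr)
    inside = ipaddress.ip_network(internal_cidr)
    if ext.version != inside.version or ext.prefixlen != inside.prefixlen:
        raise ValueError("1:1 mapping needs the same address family and prefix length")
    if ext.overlaps(inside):
        raise ValueError("external and internal networks overlap")
    usable = set(inside.hosts())
    targets = sorted(usable) if expose is None else [ipaddress.ip_address(a) for a in expose]
    rules, seen = [], set()
    for ip in targets:
        if ip not in usable:
            raise ValueError(f"{ip} is not a usable host in {inside}")
        if ip in seen:  # ignore duplicates so each external IP has exactly one target
            continue
        seen.add(ip)
        offset = int(ip) - int(inside.network_address)
        rules.append({
            "action": "dnat",
            "source": "any",
            "original": str(ext.network_address + offset),  # address seen from outside
            "translated": str(ip),                           # real workload address
        })
    return rules

def translate(rules, destination):
    """Return the internal address for an outside destination, or None if unpublished."""
    matches = [r["translated"] for r in rules if r["original"] == destination]
    if len(matches) > 1:
        raise ValueError(f"ambiguous DNAT for {destination}: no overload is possible")
    return matches[0] if matches else None

if __name__ == "__main__":
    # Constructed sample input: publish only two workloads.
    for rule in build_dnat_rules("10.222.0.0/24", "10.22.0.0/24",
                                 ["10.22.0.10", "10.22.0.20"]):
        print(rule)
```

Publishing only the hosts that need inbound access, rather than the whole range, keeps the set of externally reachable addresses explicit and reviewable.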