VMware Networking Community
Yacudzer
Enthusiast

dst-nat network one-to-one

I tried to make a DNAT rule for a whole network (I want to translate a whole network to another network):

pastedImage_0.png

But when I try to ping an address (for example, 10.222.0.12), I see a packet with destination address 10.22.7.203.

How can I translate a whole network one-to-one?

NSX-v (6.4.6)...

3 Replies
mauricioamorim
VMware Employee

Is this NSX-V or NSX-T?

You mention T0 router and the screen capture looks like NSX-T, but you mention NSX-V 6.4.6.

Are you sure you want to configure DNAT? SNAT is more common: for example, you could have 10.22.0.0/21 workloads that are translated to 10.222.0.0/21 when they connect to the physical network through the T1. This way the physical network doesn't see 10.22 and only sees 10.222. Is this what you are trying to accomplish?

Yacudzer
Enthusiast

I use NSX-v:

pastedImage_0.png

I must provide access to 10.22.0.0/21 using 10.222.0.0/21 addresses.

I tried to make src-nat. When I ping 10.222.0.[any address], the ESG sends ARP requests to resolve the MAC for IP 10.222.0.[address].

I think I must translate using DNAT only...

mauricioamorim
VMware Employee

If I understood correctly, you have workloads inside NSX-V that are in the 10.22.0.0/21 network but you want them to be seen externally as 10.222.0.0/21. Is this correct?

If this is the case you would need 2 different NAT configurations depending on the direction of the traffic:

1) From inside (10.22.0.0/21) to outside:

     - configure SNAT with source as 10.22.0.0/21 and destination ANY

     - translated address would be 10.222.0.0/21

2) If you need to expose the 10.22.0.0/21 workloads to the outside, with source being the outside you need DNAT:

     - configure DNAT with source ANY and destination each individual IP you need to expose using the 10.222.0.0/21 network

     - translated address would be the original IP in the 10.22.0.0/21 network

For DNAT you cannot do NAT "overload". Since the flow starts from the outside you need a 1:1 NAT mapping to know to which specific destination traffic is intended.

Hope this helps.

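An added example, not part of the original thread and not NSX code or API calls: a Python sketch of the host-offset-preserving 1:1 mapping between 10.222.0.0/21 and 10.22.0.0/21, used to build the per-IP DNAT pairs described in the reply above. The function names, the rule dictionary layout and the list of exposed hosts are assumptions made for illustration.

```python
import ipaddress


def map_one_to_one(addr, from_net, to_net):
    """Map addr in from_net to the address with the same host offset in to_net."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    # A 1:1 mapping only exists when both networks have the same size.
    if src.version != dst.version or src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs networks of equal prefix length")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    # Keep the host bits, swap only the network prefix.
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)


def dnat_pairs(exposed_hosts, external_net, internal_net):
    """One DNAT entry per exposed internal host (hypothetical rule layout)."""
    rules = []
    for host in exposed_hosts:
        external = map_one_to_one(host, internal_net, external_net)
        rules.append({"action": "dnat",
                      "original": external,   # address the outside connects to
                      "translated": host})    # real workload address
    return rules


if __name__ == "__main__":
    # Constructed list: only the workloads that actually need to be reachable.
    exposed = ["10.22.0.12", "10.22.7.203"]
    for rule in dnat_pairs(exposed, "10.222.0.0/21", "10.22.0.0/21"):
        print(rule)
```

Listing only the hosts that must be reachable keeps the externally exposed surface to those addresses rather than the whole /21.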