VMware Networking Community
Jamiestarr38
Contributor

DNAT - one ip address serving multiple servers

Hello Folks...

I am in the process of creating a bubble network behind an ESG to support development, etc... There will be a number of VMs created in this bubble network, so we would like to explore using SNAT and DNAT to conserve IP addresses. SNAT is relatively straightforward: we are going to assign an IP address for SNAT so all VMs south of the ESG can access the network north of the ESG.

The question is for DNAT. Is it possible, utilizing the ESG, to use a single IP address to provide connectivity to multiple servers using port address translation?

Accepted Solution
cnrz
Expert

As for the TCP ports used by the Edge itself (not to be used for DNAT), they could be general ports for protocols like NTP, DNS, SSH, Syslog, SNMP. The TCP and UDP ports for NSX-T are below (for NSX-v they could be similar):

http://pubs.vmware.com/nsxt-11/index.jsp?topic=%2Fcom.vmware.nsxt.install.doc%2FGUID-19CC3390-A2F3-4...

TCP and UDP ports used by NSX Edge

Source  Target  Port           Protocol  Description
Any     Edge    22             TCP       SSH
Any     Edge    123            UDP       NTP
Any     Edge    161            UDP       SNMP
Any     Edge    67, 68         UDP       DHCP
Any     Edge    1167           TCP       DHCP backend
Any     Edge    3784, 3785     UDP       BFD
Any     Edge    5555           TCP       Public cloud
Any     Edge    6666           TCP       Public cloud
Any     Edge    8080           TCP       NAPI, NSX upgrade
Any     Edge    2480           TCP       Nestdb
Edge    Any     22             TCP       SSH
Edge    Any     53             UDP       DNS
Edge    Any     80             TCP       HTTP
Edge    Any     123            UDP       NTP
Edge    Any     161, 162       UDP       SNMP
Edge    Any     161, 162       TCP       SNMP
Edge    Any     179            TCP       BGP
Edge    Any     443            TCP       HTTPS
Edge    Any     514            TCP       Syslog
Edge    Any     514            UDP       Syslog
Edge    Any     1167           TCP       DHCP backend
Edge    Any     1234           TCP       netcpa
Edge    Any     3000 - 9000    TCP       Metadata proxy
Edge    Any     5671           TCP       NSX messaging
Edge    Any     6514           TCP       Syslog over TLS
Edge    Any     33434 - 33523  UDP       Traceroute

For the TCP ports used for NAT on the Edge, these links could be helpful:

http://www.virtually-limitless.com/vcix-nv-study-guide/troubleshoot-network-address-translation-nat-...

Networking&Security > NSX Edges > (Selecting NSX Edge) > Manage > NAT

(image: NSX_Nat_Original_Translated_Ports.png)

The show nat command on the Edge CLI also lists the source and NAT translated ports:

https://vcrooky.com/2017/08/nsx-troubleshoot-dhcpdnsnat-service-issues/

(image: NSX_Nat_show_nat.png)
3 Replies
cnrz
Expert

For DNAT, using the same outer IP for different internal VMs could be possible as long as the TCP ports are different. This makes it possible not to reserve a unique IP for every VM that will service outside.

These links could be helpful:

Virtualization The Future: NSX Deepdive Part 8 - Configuring and Testing Network Address Translation...

A destination NAT rule can also translate port numbers, allowing you to overload a single IP address to expose multiple services using different incoming ports.

NSX-V Edge NAT – Route to Cloud

Traffic Flow of Destination NAT through Edge Gateway – Stretch Cloud – Technology Undressed

Jamiestarr38
Contributor

Thanks, this is a great start. For the DNAT setup, I will set up port-number mappings; to further explain, I will have the following based on your response:

DNAT:  Source Port 22   -  Port 22:  Server A (Access an application installed on this server)
       Source Port 223  -  Port 22:  Server B (Access an application installed on this server)

With that being said, is there a way to list all the ports that are listening and available on an NSX Edge?

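The two points raised in this thread, overloading one outer IP across several VMs by giving each a distinct outer port, and knowing which ports the Edge itself already listens on so a DNAT rule does not compete with them, can be checked before anything is pushed to the Edge. The following script is an added example, not code from the thread or from VMware: it models the mapping proposed above (outer port 22 to Server A:22, outer port 223 to Server B:22), rejects two rules that claim the same protocol/port on the same outer IP, and flags any outer port that appears in the "Any -> Edge" rows of the port table in the accepted answer (that table is for NSX-T; cnrz notes NSX-v is likely similar, so treat the list as an assumption to confirm for your version). All IP addresses and the rule list are constructed sample values.

```python
"""Plan and sanity-check DNAT (port address translation) rules for one outer IP.

Added example for this thread, not VMware's or the thread's own code.
Checks performed on a rule plan:
  1. no two rules claim the same (outer IP, protocol, outer port)
  2. no rule claims an outer port the Edge itself accepts (the 'Any -> Edge'
     rows of the NSX-T table quoted in the accepted answer; assumed to apply)
It also resolves an inbound (outer IP, protocol, port) the way DNAT would,
so the plan can be compared against the Edge's own 'show nat' output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 'Any -> Edge' rows from the table in the accepted answer (NSX-T; assumed
# similar on NSX-v). A DNAT rule on one of these outer ports competes with the
# Edge's own service on the same IP, and one of the two loses.
EDGE_LISTENING_PORTS = {
    ("tcp", 22), ("udp", 123), ("udp", 161), ("udp", 67), ("udp", 68),
    ("tcp", 1167), ("udp", 3784), ("udp", 3785), ("tcp", 5555),
    ("tcp", 6666), ("tcp", 8080), ("tcp", 2480),
}


@dataclass(frozen=True)
class DnatRule:
    outer_ip: str        # address clients connect to (north of the Edge)
    protocol: str        # "tcp" or "udp"
    outer_port: int      # port clients connect to on the outer IP
    inner_ip: str        # VM behind the Edge that really answers
    inner_port: int      # port the VM listens on
    description: str = ""


def validate_rules(rules: List[DnatRule]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is clean."""
    problems: List[str] = []
    seen: Dict[Tuple[str, str, int], DnatRule] = {}
    for r in rules:
        label = r.description or r.inner_ip
        proto = r.protocol.lower()
        if proto not in ("tcp", "udp"):
            problems.append(f"{label}: unsupported protocol {r.protocol!r}")
            continue
        if not (1 <= r.outer_port <= 65535 and 1 <= r.inner_port <= 65535):
            problems.append(f"{label}: port out of range")
            continue
        key = (r.outer_ip, proto, r.outer_port)
        if key in seen:
            problems.append(f"{r.outer_ip}:{r.outer_port}/{proto} is claimed twice "
                            f"({seen[key].inner_ip} and {r.inner_ip})")
        else:
            seen[key] = r
        if (proto, r.outer_port) in EDGE_LISTENING_PORTS:
            problems.append(f"{r.outer_ip}:{r.outer_port}/{proto} ({label}) is a port "
                            f"the Edge itself listens on; choose another outer port")
    return problems


def resolve(rules: List[DnatRule], outer_ip: str, protocol: str,
            port: int) -> Optional[Tuple[str, int]]:
    """Where DNAT would send a packet addressed to outer_ip:port/protocol, or None."""
    for r in rules:
        if (r.outer_ip, r.protocol.lower(), r.outer_port) == (outer_ip, protocol.lower(), port):
            return (r.inner_ip, r.inner_port)
    return None


# Constructed sample values (documentation-range outer address, private inner VMs).
OUTER_IP = "203.0.113.10"

# The mapping proposed in the thread: outer 22 -> Server A:22, outer 223 -> Server B:22.
PROPOSED = [
    DnatRule(OUTER_IP, "tcp", 22, "10.10.0.11", 22, "Server A SSH"),
    DnatRule(OUTER_IP, "tcp", 223, "10.10.0.12", 22, "Server B SSH"),
]

# Same plan with Server A moved to outer port 222 so it no longer collides with Edge SSH.
REVISED = [
    DnatRule(OUTER_IP, "tcp", 222, "10.10.0.11", 22, "Server A SSH"),
    DnatRule(OUTER_IP, "tcp", 223, "10.10.0.12", 22, "Server B SSH"),
]

if __name__ == "__main__":
    for name, plan in (("proposed", PROPOSED), ("revised", REVISED)):
        print(f"{name}: {validate_rules(plan) or 'no conflicts'}")
    print("inbound 203.0.113.10:223/tcp ->", resolve(REVISED, OUTER_IP, "tcp", 223))
```

Run against the proposed plan the script reports the outer port 22 rule as colliding with the Edge's own SSH listener; the revised plan passes. Once rules are configured, the resolve() results for each outer port can be compared line by line with the original and translated ports the Edge prints from `show nat`, as referenced in the accepted answer.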