VMware Networking Community
zjerina
Contributor
Contributor

NSX-T Hairpin NAT Destination Filtering

We want to use NSX-T for hairpin routing but we require it to be done based on the packets destination.

We have the following scenario:

VM1: 10.10.10.14

VM2: 10.10.10.15

We would like the traffic going out of VM1 to be NAT-ed based on the network it is going to (SHARED/INTERNET) when the traffic is going to shared (100.64.0.0/16) we would like it to exit with the shared IP as source and when the traffic is going to public we would like it to exit with the public IP as source.

This all works well when going out of the NSX-T T0 and the NAT is applied to the interfaces. But there is a problem when we want to do hairpin routing.

Lets say the VM1 wants to exit the network (SNAT) with public IP 193.2.2.2 and shared IP 100.64.0.11 and VM2 has shared IP 100.64.0.12 (DNAT). When we create the NAT entries and assign them to the interfaces the traffic going out and into the T0 works fine but if we want to reach VM2 with its shared IP NSX-T simply does not do the NAT.

We wanted to solve the issue by not assigning DNAT and SNAT entries to interfaces but then we have the problem of not being able to filter the traffic in the SNAT destination because it does not filter based on the initial packet, but rather based on the DNAT-ed packet.

Please find the example NAT configuration attached.

How can our issue be resolved using hairpin NAT? Is the functionality even supported?

NSX-T version: 4.0.0.1.0.20159689

Thank you for your support.

 

Reply
0 Kudos
0 Replies