We are using NSX 6.2, and we are experiencing some issues with NAT.
Distributed Logical Router
We have a DNAT rule applied on the public interface on our Edge translating external ip to internal.
We are allowing the traffic to flow through the firewall in the Edge to the destination through the DLR.
Our DLR has an allow default rule.
So just to hide my real ips:
External Source: 220.127.116.11
External Destination: 18.104.22.168
Internal Destination: 10.10.10.10
On the external interface on our Edge i can see this when a request comes in:
- IP 22.214.171.124.56535 > 126.96.36.199.80: Flags [S], seq 326397768, win 29200, options [mss 1460,sackOK,TS val 804465675 ecr 0,nop,wscale 7], length 0
On the internal interface on our Edge i can see this when a request comes in:
- IP 188.8.131.52.56536 > 10.10.10.10.80: Flags [S], seq 518531681, win 29200, options [mss 1460,sackOK,TS val 804482949 ecr 0,nop,wscale 7], ength 0
Firewall Flow from the edge:
|1: tcp||6 24 SYN_SENT src=184.108.40.206 dst=220.127.116.11 sport=56557 dport=80 pkts=1 bytes=60 [UNREPLIED] src=10.10.10.10 dst=18.104.22.168 sport=80 dport=56557 pkts=0 bytes=0 mark=0 rid=131081 use=1|
So here is my question, according to my knowledge of how NAT should work i should see request on the inside of my edge going towards my vm, where the source is the inside address of my edge, not the address of the original source.
In this case i get the request to my internal vm from external originating source.
Is this a miss configuration or is this a incorrect behavior in NSX?
Thanks for your help
So we seem to have solved this issue.
We were missing a SNAT on the inside that translates Source 0.0.0.0/0 to the external netblock.
This seems to be a solution to the problem, but not a intuitive one.
DNAT translates only the destination address of the packet. As you've discovered, the source address will remain the same when using a DNAT rule. Rather than translating all addresses with the SNAT rule, you may see benefit in translating only specific IPs in the SNAT source.
If your experience is with Cisco networking, you are probably used to a single static NAT statement performing the translation of the external address to the internal address on inbound traffic, as well as implicitly translating the inside address to the outside address on the way out.
A good article on NAT: NSX-V Edge NAT | VMware Professional Services