Hi,
I have an Internal Routed Org network connected to my External Network.
The VMs on the Internal Org Network enjoy internet connectivity using IP masquerade, and I can configure NAT so I can access those internal machines from the outside on the ports that I need. So far so good.
Is it possible to configure a VM on the internal network to reach the internet from a specified ip address and not from the masquerade ip address?
For example, I have a mail server on the internal network and I want it to send mail from a specific address; because the mail server is the one that initiates the connection, the normal Inbound NAT rules don't apply.
Another related topic: in the configure service for the internal network there is a firewall tab. I don't understand what that does. Isn't it quite redundant to configure NAT and the firewall? You need to open the ports in both places, and the firewall has no other use as far as I can see.
Thanks for your help.
Ok,
I found that if I create a vApp Network I can do 1:1 NAT (IP Translation).
Why is this option not available when I use an Organization Network?
1:1 NAT isn't supported at the routed organization network.
Thanks, morpheus.
Is there any technical reason for this, or is it just not implemented in the 1.0 version of vCD?
It's not implemented. No technical reason why it can't be done.
I'm guessing that an Org Network can potentially be very large; if IP Translation NAT were supported, it could potentially overwhelm the vShield Edge device. However, you can manually enable this on a per-VM/IP basis.
IP Translation NAT is supported on a per-vApp basis, either by fencing the vApp or NATing the vApp network, and it's the default option; the other option is Port Forwarding.
William
What really would be the best solution is to be able to IP masquerade all of the internal network and only IP translate for specific VMs.
...and then real multi-tenancy can be provided. BTW, about "you need to open the ports in both places and the firewall have no other use as far as I can see": the reason is that it is not a single vShield Edge device that controls your flows between same-Org networks; there are multiple vShield Edge VMs (virtual appliances with 2 NICs, int-ext) created with any routed Org port group created, and you need to configure all of them to be able to allow full communications end-to-end.
Looks like it's now supported in vCloud director 1.0.1.
No, not working. vShield Edge is still not a router, so single IP only and always NAT.
Many thanks. Are you using Cloud 1.0 or 1.0.1?
Do you mean that in 1.0.1 you have routing capabilities? Route to outside with no NAT? Route between internal networks? Doing static routes at least?
See https://www.vmware.com/support/vcd/doc/rel_notes_vcloud_director_101.html, "IP Translation for Organization Networks".
So yes, still NAT-only (you must NAT if you want to use a gateway in vCD) with no ROUTING capabilities, also not in the latest 1.5.
Wrong
theman wrote:
So yes, still NAT-only (you must NAT if you want to use a gateway in vCD) with no ROUTING capabilities, also not in the latest 1.5.