VMware Cloud Community
AlexVeber
Contributor

Is 1:1 Outgoing NAT possible?

Hi,

I have an Internal Routed Org network connected to my External Network.

The VMs on the Internal Org Network enjoy internet connectivity using IP masquerade, and I can configure NAT so I can access those internal machines from the outside on the ports that I need. So far so good.

Is it possible to configure a VM on the internal network to reach the internet from a specified IP address and not from the masquerade IP address?

For example, I have a mail server on the internal network and I want it to send mail from a specific address. Because the mail server is the one that initiates the connection, the normal Inbound NAT rules don't apply.

Another related topic: in the configure service for the internal network there is a firewall tab. I don't understand what that does. Isn't it quite redundant to configure NAT and the firewall? You need to open the ports in both places, and the firewall has no other use as far as I can see.

Thanks for your help.

14 Replies
AlexVeber
Contributor

Ok,

I found that if I create a vApp Network I can do 1:1 NAT (IP Translation).

Why is this option not available when I use an Organization Network?

_morpheus_
Expert

1:1 NAT isn't supported at the routed organization network.

AlexVeber
Contributor

Thanks, morpheus.

Is there any technical reason for this, or is it just not implemented in the 1.0 version of vCD?

_morpheus_
Expert

It's not implemented. No technical reason why it can't be done.

WillL
Enthusiast

I'm guessing that an Org Network can potentially be very large; if IP Translation NAT were supported, it could potentially overwhelm the vShield Edge device. However, you can manually enable this on a per-VM/IP basis.

IP Translation NAT is supported on a per-vApp basis, either by fencing the vApp or by NATing the vApp network, and it's the default option; the other option is Port Forwarding.

William

AlexVeber
Contributor

What would really be the best solution is to be able to IP masquerade all of the internal network and only IP translate specific VMs.

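The split described in the post above (masquerade the whole internal network, 1:1 translate only chosen VMs) and the NAT-versus-firewall question from the first post, shown as an added illustration on a Linux nftables gateway. This is not vShield Edge or vCloud Director configuration; all addresses and interface names are constructed for the example.

```nft
# Added illustration on a Linux nftables gateway, not vShield Edge / vCD config.
# Constructed addressing:
#   internal org network 192.168.10.0/24 on eth1, uplink on eth0
#   shared masquerade public IP   203.0.113.10
#   mail server 192.168.10.25, to appear on the internet as 203.0.113.25
#   web host    192.168.10.40, reachable only via port forward on the shared IP

table ip orgnat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # 1:1 source translation for the mail server only. It must precede the
        # masquerade rule: snat is terminal for the first packet of a connection.
        oifname "eth0" ip saddr 192.168.10.25 snat to 203.0.113.25

        # Everyone else on the org network shares the masquerade address.
        oifname "eth0" ip saddr 192.168.10.0/24 masquerade
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Inbound half of the 1:1 mapping for the mail server.
        iifname "eth0" ip daddr 203.0.113.25 dnat to 192.168.10.25

        # Plain port forwarding on the shared address for the web host.
        iifname "eth0" ip daddr 203.0.113.10 tcp dport 443 dnat to 192.168.10.40
    }
}

# NAT only rewrites addresses; whether a forwarded packet is allowed at all is
# decided here. Without these accepts the DNAT rules above still rewrite, but
# the forward policy drops the packet, which is why both must be configured.
table ip orgfw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Outbound from the org network to the internet.
        iifname "eth1" oifname "eth0" accept

        # Inbound, matched on the post-DNAT internal address and port, so the
        # 1:1-mapped mail server is still only reachable on SMTP.
        iifname "eth0" oifname "eth1" ip daddr 192.168.10.25 tcp dport 25 accept
        iifname "eth0" oifname "eth1" ip daddr 192.168.10.40 tcp dport 443 accept
    }
}
```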
manythanks
Contributor

...and then real multi-tenancy can be provided. By the way, about "you need to open the ports in both places and the firewall has no other use as far as I can see": the reason is that it is not a single vShield Edge device that controls your flows between same-org networks. There are multiple vShield Edge VMs (virtual appliances with two NICs, internal and external), one created with every routed org port group, and you need to configure all of them to allow full communication end-to-end.

AlexVeber
Contributor

Looks like it's now supported in vCloud Director 1.0.1.

manythanks
Contributor

No, not working. vShield Edge is still not a router, so single IP only and always NAT.

admin
Immortal

manythanks, are you using Cloud 1.0 or 1.0.1?

manythanks
Contributor

Do you mean that in 1.0.1 you have routing capabilities? Route to the outside with no NAT? Route between internal networks? Static routes at least?

admin
Immortal

See https://www.vmware.com/support/vcd/doc/rel_notes_vcloud_director_101.html, "IP Translation for Organization Networks".

manythanks
Contributor

So yes, still NAT-only (you must NAT if you want to use a gateway in vCD) with no routing capabilities, also not in the latest 1.5.

_morpheus_
Expert

Wrong.

theman wrote:

So yes, still NAT-only (you must NAT if you want to use a gateway in vCD) with no routing capabilities, also not in the latest 1.5.
