VMware Cloud Community
rrtm
Contributor

vShield U-turn NAT

Hey,

There are 2 zones: internal and external.
The client and server are both in the same internal subnet.
The client needs to access the server using the public IP address that is configured on the vShield Edge.
External users can access the server fine, but when an internal client tries to access the server, DNAT changes only the destination IP address. Packets get from the client to the server, but the source IP stays the original IP, and the server sends the SYN/ACK back directly, not through the firewall.
Is it possible to do SNAT and DNAT at the same time for this traffic, so that the clients' original source IP would be masked behind the vShield IP?

AdamRushUK
Enthusiast

I got caught on this last week.

You need to keep the standard DNAT rules on the Edge's External interface, but also duplicate those DNAT rules on the Edge's Internal interface.

You also put the SNAT rules on the Edge's Internal interface.

This blog post explains it well: https://orchestration.io/2013/08/12/hairpin-nat-nat-hairpinning-with-vshield-edge/

VCP-Cloud | VCP5-DCV | MCITP:EA | MCSE | CCNA | CCAA LinkedIn: https://www.linkedin.com/in/adamrushuk | Twitter : @adamrushuk
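To see why the reply above needs both the duplicated DNAT and the SNAT on the internal interface, here is an added example (not from the thread or from VMware) that models the Edge's per-interface NAT rule evaluation and the server's return path. All addresses and the rule-tuple layout are constructed for illustration; they are not vShield's own API.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the thread).
INTERNAL_NET = ip_network("10.0.0.0/24")
EDGE_INTERNAL_IP = "10.0.0.1"      # Edge's address on the internal interface
EDGE_PUBLIC_IP = "192.0.2.10"      # public IP configured on the Edge
SERVER_IP = "10.0.0.50"
INTERNAL_CLIENT = "10.0.0.20"
EXTERNAL_CLIENT = "198.51.100.7"


def build_rules(dnat_internal=False, snat_internal=False):
    """Rule tuples: (ingress interface, kind, match network, translate-to)."""
    rules = [("external", "DNAT", ip_network(EDGE_PUBLIC_IP), SERVER_IP)]
    if dnat_internal:   # same DNAT duplicated on the internal interface
        rules.append(("internal", "DNAT", ip_network(EDGE_PUBLIC_IP), SERVER_IP))
    if snat_internal:   # mask internal sources behind the Edge's internal IP
        rules.append(("internal", "SNAT", INTERNAL_NET, EDGE_INTERNAL_IP))
    return rules


def translate(src, dst, rules):
    """Apply the rules bound to the interface the packet enters, in order."""
    iface = "internal" if ip_address(src) in INTERNAL_NET else "external"
    for r_iface, kind, match, to in rules:
        if r_iface != iface:
            continue
        if kind == "DNAT" and ip_address(dst) in match:
            dst = to
        elif kind == "SNAT" and ip_address(src) in match:
            src = to
    return src, dst


def hairpin_outcome(src, dst, rules):
    """Return (translated src, translated dst, return-path verdict)."""
    new_src, new_dst = translate(src, dst, rules)
    if new_dst != SERVER_IP:
        return new_src, new_dst, "unreachable"   # no DNAT hit on this interface
    # The server answers the source it saw. A source on its own subnet that is
    # not the Edge is reached directly, so the SYN/ACK bypasses the firewall.
    if ip_address(new_src) in INTERNAL_NET and new_src != EDGE_INTERNAL_IP:
        return new_src, new_dst, "asymmetric"
    return new_src, new_dst, "symmetric"


if __name__ == "__main__":
    for cfg in ({}, {"dnat_internal": True}, {"dnat_internal": True, "snat_internal": True}):
        print(cfg, hairpin_outcome(INTERNAL_CLIENT, EDGE_PUBLIC_IP, build_rules(**cfg)))
```

The middle configuration reproduces the symptom in the question (DNAT applied, source untouched, reply bypasses the Edge); the last one is the fix from the reply.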