DNAT/SNAT with port translation traffic is impacted after upgrade to NSX-T 3.0.1
Article ID: 306214
Products
VMware NSX, VMware vDefend Firewall
Issue/Introduction
Symptoms:
An upgrade has been performed from NSX-T 3.0.0 to NSX-T 3.0.1
SNAT/DNAT rules were created using Policy UI or API on NSX-T 3.0.0
Datapath traffic flows configured for DNAT/SNAT are impacted
SNAT/DNAT rules use port translation
Example DNAT configuration (Edge node CLI output; addresses and part of the firewall UUID are masked):

Working DNAT configuration on 3.0.0:
Edge01> get firewall e7d73315-dad1-4228-####-########## ruleset rules
DNAT rule count: 1
Rule ID : 1028
Rule : in protocol tcp prenat from any to ip #.#.#.# port 22 dnat ip #.#.#.# port 2222 with log

Broken DNAT configuration on 3.0.1 (service port and translated port interchanged):
Edge01> get firewall e7d73315-dad1-4228-####-############ ruleset rules
DNAT rule count: 1
Rule ID : 1028
Rule : in protocol tcp prenat from any to ip #.#.#.# port 2222 dnat ip #.#.#.# port 22 with log
Environment
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
Cause
During the upgrade from NSX-T Data Center 3.0.0 to 3.0.1, a conversion takes place which interchanges two DNAT rule parameters: the service port and the translated port. Only rules that use port translation are affected; a rule whose service port and translated port are identical produces the same datapath rule after the swap.
Resolution
This is a known issue affecting NSX-T Data Center 3.0.1. There is currently no resolution.
Workaround:
1. From the UI or API, edit all DNAT rules.
2. Swap the port numbers in the "Service" and "Translated Port" fields.
Note: for system services such as HTTP, SSH, etc., the port cannot be changed through either the API or the UI.
3. For DNAT rules that use these system services, create a new customized service.
4. Replace the system service in the DNAT rule with the customized service.
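Before editing rules by hand, it helps to know exactly which DNAT rules the upgrade interchanged. The following script is an added example and is not part of the KB article or an NSX-T tool: it parses Edge CLI output in the format shown above (captured before and after the upgrade with "get firewall <uuid> ruleset rules"), pairs rules by Rule ID, flags those whose prenat port and dnat port were swapped, and prints the values to enter in the Service and Translated Port fields per the workaround. The sample captures, the all-zero firewall UUID and the documentation IP addresses are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample captures in the format the KB article shows.
# Rule 1028 uses port translation (22 -> 2222) and is interchanged by the
# upgrade; rule 1029 maps 443 -> 443, so the swap has no datapath effect.
BEFORE_UPGRADE = """\
Edge01> get firewall 00000000-0000-0000-0000-000000000000 ruleset rules
DNAT rule count: 2
Rule ID : 1028
Rule : in protocol tcp prenat from any to ip 192.0.2.10 port 22 dnat ip 198.51.100.10 port 2222 with log
Rule ID : 1029
Rule : in protocol tcp prenat from any to ip 192.0.2.11 port 443 dnat ip 198.51.100.11 port 443 with log
"""

AFTER_UPGRADE = """\
Edge01> get firewall 00000000-0000-0000-0000-000000000000 ruleset rules
DNAT rule count: 2
Rule ID : 1028
Rule : in protocol tcp prenat from any to ip 192.0.2.10 port 2222 dnat ip 198.51.100.10 port 22 with log
Rule ID : 1029
Rule : in protocol tcp prenat from any to ip 192.0.2.11 port 443 dnat ip 198.51.100.11 port 443 with log
"""

RULE_ID_RE = re.compile(r"^Rule ID\s*:\s*(\d+)\s*$")
# Only rules that carry both a service port and a translated port are
# matched; rules without port translation are not affected by the issue.
RULE_RE = re.compile(
    r"^Rule\s*:\s*in\s+protocol\s+(?P<proto>\w+)\s+prenat\s+from\s+\S+\s+"
    r"to\s+ip\s+(?P<dst_ip>\S+)\s+port\s+(?P<svc_port>\d+)\s+"
    r"dnat\s+ip\s+(?P<xlate_ip>\S+)\s+port\s+(?P<xlate_port>\d+)"
)


class DnatRule(NamedTuple):
    rule_id: int
    proto: str
    dst_ip: str
    svc_port: int      # port matched on the original destination (Service)
    xlate_ip: str
    xlate_port: int    # port after translation (Translated Port)


def parse_dnat_rules(dump: str) -> Dict[int, DnatRule]:
    """Parse 'get firewall ... ruleset rules' output into rules keyed by Rule ID."""
    rules: Dict[int, DnatRule] = {}
    current_id = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = RULE_ID_RE.match(line)
        if m:
            current_id = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m and current_id is not None:
            rules[current_id] = DnatRule(
                current_id, m["proto"], m["dst_ip"], int(m["svc_port"]),
                m["xlate_ip"], int(m["xlate_port"]),
            )
            current_id = None
    return rules


def find_swapped_rules(before: Dict[int, DnatRule],
                       after: Dict[int, DnatRule]) -> List[int]:
    """Return Rule IDs whose service and translated ports were interchanged.

    Rules with equal ports on both sides are skipped: the swap does not change
    the resulting datapath rule, so there is nothing to correct.
    """
    swapped = []
    for rid, old in before.items():
        new = after.get(rid)
        if new is None or old.svc_port == old.xlate_port:
            continue
        if (new.svc_port, new.xlate_port) == (old.xlate_port, old.svc_port):
            swapped.append(rid)
    return swapped


def corrected_fields(rule: DnatRule) -> Dict[str, int]:
    """Values to enter for a post-upgrade rule, following the KB workaround."""
    return {"service_port": rule.xlate_port, "translated_port": rule.svc_port}


if __name__ == "__main__":
    before = parse_dnat_rules(BEFORE_UPGRADE)
    after = parse_dnat_rules(AFTER_UPGRADE)
    for rid in find_swapped_rules(before, after):
        fix = corrected_fields(after[rid])
        print(f"Rule {rid}: ports interchanged by upgrade; set Service port="
              f"{fix['service_port']}, Translated Port={fix['translated_port']}")
```

The comparison deliberately requires a pre-upgrade capture: from the 3.0.1 output alone a rule that maps port 2222 to 22 is indistinguishable from one that was intended that way. If no pre-upgrade capture exists, the Policy UI or API view of each rule's intended service and translated port is the reference to compare against.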