DNAT/SNAT with port translation traffic is impacted after upgrade to NSX-T 3.0.1
Article ID: 306214

Products

VMware NSX
VMware vDefend Firewall

Issue/Introduction

Symptoms:

  • An upgrade has been performed from NSX-T 3.0.0 to NSX-T 3.0.1
  • SNAT/DNAT rules were created using the Policy UI or API on NSX-T 3.0.0
  • SNAT/DNAT rules use port translation
  • Datapath traffic flows that match these DNAT/SNAT rules are impacted

   Example DNAT configuration

   Working DNAT configuration on 3.0.0
     Edge01> get firewall e7d73315-dad1-4228-####-########## ruleset rules
     DNAT rule count: 1
     Rule ID   : 1028
     Rule      : in protocol tcp prenat from any to ip #.#.#.# port 22 dnat ip #.#.#.# port 2222 with log

   Broken DNAT configuration on 3.0.1
     Edge01> get firewall e7d73315-dad1-4228-####-############ ruleset rules
     DNAT rule count: 1
     Rule ID   : 1028
     Rule      : in protocol tcp prenat from any to ip #.#.#.# port 2222 dnat ip #.#.#.# port 22 with log

   In the broken rule the service port (22) and the translated port (2222) have been interchanged, so traffic arriving on port 22 no longer matches the rule.

Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

During the upgrade from NSX-T Data Center 3.0.0 to 3.0.1, a rule conversion takes place that interchanges two DNAT rule parameters: the service port (the original destination port) and the translated port.

Resolution

This is a known issue affecting NSX-T Data Center 3.0.1. There is currently no resolution.

Workaround:
  • From the UI or API, edit all affected DNAT rules
  • Swap the port numbers in the "Service" and "Translated Port" fields
  • Note: for system services such as HTTP, SSH, etc., the port cannot be changed via either the API or the UI
    • For DNAT rules that use these system services, a new customized service with the required port must be created
    • Replace the system service in the DNAT rule with the customized service
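To verify which rules were affected before editing them, the edge "get firewall ... ruleset rules" output shown above can be parsed and compared against the service/translated port pairs recorded on 3.0.0. The following is an added example, not VMware's own tooling; the ruleset output and the intended port mapping are constructed for illustration, with the masked IP addresses replaced by documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of "get firewall <uuid> ruleset rules" output after the upgrade.
# Rule 1028 mirrors the KB example (22 -> 2222 became 2222 -> 22); rule 1029 is unaffected.
RULESET_OUTPUT = """\
DNAT rule count: 2
Rule ID   : 1028
Rule      : in protocol tcp prenat from any to ip 203.0.113.10 port 2222 dnat ip 10.0.0.5 port 22 with log
Rule ID   : 1029
Rule      : in protocol tcp prenat from any to ip 203.0.113.11 port 443 dnat ip 10.0.0.6 port 8443 with log
"""

# Intended mapping recorded on 3.0.0 (constructed): rule id -> (service port, translated port)
INTENDED_PORTS: Dict[int, Tuple[int, int]] = {1028: (22, 2222), 1029: (443, 8443)}

# Matches one DNAT rule: the "Rule ID" line followed by its "Rule" line.
RULE_RE = re.compile(
    r"Rule ID\s*:\s*(?P<rule_id>\d+)\s+"
    r"Rule\s*:\s*in protocol (?P<proto>\w+) prenat from any to ip (?P<dst>\S+) "
    r"port (?P<svc_port>\d+) dnat ip (?P<xlate_ip>\S+) port (?P<xlate_port>\d+)"
)


@dataclass
class DnatRule:
    rule_id: int
    proto: str
    dst_ip: str
    service_port: int      # port the client connects to (pre-NAT destination port)
    translated_ip: str
    translated_port: int   # port the packet is rewritten to


def parse_dnat_rules(text: str) -> List[DnatRule]:
    """Extract DNAT rules with port translation from the edge ruleset output."""
    return [
        DnatRule(int(m["rule_id"]), m["proto"], m["dst"], int(m["svc_port"]),
                 m["xlate_ip"], int(m["xlate_port"]))
        for m in RULE_RE.finditer(text)
    ]


def find_swapped_rules(rules: List[DnatRule], intended: Dict[int, Tuple[int, int]]) -> List[int]:
    """Return rule ids whose datapath ports are the exact reverse of the intended pair."""
    swapped = []
    for r in rules:
        expected = intended.get(r.rule_id)
        if expected is None or expected[0] == expected[1]:
            continue  # unknown rule, or same port both sides (a swap is not observable)
        if (r.service_port, r.translated_port) == (expected[1], expected[0]):
            swapped.append(r.rule_id)
    return swapped
```

Rules reported by find_swapped_rules are the ones whose "Service" and "Translated Port" fields need to be swapped back per the workaround.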