NAT does not translate IP addresses when NSX Edge firewall is disabled

Article ID: 321457

Products

VMware NSX

Issue/Introduction

  • Source NAT with a translated IP range is configured on an NSX for vSphere Edge gateway.
  • Edge gateway firewall service is disabled.
  • No traffic passes through the Edge gateway from the internal virtual machines.

Environment

VMware NSX for vSphere 6.x
VMware Cloud Director for Service Provider 8.20.x
VMware Cloud Director for Service Provider 9.x

Cause

When the Edge gateway firewall is disabled, all stateful services, including NAT, are also disabled if the Edge is a 6.0 Extra Large Edge or a 6.1 or later Edge.

Note: When using vShield Edge or NSX Edge with vCloud Director earlier than 8.20, disabling the firewall from the vCloud Director UI creates an allow any/any rule on the Edge device. When using NSX Edge with vCloud Director 8.20 or later, disabling the firewall produces the symptoms described above. The workaround is to keep the firewall enabled in vCloud Director with an any/any accept rule.

Resolution

This is expected behavior: NAT depends on the firewall service, and that service is disabled.

To resolve this issue:
  • Enable the Edge gateway firewall so that stateful services such as NAT can run.
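The dependency described above can be checked programmatically before traffic stops. The following is an added example, not code from VMware or from this article: it inspects a simplified Edge configuration export, reports when NAT rules exist while the firewall service is disabled, and shows the remediated form (firewall enabled with an accept default policy, used here to model the any/any accept rule). The XML layout, element names (firewall, enabled, defaultPolicy, nat, natRule, originalAddress, translatedAddress) and the addresses are constructed assumptions for this example and may not match the real NSX Edge API schema.

```python
"""Detect the misconfiguration this article describes: SNAT rules present on an
NSX for vSphere Edge whose firewall service is disabled, so NAT will not run."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: a simplified Edge configuration in the spirit of the NSX-v
# Edge API XML. Element names and addresses are assumptions for this example,
# not an export from a real Edge.
EDGE_CONFIG_FIREWALL_DISABLED = """\
<edge>
  <id>edge-EXAMPLE</id>
  <features>
    <firewall>
      <enabled>false</enabled>
      <defaultPolicy><action>deny</action></defaultPolicy>
    </firewall>
    <nat>
      <enabled>true</enabled>
      <natRules>
        <natRule>
          <action>snat</action>
          <originalAddress>192.168.10.0/24</originalAddress>
          <translatedAddress>203.0.113.10-203.0.113.20</translatedAddress>
        </natRule>
      </natRules>
    </nat>
  </features>
</edge>
"""


def _text(root: ET.Element, path: str, default: str = "") -> str:
    """Return the stripped text of the first element at path, or default."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else default


def nat_rules(root: ET.Element) -> List[Dict[str, str]]:
    """Collect the NAT rules (action, original and translated address)."""
    rules = []
    for rule in root.iterfind("./features/nat/natRules/natRule"):
        rules.append({
            "action": _text(rule, "action").lower(),
            "original": _text(rule, "originalAddress"),
            "translated": _text(rule, "translatedAddress"),
        })
    return rules


def check_edge(xml_text: str) -> Dict[str, object]:
    """Flag an Edge that has NAT rules but no firewall service.

    NAT is a stateful service; with the firewall disabled the rules are
    present in the configuration but are never applied to traffic."""
    root = ET.fromstring(xml_text)
    fw_enabled = _text(root, "./features/firewall/enabled").lower() == "true"
    nat_enabled = _text(root, "./features/nat/enabled").lower() == "true"
    rules = nat_rules(root)
    findings = []
    if nat_enabled and rules and not fw_enabled:
        findings.append(
            f"{len(rules)} NAT rule(s) configured but the Edge firewall service "
            "is disabled; NAT is stateful and will not translate traffic."
        )
    return {
        "edge_id": _text(root, "id"),
        "firewall_enabled": fw_enabled,
        "nat_rule_count": len(rules),
        "findings": findings,
    }


def remediate(xml_text: str) -> str:
    """Return the configuration with the firewall enabled and an accept default
    policy (the 'firewall on with an any/any accept rule' workaround, modelled
    here as the default policy; that mapping is an assumption)."""
    root = ET.fromstring(xml_text)
    fw = root.find("./features/firewall")
    if fw is None:
        raise ValueError("configuration has no firewall feature block")
    enabled = fw.find("enabled")
    if enabled is None:
        enabled = ET.SubElement(fw, "enabled")
    enabled.text = "true"
    action = fw.find("defaultPolicy/action")
    if action is None:
        action = ET.SubElement(ET.SubElement(fw, "defaultPolicy"), "action")
    action.text = "accept"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = check_edge(EDGE_CONFIG_FIREWALL_DISABLED)
    for finding in before["findings"]:
        print(f"[{before['edge_id']}] {finding}")
    after = check_edge(remediate(EDGE_CONFIG_FIREWALL_DISABLED))
    print(f"after remediation: firewall_enabled={after['firewall_enabled']}, "
          f"findings={after['findings']}")
```

Run against a real Edge only after adjusting the XPath expressions to the actual configuration schema; the check itself (NAT rules present, NAT enabled, firewall disabled) is the condition this article describes.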

For steps on enabling the Edge Gateway Firewall, refer to the Working with Edge Firewall section in the NSX for vSphere Administration Guide.