NSX SNAT does Port Address Translation in a 1:1 NAT relationship

Article ID: 373284


Products

VMware NSX
VMware NSX-T Data Center

Issue/Introduction

When an SNAT (Source Network Address Translation) rule is configured with a 1:1 relationship (a single Source IP mapped to a single Translated IP), it is observed that the source port is translated in addition to the Source IP.


Log in to the NSX GUI as user admin and navigate to Networking --> Network Services --> NAT.
As shown below, the NAT rule is configured with Action set to SNAT.



Log in to the NSX Edge node as user admin and follow the steps below:
1. Verify the T1/T0 gateway on which the NAT rule is applied.
2. Check which Edge node is Active for the corresponding T0/T1 gateway.
3. Run the command get logical-router.
4. Verify the SR component of the T1/T0 gateway in the output.
5. Run the command vrf <vrf-id>, where <vrf-id> is the VRF ID of the SR component of the T1/T0 gateway.
6. Run the command get firewall connection state.

The screenshot below shows that, along with the Source IP address, the source port is also translated.

Environment

VMware NSX
VMware NSX-T Data Center

Cause

This behavior is by design. The NSX Administration Guide states that PAT is triggered when the "Translated IP is less than the match IP"; a standard SNAT rule configured with a single translated IP address therefore effectively functions as PAT.

Consequently, the NSX Edge translates the source port to keep each connection unique and valid, even in a 1:1 configuration.

Resolution

To translate only the IP address and leave the original source port unchanged (no port translation), change the NAT rule type.

Log in to the NSX Manager UI as user admin and navigate to Networking --> Network Services --> NAT.
Select the corresponding NAT rule and, instead of standard SNAT, configure Reflexive NAT.

  • Action: Change the NAT rule type to Reflexive NAT.
  • Result: This configuration ensures that the source port remains unchanged during the translation process, achieving a true 1:1 IP translation without PAT.

Then log in to the corresponding Edge node, check the output of the command get firewall connection state, and verify that ports are no longer translated.
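As an added example (not from this article or from VMware/Broadcom), the same check applied to NAT rules in the form the NSX Policy API returns them: it flags SNAT rules that will still translate source ports despite a 1:1 mapping, and builds the Reflexive NAT body that keeps the source port. The API path in the comment and the accepted forms of the network fields are assumptions; the rule data is constructed.

```python
import ipaddress

# Constructed sample rules (not from the article), shaped like the PolicyNatRule
# objects that GET /policy/api/v1/infra/tier-1s/<t1-id>/nat/USER/nat-rules returns.
SAMPLE_RULES = [
    {"id": "snat-app01", "action": "SNAT",
     "source_network": "192.168.10.10", "translated_network": "203.0.113.10"},
    {"id": "snat-subnet", "action": "SNAT",
     "source_network": "192.168.20.0/24", "translated_network": "203.0.113.20"},
    {"id": "refl-db01", "action": "REFLEXIVE",
     "source_network": "192.168.10.11", "translated_network": "203.0.113.11"},
]

def addr_count(network):
    """Count addresses in an NSX network field: single IP, CIDR, 'a-b' range,
    or a comma-separated list of those (assumed accepted forms)."""
    total = 0
    for item in (s.strip() for s in network.split(",")):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            total += int(hi) - int(lo) + 1
        else:
            total += ipaddress.ip_network(item, strict=False).num_addresses
    return total

def will_pat(rule):
    """True if the Edge will also rewrite the source port: the admin guide
    triggers PAT when translated < matched addresses, and the article shows
    a standard SNAT rule with a single translated IP does PAT even at 1:1."""
    if rule.get("action") != "SNAT":
        return False
    src, dst = addr_count(rule["source_network"]), addr_count(rule["translated_network"])
    return dst < src or dst == 1

def audit(rules):
    """IDs of rules that look like 1:1 translations but will still do PAT."""
    return [r["id"] for r in rules
            if will_pat(r)
            and addr_count(r["source_network"]) == addr_count(r["translated_network"])]

def to_reflexive(rule):
    """PATCH body turning a 1:1 SNAT rule into Reflexive NAT (the article's fix),
    so only the IP is translated and the source port is kept."""
    if addr_count(rule["source_network"]) != addr_count(rule["translated_network"]):
        raise ValueError("Reflexive NAT needs equally sized source and translated networks")
    return {**rule, "action": "REFLEXIVE"}

if __name__ == "__main__":
    for rule_id in audit(SAMPLE_RULES):
        print(f"{rule_id}: SNAT will translate source ports; convert to Reflexive NAT")
```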

Additional Information

For more information, refer to the URL --> https://techdocs.broadcom.com/us/en/vmware-cis/nsx/nsxt-dc/3-1/administration-guide/network-address-translation/configure-an-nsx-nat.html