NAT not working on NSX Tier0 router with or without IPSec VPN involved

Article ID: 400763

Products

VMware NSX

Issue/Introduction

  • Tier0 configured in active/standby
  • NAT is configured on active Tier0
  • Packet capture shows that NAT is not applied to incoming TCP traffic, while the same rule is applied to ICMP packets

In IPSec VPN data path:

  • Packet is decrypted over Route-based VPN (RBVPN) session
  • DNAT is applied
  • Same packet needs to be egressed out of the edge
  • A SNAT rule is configured for the same packet
  • SNAT is not happening

Environment

VMware NSX 3.2.3 and older

Cause

  • This configuration requires the packet to be inspected twice (a "double flow") inside the edge: once when it enters and once when it leaves on the uplink.
  • On the outbound path the packet is processed and sent out of the uplink with the correctly translated IP.
  • When the return traffic arrives on the uplink, only the inbound packet is matched. That lookup does not find the NAT state created on the way out, so the packet is not translated.

For VPN:

  • VTI is not treated as an Uplink. This causes the firewall lookup to be skipped, which in turn prevents the desired communication.

Resolution

Workaround (not persistent through edge VM reboots; run on the NSX edge node CLI, where <Uplink-UUID> is the UUID of the Tier0 uplink port):

nsx-edge> set firewall <Uplink-UUID> param one_state_opt value 0

Resolution 1 (persistent through edge reboots; creates a new profile):

The API calls below change the one_state_opt parameter on the edge. Verify on the edge node CLI, where <Uplink-UUID> is the UUID of the Tier0 uplink port:

// Before running the API calls
nsx-edge> get firewall <Uplink-UUID> param one_state_opt
one_state_opt       : 1

// After running the API calls
nsx-edge> get firewall <Uplink-UUID> param one_state_opt
one_state_opt       : 0

Following are the details:
----------------------------

1. Configure GeneralSecuritySettingsProfile

1.1 Create profile.json that looks like:

{
    "enable_double_flow" : true,
    "resource_type" : "GeneralSecuritySettingsProfile",
    "display_name" : "nat-security-profile"
}

1.2 Run following API to create the profile object:

curl -k -H 'Content-Type:application/json' -u 'admin' -X POST https://<nsx-mgr-IP>/api/v1/firewall/profiles -d "`cat profile.json`"

To view:
curl -k -H 'Content-Type:application/json' -u 'admin' https://<nsx-mgr-IP>/api/v1/firewall/profiles?resource_type=GeneralSecuritySettingsProfile

2. Configure ServiceConfig:

2.1 Create service_config_highline.json that looks like:

Note: The profile target_id is the "id" of the GeneralSecuritySettingsProfile returned by the view command in step 1.2. Each LogicalRouter target_id is the UUID of the Tier0 logical router that owns the uplink port on which you would otherwise run the firewall param NSX CLI command. Two logical routers are listed in this example; one or more can be specified.

{
    "display_name": "testServiceConfig",
    "profiles": [
        {
            "profile_type":"GeneralSecuritySettingsProfile",
            "target_id":"########-####-####-####-############"
        }
    ],
    "precedence": 10,
    "applied_to": [
        {
            "target_type": "LogicalRouter",
            "target_id": "########-####-####-####-############"
        },
        {
            "target_type": "LogicalRouter",
            "target_id": "########-####-####-####-############"
        }
    ]
}

2.2 Configure service-config's object:

curl -k -H 'Content-Type:application/json' -u 'admin' -X POST https://<nsx-mgr-IP>/api/v1/service-configs -d "`cat service_config_highline.json`"

To review:
curl -k -H 'Content-Type:application/json' -u 'admin' https://<nsx-mgr-IP>/api/v1/service-configs


Resolution 2 (persistent through edge reboots; updates the existing profile binding to add further logical routers):

1. Pull existing service-config:

curl -k -H 'Content-Type:application/json' -u 'admin' https://<nsx-mgr-IP>/api/v1/service-configs

2. Create JSON file with output of existing service-config:

curl -k -H 'Content-Type:application/json' -u 'admin' "https://<nsx-mgr-IP>/api/v1/service-configs/<UUID-of-existing-service-config>" > existing_service_config.json

3. Edit 'existing_service_config.json' with the editor of your choice (vi, vim, nano, etc.) to add the additional logical routers to "applied_to", then save the change. In the example below the added part is the second "applied_to" entry (the one for the new logical router); everything else, including the read-only fields such as "id" and "_revision", is left exactly as returned, because the PUT in step 4 is rejected if "_revision" does not match the current object:

{
  "profiles" : [ {
    "profile_type" : "GeneralSecuritySettingsProfile",
    "target_id" : "########<UUID-of-GeneralSecuritySettingsProfile>############",
    "target_display_name" : "nat-security-profile",
    "target_type" : "UpmProfile",
    "is_valid" : true
  } ],
  "precedence" : 10,
  "applied_to" : [ {
    "target_id" : "########<UUID-of-existing-LR>############",
    "target_display_name" : "Tier0-existing",
    "target_type" : "LogicalRouter",
    "is_valid" : true
  }, {
    "target_id" : "########<UUID-of-new-LR>############",
    "target_type" : "LogicalRouter"
  } ],
  "resource_type" : "ServiceConfig",
  "id" : "########<UUID-of-existing-service-config>############",
  "display_name" : "testServiceConfig",
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_create_time" : 1749165765861,
  "_create_user" : "admin",
  "_last_modified_time" : 1749166132018,
  "_last_modified_user" : "admin",
  "_revision" : 2
}

4. Update existing service-config with the updated JSON file (existing_service_config.json):

curl -k -H 'Content-Type:application/json' -u 'admin' -X PUT https://<nsx-mgr-IP>/api/v1/service-configs/########<UUID-of-existing-service-config>############ -d "`cat existing_service_config.json`"

5. Verify service-config was updated properly:

curl -k -H 'Content-Type:application/json' -u 'admin' "https://<nsx-mgr-IP>/api/v1/service-configs/<UUID-of-existing-service-config>"

On each affected edge node, confirm the parameter changed for the uplink port of the newly added logical router:

// Before running the API calls
nsx-edge> get firewall <Uplink-UUID> param one_state_opt
one_state_opt       : 1

// After running the API calls
nsx-edge> get firewall <Uplink-UUID> param one_state_opt
one_state_opt       : 0
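The following script is an added example, not part of this article or of VMware's code. It builds the request bodies used in Resolution 1 (profile and service-config) and performs the Resolution 2 edit programmatically instead of by hand, so that re-running it with a router that is already bound does not produce a duplicate "applied_to" entry and the "_revision" returned by the GET is carried into the PUT. It uses only the API paths shown above; the NSX_MGR, NSX_USER and NSX_PASS environment variable names, the helper function names and the sample UUIDs are assumptions made for illustration.

```python
"""Create the double-flow profile/service-config and add routers to an existing one.

Added example for this article; assumes the /api/v1/firewall/profiles and
/api/v1/service-configs endpoints shown above and HTTP basic auth as 'admin'.
Environment variable names, function names and sample UUIDs are illustrative.
"""
import base64
import json
import os
import ssl
import urllib.request

NSX_MGR = os.environ.get("NSX_MGR", "nsx-mgr.example.invalid")  # assumed variable name
NSX_USER = os.environ.get("NSX_USER", "admin")
NSX_PASS = os.environ.get("NSX_PASS", "")


def profile_body(display_name="nat-security-profile"):
    """Step 1.1: GeneralSecuritySettingsProfile with double flow enabled."""
    return {
        "resource_type": "GeneralSecuritySettingsProfile",
        "display_name": display_name,
        "enable_double_flow": True,
    }


def service_config_body(profile_id, router_ids, display_name="testServiceConfig", precedence=10):
    """Step 2.1: bind the profile to one or more Tier0 logical routers."""
    if not router_ids:
        raise ValueError("at least one LogicalRouter UUID is required")
    return {
        "display_name": display_name,
        "precedence": precedence,
        "profiles": [{"profile_type": "GeneralSecuritySettingsProfile", "target_id": profile_id}],
        "applied_to": [{"target_type": "LogicalRouter", "target_id": rid} for rid in router_ids],
    }


def add_routers(existing, new_router_ids):
    """Resolution 2 step 3: append LogicalRouter targets to a service-config from GET.

    Routers already present are skipped, so a repeated run is idempotent, and
    the object's id and _revision are kept because NSX rejects a stale PUT.
    """
    updated = json.loads(json.dumps(existing))  # deep copy, caller's dict is untouched
    targets = updated.setdefault("applied_to", [])
    present = {t["target_id"] for t in targets if t.get("target_type") == "LogicalRouter"}
    for rid in new_router_ids:
        if rid not in present:
            targets.append({"target_type": "LogicalRouter", "target_id": rid})
            present.add(rid)
    return updated


def nsx_request(method, path, body=None, verify_tls=True):
    """urllib equivalent of the article's curl calls (curl -k == verify_tls=False)."""
    token = base64.b64encode(f"{NSX_USER}:{NSX_PASS}".encode()).decode()
    req = urllib.request.Request(
        f"https://{NSX_MGR}{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Constructed sample UUIDs; replace with the ids returned by the view calls above.
    PROFILE_ID = "11111111-1111-1111-1111-111111111111"
    T0_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    T0_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
    print(json.dumps(service_config_body(PROFILE_ID, [T0_A]), indent=2))
    # Live sequence against a reachable NSX Manager (Resolution 1, then Resolution 2):
    # prof = nsx_request("POST", "/api/v1/firewall/profiles", profile_body())
    # sc = nsx_request("POST", "/api/v1/service-configs", service_config_body(prof["id"], [T0_A]))
    # current = nsx_request("GET", f"/api/v1/service-configs/{sc['id']}")
    # nsx_request("PUT", f"/api/v1/service-configs/{sc['id']}", add_routers(current, [T0_B]))
```

After the PUT, repeat the get firewall <Uplink-UUID> param one_state_opt check on the edge nodes for the newly bound router; the API call succeeding is not by itself proof that the edge picked up the change.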

Additional Information

The issue is fixed in the following NSX releases:

  • NSX-T 3.2.4
  • NSX 4.1.1 and newer