VMware NSX
This behavior is caused by the Firewall Match setting in the NAT rule options, combined with how the rule's ports are defined.
DNAT with "Any" Ports: If a DNAT rule specifies IP addresses but no ports (i.e., "Any"), the rule matches all traffic destined for that IP, regardless of the destination port.
Firewall Match Context (Pre-NAT vs. Post-NAT):
Match Internal Address: The firewall applies rules after the NAT translation occurs (Post-NAT).
Match External Address: The firewall applies rules before the NAT translation occurs (Pre-NAT).
If the rule is set to Match External Address (the default behavior in some versions) without strict port restrictions, the firewall evaluates the packet against its original destination port (53389) before translation.
Consequently, if the firewall allows that traffic, the NAT engine translates it, which can leave the original port reachable unless it is explicitly blocked or redirected.
To resolve this issue and ensure only the specific translated port is allowed, you must adjust the Firewall Match settings in the NAT rule configuration.
Method 1: For Specific Port Translation (Recommended)
If you are translating a specific port (e.g., External 53389 > Internal 3389):
Edit the specific DNAT rule on the T1 Gateway.
Ensure the Translated Port is set correctly.
Change the Firewall Match setting to Match Internal Address.
Note: This ensures the firewall evaluates the packet after it has been translated to the internal IP and port.
Ensure your Gateway or Distributed Firewall rule allows traffic to the Internal IP on the Internal Port (3389).
Method 2: For DNAT "All" (No Ports Specified)
If you intend to DNAT all traffic for an IP without changing ports:
Edit the DNAT rule.
Change the Firewall Match setting to Match External Address.
Ensure your Firewall rule allows traffic to the External IP.
Firewall Configuration Note:
If the default Gateway Firewall rule is set to Drop:
You must create a specific Allow rule.
If using Match External Address: Create a rule allowing the Public IP (External) on port 53389 (Before NAT).
If using Match Internal Address: Create a rule allowing the Private IP (Internal) on port 3389 (After NAT).
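As an added illustration (not code from the original article or from VMware), the following Python model replays Method 1, Method 2 and the Firewall Configuration Note: it applies one DNAT rule and an allow-list gateway firewall in the order the Firewall Match setting dictates, and the MISMATCH case shows a Match Internal Address rule paired with an allow rule that still names the public IP. The addresses 203.0.113.10 and 10.0.0.5 are constructed; the ports 53389 and 3389 are the page's own.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values: a public IP, a private RDP host, and the page's ports.
EXTERNAL_IP, INTERNAL_IP = "203.0.113.10", "10.0.0.5"
Packet = namedtuple("Packet", "dst_ip dst_port")
FwRule = namedtuple("FwRule", "dst_ip dst_port")   # dst_port None = any; every rule is an Allow

@dataclass
class DnatRule:
    external_port: Optional[int] = None     # None = "Any" port matches
    translated_port: Optional[int] = None   # None = keep the original port
    firewall_match: str = "MATCH_EXTERNAL_ADDRESS"

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == EXTERNAL_IP and self.external_port in (None, pkt.dst_port)

    def translate(self, pkt: Packet) -> Packet:
        port = pkt.dst_port if self.translated_port is None else self.translated_port
        return Packet(INTERNAL_IP, port)

def gateway_firewall(allow: List[FwRule], pkt: Packet) -> str:
    """Allow-list lookup; anything unmatched hits the default rule, modelled as Drop."""
    for r in allow:
        if r.dst_ip == pkt.dst_ip and r.dst_port in (None, pkt.dst_port):
            return "ALLOW"
    return "DROP"

def process(pkt: Packet, nat: DnatRule, allow: List[FwRule]) -> Tuple[str, Optional[Packet]]:
    """Return (firewall verdict, packet delivered to the workload or None)."""
    if not nat.matches(pkt):
        return gateway_firewall(allow, pkt), None    # no DNAT: nothing is forwarded inside
    if nat.firewall_match == "MATCH_EXTERNAL_ADDRESS":
        verdict = gateway_firewall(allow, pkt)         # evaluated pre-NAT, on the public IP
        out = nat.translate(pkt)
    else:  # MATCH_INTERNAL_ADDRESS
        out = nat.translate(pkt)
        verdict = gateway_firewall(allow, out)         # evaluated post-NAT, on the private IP
    return verdict, (out if verdict == "ALLOW" else None)

# Method 1: 53389 -> 3389, Match Internal, allow rule names the private IP on 3389.
METHOD1 = (DnatRule(53389, 3389, "MATCH_INTERNAL_ADDRESS"), [FwRule(INTERNAL_IP, 3389)])
# Method 2: DNAT "Any", Match External, allow rule names the public IP on 53389 only.
METHOD2 = (DnatRule(None, None, "MATCH_EXTERNAL_ADDRESS"), [FwRule(EXTERNAL_IP, 53389)])
# Mismatch: Match Internal, but the allow rule still names the public (pre-NAT) IP.
MISMATCH = (DnatRule(None, None, "MATCH_INTERNAL_ADDRESS"), [FwRule(EXTERNAL_IP, 53389)])

def run(case: Tuple[DnatRule, List[FwRule]], port: int) -> Tuple[str, Optional[Packet]]:
    return process(Packet(EXTERNAL_IP, port), *case)
```

In both correct configurations a probe to an unrelated port (22) is dropped, while the MISMATCH case drops even the intended RDP traffic because the allow rule never sees the translated private address.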