How to configure Reflexive NAT in NSX to achieve No-PAT (source port will not be translated).
Article ID: 425199

Products

VMware NSX

Issue/Introduction

  • The purpose of this article is to provide guidance on configuring 'Reflexive' NAT rules for scenarios that require IP address translation while preserving the original source port (port preservation).

  • If the NAT action selected is SNAT, the rule works as PAT (the source port is translated). This behavior is by design in NSX.

Environment

VMware NSX
VMware NSX-T Data Center

Resolution

Log in to the NSX Manager UI as the admin user and navigate to Networking --> Network Services --> NAT.
Select the corresponding NAT rule. Instead of using a standard SNAT rule, configure a Reflexive NAT rule.

  • Action: Change the NAT rule type to Reflexive NAT.
  • Result: This configuration ensures that the source port remains unchanged during the translation process, achieving a true 1:1 IP translation without PAT.
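The same rule can be created through the NSX Policy API instead of the UI. As an added example that is not part of this KB article, the following Python builds the request body for a Reflexive NAT rule and checks that the source and translated ranges contain the same number of addresses, which is what a port-preserving 1:1 translation requires (a larger source range than translated range can only be satisfied with PAT). The API path and the field names (`action`, `source_network`, `translated_network`, `firewall_match`) follow the NSX-T Policy API; the manager hostname, Tier-1 ID, rule name and IP addresses are placeholders chosen for this example.

```python
import ipaddress
import json


def reflexive_nat_rule_body(source_network, translated_network, rule_name="reflexive-no-pat"):
    """Build the NSX Policy API body for a Reflexive NAT rule.

    Reflexive NAT is a stateless 1:1 mapping, so the source and translated
    ranges must be the same size (one address maps to exactly one address).
    """
    src = ipaddress.ip_network(source_network, strict=True)
    xlt = ipaddress.ip_network(translated_network, strict=True)
    if src.version != xlt.version:
        raise ValueError("source and translated networks must be the same IP version")
    if src.num_addresses != xlt.num_addresses:
        raise ValueError(
            f"reflexive NAT needs equal-sized ranges: {src} has {src.num_addresses} "
            f"addresses, {xlt} has {xlt.num_addresses}"
        )
    return {
        "display_name": rule_name,
        "action": "REFLEXIVE",          # SNAT here would translate the source port (PAT)
        "source_network": str(src),
        "translated_network": str(xlt),
        "enabled": True,
        "logging": False,
        # Assumption for this example: match the rule on the internal (pre-NAT) address
        "firewall_match": "MATCH_INTERNAL_ADDRESS",
    }


def policy_nat_rule_url(manager, tier1_id, rule_id, nat_id="USER"):
    """Policy API URL for a user NAT rule on a Tier-1 gateway (PUT creates or updates)."""
    return (
        f"https://{manager}/policy/api/v1/infra/tier-1s/{tier1_id}"
        f"/nat/{nat_id}/nat-rules/{rule_id}"
    )


if __name__ == "__main__":
    # Placeholder values: nsx-manager.example.internal, tier-1 "t1-gw", 203.0.113.10 (TEST-NET-3)
    body = reflexive_nat_rule_body("10.1.1.10/32", "203.0.113.10/32")
    print("PUT", policy_nat_rule_url("nsx-manager.example.internal", "t1-gw", "reflexive-no-pat"))
    print(json.dumps(body, indent=2))
```

Send the printed body with an HTTP PUT (for example with curl and the manager's admin credentials) and the rule appears in the UI exactly as if it had been created there; the equal-size check above fails early for a mistake such as mapping a /24 onto a single address, which the UI would also reject.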

Log in to the corresponding Edge node and check the output of the commands below.

A Reflexive NAT rule automatically configures both an SNAT and a DNAT rule with the same Rule ID, so both directions of the 1:1 mapping should appear in the ruleset, and the connection state entries for the NAT IP should show the original source port unchanged.

edge> get firewall <LR_INT_UUID> ruleset rules
edge> get firewall <LR_INT_UUID> connection state | find <NAT_IP>

Additional Information

For more information, please refer to Configure NAT/DNAT/No SNAT/No DNAT/Reflexive NAT.