SNAT rules not being hit on NSX Tier-1 Gateway

Article ID: 436852

Products

VMware NSX

Issue/Introduction

  • SNAT rules are configured on a Tier-1 Gateway, but traffic leaving the NSX environment is seen on the physical firewall with the original source IP address.
  • No NAT translation is occurring for traffic originating from subnets behind the Tier-1 Gateway.
  • NSX Traceflow shows that the traffic is not traversing the Tier-1 Gateway on which the SNAT rule is configured. To test the SNAT rule with Traceflow, go to: Plan & Troubleshoot > Traffic Analysis > Traceflow.
    • Click Get Started.
    • For Source, select the source VM from the dropdown list on the left-hand side.
    • For Destination, select IP - MAC on the right-hand side, click Layer 3 and enter the destination IP address as defined on the SNAT rule.
    • Click TRACE.
    • View the result. If the rule is applied, you should see an entry with NAT; in the affected scenario no such entry appears.
  • This can also be confirmed in the active Edge's log /var/log/firewallpkt.log, if logging is enabled on the SNAT rule, which records the NAT occurring.

Environment

VMware NSX

Cause

The Traceflow showed the traffic flowing through a different Tier-1 Gateway than the one on which the SNAT rule is configured. NAT rules are evaluated only on the gateway the traffic actually traverses, so if that Tier-1 Gateway has no matching SNAT rule, no SNAT of the traffic occurs and the upstream firewall sees the original source IP address.

Resolution

Review the VMware NSX Administration Guide for details on NAT rule configuration steps: Configure an NSX NAT/DNAT/No SNAT/No DNAT/Reflexive NAT

Ensure the source traffic goes through the Tier-1 Gateway that has the SNAT rule you want it to match (the segment the source VM is attached to determines which Tier-1 Gateway it egresses through). Alternatively, configure a matching SNAT rule on the Tier-1 Gateway the traffic actually traverses, and re-run Traceflow to confirm the NAT entry appears.
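The following script is an added example and is not part of this article or of NSX itself. It models the cause and resolution above: given the segments and their Tier-1 connectivity, plus the SNAT rules per Tier-1, it determines which Tier-1 Gateway a source IP egresses through and whether that gateway (not some other one) holds a matching SNAT rule. The data structures follow the field names returned by the NSX Policy API (GET /policy/api/v1/infra/segments and GET /policy/api/v1/infra/tier-1s/<id>/nat/USER/nat-rules), but the gateway IDs, segment names, subnets and addresses are constructed for illustration, and the script assumes each segment is attached to exactly one Tier-1 Gateway.

```python
import ipaddress

# Constructed sample data in the shape returned by the NSX Policy API.
# Field names match the API; IDs, subnets and addresses are made up.
SEGMENTS = [
    {"id": "web-seg", "connectivity_path": "/infra/tier-1s/t1-prod",
     "subnets": [{"gateway_address": "10.10.1.1/24", "network": "10.10.1.0/24"}]},
    {"id": "app-seg", "connectivity_path": "/infra/tier-1s/t1-lab",
     "subnets": [{"gateway_address": "10.20.1.1/24", "network": "10.20.1.0/24"}]},
]

# NAT rules keyed by Tier-1 ID. t1-lab has no SNAT rule, so traffic from
# app-seg leaves with its original source IP, which is the symptom in the article.
NAT_RULES = {
    "t1-prod": [
        {"id": "snat-web", "action": "SNAT", "enabled": True, "sequence_number": 0,
         "source_network": "10.10.1.0/24", "destination_network": None,
         "translated_network": "192.0.2.10"},
    ],
    "t1-lab": [],
}


def tier1_for_source(src_ip, segments):
    """Return the Tier-1 ID of the connected segment containing src_ip (longest prefix wins)."""
    ip = ipaddress.ip_address(src_ip)
    best_net, best_t1 = None, None
    for seg in segments:
        t1 = seg["connectivity_path"].rsplit("/", 1)[-1]
        for sub in seg["subnets"]:
            net = ipaddress.ip_network(sub["network"], strict=False)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_t1 = net, t1
    return best_t1


def _field_matches(field, ip):
    """Empty source/destination network means 'any'; otherwise a comma-separated list of IPs/CIDRs."""
    if not field:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False) for n in field.split(","))


def matching_snat(tier1_id, src_ip, dst_ip, nat_rules):
    """First enabled SNAT rule on tier1_id (by sequence_number) matching the flow, or None."""
    rules = sorted(nat_rules.get(tier1_id, []), key=lambda r: r.get("sequence_number", 0))
    for rule in rules:
        if rule["action"] != "SNAT" or not rule.get("enabled", True):
            continue
        if _field_matches(rule.get("source_network"), src_ip) and \
           _field_matches(rule.get("destination_network"), dst_ip):
            return rule
    return None


def expected_source(src_ip, dst_ip, segments=SEGMENTS, nat_rules=NAT_RULES):
    """Predict which Tier-1 the flow traverses and what source IP the upstream firewall sees."""
    t1 = tier1_for_source(src_ip, segments)
    if t1 is None:
        return {"tier1": None, "rule": None, "source_seen_upstream": src_ip}
    rule = matching_snat(t1, src_ip, dst_ip, nat_rules)
    return {
        "tier1": t1,
        "rule": rule["id"] if rule else None,
        "source_seen_upstream": rule["translated_network"] if rule else src_ip,
    }


if __name__ == "__main__":
    for src in ("10.10.1.25", "10.20.1.40"):
        print(src, "->", expected_source(src, "203.0.113.7"))
```

If the result shows the expected Tier-1 but no rule, the rule itself does not match (check source/destination networks and whether it is enabled); if it shows a different Tier-1 than the one holding the rule, that is the situation described in this article, and the fix is to move the source segment or add the rule on the Tier-1 actually traversed. The same logic can be run against live data by replacing the constructed lists with the JSON returned by the API paths named above.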

Additional Information

Troubleshooting NSX Edge NAT/NAT64