In VMware NSX, a Destination NAT (DNAT) rule is configured on a Tier-0 or Tier-1 gateway where the destination IP address and the translated IP address are identical, while only the destination port is translated (as shown below). Traffic matching this rule fails to reach the intended destination server and is dropped or misrouted at the Edge node.
VMware NSX
This is not a supported scenario. The destination IP address used in the NAT rule is typically assigned to a loopback interface or exists as a local route on the Edge node, depending on where (T0/T1) the NAT is applied. When the translated IP address is set to be the same as the original destination IP, the NSX Edge node treats the translated traffic as destined for itself rather than routing it out towards the actual backend server.
To ensure proper routing of translated traffic, the DNAT configuration must use a unique IP address for the translation that is distinct from the original destination IP address:
Log into the NSX Manager UI.
Navigate to Networking > NAT.
Select the appropriate Tier-0 or Tier-1 Gateway.
Locate the problematic DNAT rule and select Edit.
Change the Translated IP field to the actual internal IP address of the destination server.
Ensure the Destination IP (External/Public IP) and Translated IP (Internal Server IP) are different.
Configure the Translated Port as required for the application.
Click Save.
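To find other rules with the same unsupported pattern before they cause drops, the following added example (not part of the original article or any VMware tooling) scans a list of NAT rule objects for DNAT rules whose translated IP equals the destination IP. The field names are assumed to follow the NSX Policy API NAT rule schema, and the sample rules are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like a list of NAT rule objects. Field names
# (action, destination_network, translated_network, translated_ports) are
# assumed to follow the NSX Policy API NAT rule schema.
SAMPLE_RULES = [
    {"display_name": "web-port-only", "action": "DNAT", "enabled": True,
     "destination_network": "203.0.113.10", "translated_network": "203.0.113.10/32",
     "translated_ports": "8443"},
    {"display_name": "web-ok", "action": "DNAT", "enabled": True,
     "destination_network": "203.0.113.20", "translated_network": "10.10.20.5",
     "translated_ports": "8443"},
    {"display_name": "outbound", "action": "SNAT", "enabled": True,
     "source_network": "10.10.20.0/24", "translated_network": "203.0.113.30"},
    {"display_name": "disabled-same-ip", "action": "DNAT", "enabled": False,
     "destination_network": "203.0.113.40/32", "translated_network": "203.0.113.40",
     "translated_ports": "2222"},
]

def _net(value):
    """Parse '203.0.113.10' or '203.0.113.10/32' into a network, else None."""
    try:
        return ipaddress.ip_network(value.strip(), strict=False)
    except (ValueError, AttributeError):
        return None

def find_same_ip_dnat(rules):
    """Return (name, destination, enabled) for DNAT rules whose translated IP
    is the same as the destination IP, i.e. only the port is translated."""
    findings = []
    for rule in rules:
        if rule.get("action") != "DNAT":
            continue
        dst = _net(rule.get("destination_network"))
        xlat = _net(rule.get("translated_network"))
        if dst is None or xlat is None:
            continue  # ranges or missing fields are out of scope for this check
        if dst == xlat:
            findings.append((rule.get("display_name", "<unnamed>"),
                             str(dst), rule.get("enabled", True)))
    return findings

if __name__ == "__main__":
    for name, dst, enabled in find_same_ip_dnat(SAMPLE_RULES):
        state = "enabled" if enabled else "disabled"
        print(f"{name}: translated IP equals destination {dst} ({state})")
```

Disabled rules are reported as well, so they can be corrected before someone re-enables them.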