Network Address Translation (NAT)
VMware Aria Operations for Networks supports Static NAT (SNAT), Dynamic NAT (DNAT), reflexive rules in the flows, and the VM-VM Path for NSX-V, NSX-T Edges, Fortinet, and Check Point.
The NAT flow support in VMware Aria Operations for Networks is as follows:
- VMware Aria Operations for Networks supports the nested NAT hierarchy for NSX for vSphere and NSX-T. For physical devices, VMware Aria Operations for Networks supports the single hierarchy (DNAT) for Fortinet only.
- VMware Aria Operations for Networks supports the edges and the tier routers with NAT-defined uplinks. The NAT rules on the NSX Edge version 5.5 or the previous versions are not supported.
- VMware Aria Operations for Networks supports SNAT rules with range. However, DNAT must be a one-to-one mapping between the destination and translated IP addresses (parity with NSX for vSphere).
- For Check Point, both automatically and manually generated NAT rules are supported, with the source and the destination each given as a network, network-group, or address-range.
Queries
To view NAT rules, use the following queries:
- To view all the NAT rules in NSX-T, use the NSX-T Edge NAT Rule query.
- To view all the NAT rules in NSX-V, use the Edge NAT Rules query.
- To view all the NAT rules in Fortinet, use the Fortinet NAT Rule query.
- To view all the NAT rules in Check Point, use the Check Point NAT Rule query.
- To view all the NAT rules, use the NAT Rule query.
Consideration
- VMware Aria Operations for Networks does not support the following use cases:
  - In NSX-T, NAT rules can be applied at the service level. For example, in NSX-T, L4 ports set is a type of service and the associated protocols can be TCP or UDP. So in the VM-VM path, the service level details are not supported.
  - Any port level translation is not supported.
  - The SNAT match destination address and the DNAT match source address are not supported. Use the SNAT match destination address as the destination IP address when you specify the SNAT rule. Use the DNAT match source address as the source IP address when you specify the DNAT rule. For example, if there is a destination IP address mentioned in the SNAT rule, VMware Aria Operations for Networks applies the SNAT rule irrespective of whether the packet has the destination address as the destination IP address.
- NSX-T Edge firewall has implications for the data path when enabled with the NAT service on the same logical router. If a flow matches both NAT and Edge firewall, the NAT lookup result takes precedence over the firewall, so the firewall is not applied to that flow. If the flow matches only a firewall rule, then the firewall lookup result is honored for that flow.
- Service translation is not supported.
- vSEC NAT is not supported.
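The support limits listed above can be checked against an exported rule set before relying on a computed VM-VM path. The following is an added example, not VMware code: the rule field names (match_src, match_dst, translated, translated_port, service) and the sample rules are constructed for illustration and are not the NSX API schema, and "one-to-one" is interpreted here as equal address counts on both sides of a DNAT rule.

```python
import ipaddress

# Constructed sample rules; field names are hypothetical, not the NSX API schema.
RULES = [
    {"id": "r1", "type": "SNAT", "match_src": "10.0.0.0/24",
     "translated": "203.0.113.10-203.0.113.20"},          # SNAT with range: supported
    {"id": "r2", "type": "DNAT", "match_dst": "203.0.113.50",
     "translated": "10.0.1.5"},                           # one-to-one DNAT: supported
    {"id": "r3", "type": "DNAT", "match_dst": "203.0.113.0/28",
     "translated": "10.0.1.5"},                           # 16 addresses onto 1
    {"id": "r4", "type": "DNAT", "match_dst": "203.0.113.60",
     "translated": "10.0.1.6", "translated_port": 8443},  # port-level translation
    {"id": "r5", "type": "SNAT", "match_src": "10.0.2.0/24",
     "match_dst": "198.51.100.0/24", "translated": "203.0.113.30"},
]

def addr_count(spec):
    """Count addresses in a single IP, an 'a-b' range, or a CIDR block."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return int(hi) - int(lo) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses

def audit(rule):
    """Return the reasons a rule falls outside the documented NAT support."""
    findings = []
    if rule["type"] == "DNAT":
        if addr_count(rule["match_dst"]) != addr_count(rule["translated"]):
            findings.append("DNAT is not a one-to-one mapping")
        if "match_src" in rule:
            findings.append("DNAT match source address is not evaluated")
    elif rule["type"] == "SNAT" and "match_dst" in rule:
        # The page states the SNAT rule is applied whatever the packet's destination.
        findings.append("SNAT match destination address is not evaluated")
    if "translated_port" in rule or "service" in rule:
        findings.append("port or service translation is not modelled")
    return findings

def audit_all(rules):
    """Map each rule id to its list of findings (empty list = within support)."""
    return {r["id"]: audit(r) for r in rules}

if __name__ == "__main__":
    for rule_id, findings in audit_all(RULES).items():
        print(rule_id, "OK" if not findings else "; ".join(findings))
```

Rules that produce findings are the ones where the displayed path may differ from what the edge actually does, so verify those flows on the device itself.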