VMware Aria Operations for Networks 6.14

6.14 6.13 6.12 6.11 6.10
简体中文 Deutsch Español Français 日本語 한국어 繁體中文 English

Network Address Translation (NAT)

VMware Aria Operations for Networks
 supports Static NAT (SNAT), Dynamic NAT (DNAT), reflexive rules in the flows, and the VM-VM Path for NSX-V, NSX-T Edges, Fortinet, and Check Point.
The NAT flow support in
VMware Aria Operations for Networks
 is as follows:
  • VMware Aria Operations for Networks
     supports the nested NAT hierarchy for NSX for vSphere and NSX-T, and for physical devices,
    VMware Aria Operations for Networks
     supports the single hierarchy (DNAT) for Fortinet only.
  • VMware Aria Operations for Networks
     supports the edges and the tier routers with NAT-defined uplinks.
    The NAT rules on the NSX Edge version 5.5 or the previous versions are not supported.
  • VMware Aria Operations for Networks
     supports SNAT rules with range. However, DNAT must be one-to-one mapping between the destination and translated IP addresses (Parity with NSX for vSphere).
  • For Check Point, NAT rules both auto or manually generated are supported for both the source and the destination as network, network-group, or address-range.

Queries

To view NAT rules, use the following queries:
  • To view all the NAT rules in NSX-T, use the
    NSX-T Edge NAT Rule
     query.
  • To view all the NAT rules NSX-V, use the
    Edge NAT Rules
     query.
  • To view all the NAT rules in Fortinet, use the
    Fortinet NAT Rule
     query.
  • To view all the NAT rules in Check Point, use the
    Check Point NAT Rule
     query.
  • To view all the NAT rules, use the
    NAT Rule
     query.

Consideration

  • VMware Aria Operations for Networks
     does not support the following use cases:
    • In NSX-T, NAT rules can be applied at the service level. For example, in NSX-T, L4 ports set is a type of service and the associated protocols can be TCP or UDP. So in the VM-VM path, the service level details are not supported.
    • Any port level translation is not supported.
    • The SNAT match destination address and the DNAT match source address are not supported. Use the SNAT match destination address as the destination IP address when you specify the SNAT rule. Use the DNAT match source address as the source IP address when you specify the DNAT rule. For example, if there is a destination IP address mentioned in the SNAT rule,
      VMware Aria Operations for Networks
       applies the SNAT rule irrespective of whether the packet has the destination address as the destination IP address.
    • NSX-T Edge firewall has implications for the data path when enabled with the NAT service on the same logical router. If a flow matches both NAT and Edge firewall, the NAT lookup result takes precedence over firewall. So the firewall is not applied to that flow. If the flow matches only a firewall rule, then the firewall lookup result is honored for that flow.
    • Service translation is not supported.
    • vSEC NAT is not supported.

Content feedback and comments