Tuesday, 12 May 2015

NSX Deepdive Part 8 - Configuring and Testing Network Address Translation on an NSX Edge Services Gateway

1. Configure an Additional IP Address on the Uplink Interface of Perimeter Gateway
Before creating destination NAT rules, an unused IP address from a subnet attached to the NSX Edge
services gateway must be added to the interface that faces the incoming traffic to be translated.
Adding the address to the interface lets the Edge answer ARP for it and accept packets destined for
that address on the interface's MAC address. The primary IP address can also be used if port
translation is also specified; for a 1:1 association, however, a new IP address is required.
1. In the left navigation pane, select NSX Edges.
2. In edge list, double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 entry that has an IP address of 192.168.100.3, and
click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the existing 192.168.100.3 IP address and
click the pencil icon to open the Edit Subnet dialog box.
7. In the Edit Subnet dialog box, perform the following actions.
a. Click the green plus sign to create a new IP address entry.
b. Enter 192.168.100.7 in the new IP address text box and click OK to confirm the entry.
c. Click OK to close the Edit Subnet dialog.
8. Click OK to commit the interface changes.
9. In the interfaces list, verify that vNIC# 0 has the following two IP addresses.
• 192.168.100.3* /24
• 192.168.100.7
The asterisk (star) character to the right of the 192.168.100.3 address indicates the primary IP
address assigned to the interface. All other addresses are considered to be secondary.
2. Configure a Destination NAT Rule
A destination NAT rule can be assigned to any interface, but the correct interface on which to assign
destination NAT rules is the one that receives the network traffic to be translated, such as the
Uplink interface. A destination NAT rule rewrites the destination address of incoming packets before
those packets are forwarded or routed to the translated destination. The original (untranslated)
destination address of a destination NAT rule must be allocated from a directly connected subnet, such
as the subnet the Uplink interface is attached to. The translated address can be any IP address that
exists either in a directly connected subnet or in a subnet known to the NSX Edge instance through
routing (static routes and dynamic routing). This lab demonstrates translating packets to
addresses that require further routing.
1. Under the Manage tab, click NAT.
2. Above the NAT rules list, click the green plus sign and select Add DNAT Rule.

3. In the Add DNAT Rule dialog box, perform the following actions.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter 192.168.100.7 in the Original IP/Range text box.
c. Enter 172.16.10.11 in the Translated IP/Range text box.
This address is the address of the web-sv-01a Web server virtual machine that is attached to
the Web-Tier logical switch network. The Web-Tier network is reachable from the
perimeter gateway through an OSPF-learned route whose next hop is the distributed router
on the transport network.
d. Select the Enabled check box.
e. Leave all other settings at the default value and click OK.

4. Above the NAT rules list, click Publish Changes.
5. Wait for the update to complete and verify that the new destination NAT rule appears in the list
with a Rule Type of USER.

3. Test Connectivity Using the Destination NAT Translation
When a connection is initiated that traverses an NSX Edge NAT rule, a mapping is created that
allows the response traffic to traverse the rule logic in the reverse direction. You can control how the
NAT rules expose servers or services based on the direction of the traffic. If a server or service is
only to be exposed to external access, through a destination NAT address, then no further NAT rules
are required. The NAT mapping ensures that response traffic from the exposed server appears as if
originating from the destination NAT address. A destination NAT rule can also translate port
numbers, allowing you to overload a single IP address to expose multiple services using different
incoming ports.

Run this command on the NSX Edge Services Gateway CLI to begin capturing HTTP traffic on the
uplink interface:

debug packet display interface vNic_0 port_80
1. In the Firefox window, open a new browser tab and go to http://192.168.100.7 to browse the
web-sv-01a Web server using the destination NAT address.
2. After the Web page is displayed, keep the Web server tab open and minimize the Firefox
window.
3. In the PuTTY window, determine packet addressing and verify that the following two IP
addresses are involved in the exchange.
• 192.168.110.10
This address is the IP address of the ControlCenter.
• 192.168.100.7
This address is the destination NAT original address. For packets sent to this address, the
destination was transformed from 192.168.100.7 to 172.16.10.11 before being forwarded by
NSX Edge. For response packets sent from the Web server, the source address was
translated so that the packets appear to originate from the destination NAT address,
maintaining the integrity of the client-to-server connection.
4. Press Ctrl+C to stop the packet capture.

4. Configure a Source NAT Rule
A source NAT rule can be assigned to any interface, but the correct interface on which to assign source
NAT rules is the one that connects to the translated network, not the interface that received the
original packet. A source NAT rule translates the source address of a packet received by NSX Edge,
typically on an internal interface, to a specified IP address in some other subnet attached to NSX
Edge, for instance the subnet that the uplink is attached to, which makes the packet appear to
originate from that subnet before routing is applied. The same mappings are created when
source NAT rules are traversed so that response traffic can be received by the originating node. The
translated IP address must be added to the interface attached to the translated subnet so that the
interface can respond to ARP requests for that IP address to receive response traffic. Source NAT
rules can oftentimes be used to shape outbound traffic. By doing so, outbound traffic is sent to an
appropriate next hop or is able to traverse upstream firewall rules that do not block the translated
subnet but may block the original source subnet.
1. Above the NAT rules list, click the green plus sign and select Add SNAT Rule.
2. In the Add SNAT Rule dialog box, perform the following actions.
a. Select Uplink-Interface from the Applied On drop-down menu.
b. Enter 172.16.10.11 in the Original Source IP/Range text box.
This address is the address of the web-sv-01a Web server virtual machine on the Web-Tier
network.
c. Enter 192.168.100.7 in the Translated Source IP/Range text box.
This address is the translated source IP address.
d. Select the Enabled check box.
e. Leave all other fields at the default value and click OK.

3. Above the NAT rules list, click Publish Changes.

5. Test Connectivity Using the Source NAT Translation
Packets sent from the web-sv-01a Web server virtual machine now appear as originating from the
192.168.100.0/24 external subnet.

Run this command on the NSX Edge Services Gateway CLI to begin capturing ICMP packets on the
uplink interface:

debug packet display interface vNic_0 icmp
1. In the Firefox window, select the web-sv-01a console tab.
2. At the web-sv-01a command prompt, run the following command to ping the ControlCenter
system.
ping 192.168.110.10
3. After at least one ICMP request and reply have been reported, press Ctrl+C to stop the ping
command.
4. Press Ctrl+Alt to release the mouse cursor and minimize the Firefox window.
5. In the PuTTY window, determine source and destination addressing, and verify that the
following two IP addresses are involved in the ICMP exchange.
• 192.168.110.10
This address is the IP address of the ControlCenter.
• 192.168.100.7
This address is the translated IP address of the web-sv-01a Web server virtual machine.
6. Press Ctrl+C to stop the packet capture.
7. Restore the Firefox window and click the vSphere Web Client tab.
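The following Python model is an added example, not code from the lab guide or from VMware. It models what sections 2 through 5 describe: a DNAT rule is matched on the interface that receives the packet, a SNAT rule on the interface the packet leaves through, and a per-connection mapping rewrites the response so the client keeps seeing the destination NAT address (the reason no second rule is needed for a server exposed only by DNAT). It also enforces section 1's prerequisite that the public-side address be configured on the interface first. The lab's addresses and the Uplink-Interface name are reused; the interface name Transit-Interface, the TCP client ports, the server 172.16.10.12 and the port-8080 rule are constructed to illustrate port overloading and are not part of the lab.

```python
"""Added example: DNAT/SNAT with return-traffic mappings on an NSX Edge-style gateway.
Lab addresses are reused; Transit-Interface, client ports, 172.16.10.12 and the
port-8080 rule are constructed (not part of the lab guide)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP, which carries no ports
    dport: int = 0


@dataclass
class NatRule:
    kind: str            # "DNAT" rewrites the destination, "SNAT" rewrites the source
    applied_on: str      # interface the rule is bound to ("Applied On" in the UI)
    original_ip: str
    translated_ip: str
    original_port: Optional[int] = None    # DNAT only: match this destination port
    translated_port: Optional[int] = None  # DNAT only: rewrite to this port
    enabled: bool = True


class EdgeNat:
    def __init__(self, interfaces):
        # interfaces: {name: [ips]}; the first address is primary, the rest secondary
        self.interfaces = interfaces
        self.rules = []      # evaluated in order, so port-specific rules go first
        self.mappings = {}   # reply 5-tuple -> Packet as it must be handed back

    def add_rule(self, rule):
        """Refuse a rule whose public-side address is not configured on the interface:
        the Edge would never answer ARP for it, so no traffic could reach the rule."""
        needed = rule.original_ip if rule.kind == "DNAT" else rule.translated_ip
        if needed not in self.interfaces[rule.applied_on]:
            raise ValueError(f"{needed} is not configured on {rule.applied_on}")
        self.rules.append(rule)

    def translate(self, pkt, ingress, egress):
        """Return the packet as forwarded: existing mapping first, then DNAT, then SNAT."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.mappings:
            return self.mappings[key]  # response traffic: reverse the earlier translation
        out = pkt
        for r in self.rules:  # DNAT is matched on the interface that received the packet
            if (r.enabled and r.kind == "DNAT" and r.applied_on == ingress
                    and out.dst == r.original_ip
                    and (r.original_port is None or out.dport == r.original_port)):
                out = Packet(out.proto, out.src, r.translated_ip, out.sport,
                             r.translated_port or out.dport)
                break
        for r in self.rules:  # SNAT is matched on the interface the packet leaves through
            if (r.enabled and r.kind == "SNAT" and r.applied_on == egress
                    and out.src == r.original_ip):
                out = Packet(out.proto, r.translated_ip, out.dst, out.sport, out.dport)
                break
        if out != pkt:
            # The reply arrives with addresses/ports swapped; record how to rewrite it so
            # the client still sees the DNAT address (or the server its real peer).
            reply_key = (out.proto, out.dst, out.dport, out.src, out.sport)
            self.mappings[reply_key] = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return out


def build_lab_edge(include_snat=True):
    """Uplink IPs and NAT rules as in the lab, plus one constructed port-overload rule."""
    edge = EdgeNat({"Uplink-Interface": ["192.168.100.3", "192.168.100.7"],
                    "Transit-Interface": []})  # name constructed; its IPs are not needed
    # Constructed: same public address on port 8080, steered to a second constructed server.
    edge.add_rule(NatRule("DNAT", "Uplink-Interface", "192.168.100.7", "172.16.10.12",
                          original_port=8080, translated_port=80))
    edge.add_rule(NatRule("DNAT", "Uplink-Interface", "192.168.100.7", "172.16.10.11"))
    if include_snat:
        edge.add_rule(NatRule("SNAT", "Uplink-Interface", "172.16.10.11", "192.168.100.7"))
    return edge


def dnat_exchange(edge):
    """Section 3: the ControlCenter browses http://192.168.100.7 (client port constructed)."""
    req = Packet("tcp", "192.168.110.10", "192.168.100.7", 40000, 80)
    fwd = edge.translate(req, ingress="Uplink-Interface", egress="Transit-Interface")
    srv_reply = Packet("tcp", fwd.dst, fwd.src, fwd.dport, fwd.sport)
    rep = edge.translate(srv_reply, ingress="Transit-Interface", egress="Uplink-Interface")
    return {"uplink": [req, rep], "transit": [fwd, srv_reply]}


def snat_exchange(edge):
    """Section 5: web-sv-01a pings the ControlCenter through the SNAT rule."""
    echo = Packet("icmp", "172.16.10.11", "192.168.110.10")
    fwd = edge.translate(echo, ingress="Transit-Interface", egress="Uplink-Interface")
    echo_reply = Packet("icmp", fwd.dst, fwd.src)
    rep = edge.translate(echo_reply, ingress="Uplink-Interface", egress="Transit-Interface")
    return {"uplink": [fwd, echo_reply], "transit": [echo, rep]}


def uplink_addresses(pkts):
    """The addresses a 'debug packet display interface vNic_0' capture would show."""
    return {a for p in pkts for a in (p.src, p.dst)}


def rule_rejected_without_secondary_ip():
    """Section 1's prerequisite: the DNAT address must first be added to the uplink."""
    edge = EdgeNat({"Uplink-Interface": ["192.168.100.3"]})
    try:
        edge.add_rule(NatRule("DNAT", "Uplink-Interface", "192.168.100.7", "172.16.10.11"))
    except ValueError:
        return True
    return False
```

Running dnat_exchange on an edge built with include_snat=False shows the point made in section 3: the server's reply still leaves the uplink sourced from 192.168.100.7 because the mapping, not a SNAT rule, reverses the translation. The capture on vNic_0 in both tests therefore shows only 192.168.110.10 and 192.168.100.7, exactly as the lab asks you to verify.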