Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Configuring SNAT and DNAT for VMware vCloud Hybrid Service through VMware vCloud Director (2051351)

Purpose

This article provides steps to set up Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT) within the Edge Gateway in VMware vCloud Hybrid Service.
 
Note: If SNAT and DNAT are not configured or if they are configured incorrectly, internet connectivity in and out of the vCHS environment cannot function.

Resolution

To navigate to the configuration screen for the vShield Edge Gateway within vCloud Director:
  1. Log in to the vCloud Director interface as an Organization Administrator.
  2. Click Administration in the top menu.
  3. Click Virtual Datacenters in the Administration pane to the left.
  4. Click the Virtual Datacenter name in the pane on the right.
  5. The pane on the right has a row of tabs along the top. Click the Edge Gateways tab.
  6. In the list of Edge Gateways, click one to select it.
  7. Right-click the Edge Gateway and click Edge Gateway Services.
  8. Click the NAT tab.
An SNAT rule controls traffic originating from within vCloud Hybrid Service and bound for the open Internet. It is important to configure at least one SNAT rule if Internet connectivity is required.
 
To configure the SNAT rule:
  1. Click Add SNAT.
  2. Select the external network from the Applied On dropdown menu.

    Note: External networks often have ext in their name. If you are unsure which is the external network, file a Support Request with VMware support and reference this KB. For more information, see Filing a Support Request in My VMware (2006985).

  3. Enter the source IP. The original source IP/range is typically the internal subnet to which the virtual machines are attached. The configuration supports CIDR notation for the entire subnet (for example, 192.168.0.0/24).
  4. Enter the translated IP address. The translated IP address corresponds with one of the public IP addresses assigned to your vCloud Hybrid Service environment.
  5. Select Enabled.
  6. Click OK to save the rule.
Configuring DNAT rules is very similar to SNAT rules. DNAT rules control allowing new traffic into the vCloud Hybrid Service environment from the outside.
 
To configure a DNAT rule:
  1. Click Add DNAT.
  2. Select the external network from the Applied On dropdown menu.
  3. Enter the public IP address in the Original IP/range field. If multiple public IPs are assigned on the edge, choose the one or range the NAT rule should affect.
  4. Choose the appropriate protocol for the use case from the Protocol dropdown.
  5. Use the dropdown or enter a custom port number into the Original Port field.

    Note: The original port is where the traffic was originally destined.

  6. In the Translated IP/range field, enter the private IP of the virtual machine that should receive the traffic.
  7. Select or enter the port number on the virtual machine that should be listening for the traffic. In many cases this is the same port as in Step 5.
  8. Ensure that Enabled is checked.
  9. Click OK to save the rule.

When finished setting up both SNAT and DNAT rules, click OK to initiate the changes on the vShield Edge Gateway.

Impact/Risks

If the vShield Edge Gateway firewall is disabled, SNAT and/or DNAT rules may create a security hole within the environment. Enable the rules judiciously. Poorly-formed DNAT rules, because they allow unsolicited traffic from the outside to the inside, are potentially more harmful than SNAT rules.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 2 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 2 Ratings
Actions
KB: