NSX-T NAT Rules

NAT (Network Address Translation) is a service that translates from private to public IP addresses. NSX-T NAT rules are completely synchronized with vCloud, so whichever side you update the rules from, all updates are visible in your OnApp Control Panel.

You can configure source NAT (SNAT), destination NAT (DNAT), NO SNAT, and NO DNAT rules on your NSX-T edge gateways.

  • A SNAT rule translates the source IP address of packets sent from an organization VDC network out to an external network or another organization VDC network.
  • A NO SNAT rule prevents the translation of the internal IP address of packets sent from an organization VDC out to an external network or another organization VDC network.
  • A DNAT rule translates the IP address and, optionally, the port of packets received by an organization VDC network that are coming from an external network or another organization VDC network.
  • A NO DNAT rule prevents the translation of the external IP address of packets received by an organization VDC from an external network or another organization VDC network.

Create NAT Rule


To add a new NAT rule for NSX-T integration:

  1. Go to your Control Panel > Cloud > Edge Gateways NSX-T > NSX-T edge gateway's label > NAT tab and then click .
  2. On the page that appears, specify the following parameters:
    For DNAT or NO DNAT rules:
    • Label - enter the name for a rule
    • Description - add description if any
    • Application - if you are creating a DNAT rule, select a specific application port profile to which to apply the rule. The application port profile includes a port and a protocol that the incoming traffic uses on the NSX-T edge gateway to connect to the internal network. If you do not want to select a specific application, pick Any from the drop-down list.
    • State - move the slider to the right to enable the rule upon creation
    • Type - specify type of the rule, DNAT or NO DNAT
    • External IP - enter the public IP address of the NSX-T edge gateway for which you are configuring the DNAT rule. The IP addresses that you enter must belong to the sub-allocated IP range of the edge gateway; the value can only be an IPv4 address or CIDR
    • Internal IP - if you are creating a DNAT rule, enter the IP address or a range of IP addresses of the virtual server for which you are configuring DNAT so that they can receive traffic from the external network; the value can only be an IPv4 address or CIDR
    • Internal Port - enter the port to which the rule translates packets inbound to the virtual servers
    • Logging - move the slider to the right to have the address translation performed by this rule logged

    For SNAT or NO SNAT rules:

    • Label - enter the name for a rule
    • Description - add description if any
    • State - move the slider to the right to enable the rule upon creation
    • Type - select SNAT or NO SNAT
    • External IP - if you are creating a SNAT rule, enter the public IP address of the edge gateway for which you are configuring the SNAT rule. The IP addresses that you enter must belong to the sub-allocated IP range of the edge gateway; the value can only be an IPv4 address or CIDR
    • Internal IP - enter the IP address or a range of IP addresses of the virtual servers for which you are configuring the rule so that they can send traffic to the external network; the value can only be an IPv4 address or CIDR
    • Destination IP - if you want the rule to apply only for traffic to a specific domain, enter an IP address for this domain or an IP address range in CIDR format. If you leave this field blank, the SNAT rule applies to all destinations outside of the local subnet
    • Logging - move the slider to the right to have the address translation performed by this rule logged

  3. Click Save to save the changes.
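
Before saving a set of rules, it helps to review them against the field constraints listed above. The following is an added example, not OnApp or vCloud code: the dictionary keys mirror the form fields on this page, and the rule list, the sub-allocated range and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data; the dict keys mirror the form fields on this page
# and are not an OnApp or vCloud export format.
SUBALLOCATED = ["203.0.113.0/28"]  # assumed sub-allocated range of the edge gateway
RULES = [
    {"label": "web-in", "type": "DNAT", "application": "HTTPS", "external_ip": "203.0.113.5",
     "internal_ip": "10.0.0.10", "logging": True},
    {"label": "db-in", "type": "DNAT", "application": "Any", "external_ip": "203.0.113.6",
     "internal_ip": "10.0.0.20", "logging": False},
    {"label": "out-all", "type": "SNAT", "external_ip": "198.51.100.9",
     "internal_ip": "10.0.0.0/24", "destination_ip": "", "logging": True},
    {"label": "bad-addr", "type": "SNAT", "external_ip": "203.0.113.7",
     "internal_ip": "fd00::/64", "destination_ip": "192.0.2.0/24", "logging": True},
]

def parse_v4(value):
    """Return an IPv4Network for an IPv4 address or CIDR, else None."""
    try:
        return ipaddress.IPv4Network(value, strict=False)
    except (ValueError, TypeError):
        return None

def review_rule(rule, suballocated):
    """Return a list of findings for one NAT rule."""
    findings = []
    pools = [ipaddress.IPv4Network(p) for p in suballocated]
    for field in ("external_ip", "internal_ip"):
        value = rule.get(field)
        if value and parse_v4(value) is None:
            findings.append(f"{field} is not IPv4 or CIDR")
    ext = parse_v4(rule.get("external_ip") or "")
    if ext and not any(ext.subnet_of(p) for p in pools):
        findings.append("external_ip outside sub-allocated range")
    if rule["type"] == "DNAT" and rule.get("application", "Any") == "Any":
        findings.append("DNAT with Application=Any is not limited to a port profile")
    if rule["type"] == "SNAT" and not rule.get("destination_ip"):
        findings.append("SNAT applies to all destinations")
    if not rule.get("logging"):
        findings.append("logging disabled")
    return findings

def review(rules, suballocated):
    """Map each rule label to its findings; an empty list means no findings."""
    return {r["label"]: review_rule(r, suballocated) for r in rules}

if __name__ == "__main__":
    for label, findings in review(RULES, SUBALLOCATED).items():
        print(label, "->", findings or "ok")
```

A rule with an empty findings list satisfies the address constraints above, is scoped to a port profile or destination, and has Logging enabled.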


Delete NAT Rule


  1. Go to your Control Panel > Cloud > Edge Gateways > NSX-T > NSX-T edge gateway's label > NAT tab.
  2. On the page that appears, select the rules to be deleted from the list of NAT rules and then click  above the table.