Basic NAT and Firewall configuration - NSX-T

In order to connect your VDC to the outside world, you'll need to configure the NAT and Firewall within your NSX-T edge gateway. To change the source IP address from a private to a public IP address, you create a source NAT (SNAT) rule. To change the destination IP address from a public to a private IP address, you create a destination NAT (DNAT) rule.

In this article, we'll cover the configuration of the edge to connect a custom network to the internet and to allow inbound SSH access on a custom port, 223/TCP.

Before you begin, please ensure you have created a network to include as part of your NAT and Firewall configuration. Please refer to our network creation guide for instructions on how to set up a routed network in vCloud: Configuring a Network using the vCloud Director Portal

For this example, we'll be using an Org_Network of 192.168.10.0/24 and an External IP of 203.23.220.50.

Accessing the Edge

There are two methods of accessing your NSX-T edge:

1. Under 'Data Centers', while browsing your VDC, select 'Edges' under the Networking dropdown on the left-hand side. Then click on your DC_XXXXXX to open NSX-T.

2. Navigate to the Networking page from the top menu, then select 'Edge Gateways'. Click on the VDC edge for the DC you wish to edit.

IP Sets & Static Groups

New to NSX-T, IP Sets and Static Groups let you group IP addresses and networks for use in Firewall rules, giving a more human-readable Firewall table. You can manage and configure them under Security -> IP Sets.

IP Sets allow you to group multiple IP ranges, CIDRs or specific IPs together for use in your Firewall rules.
When creating an IP Set you'll need to provide:

  • IP Set Name

  • Short Description

  • A list of IPv4 single IPs, ranges or CIDRs

Static Groups allow you to group multiple VDC Networks.

Once you create a group with a name and short description, you can manage the members of this group by selecting from the existing VDC networks.

For our example, we'll create an 'Internal Network' group and add our Org_VDC Network to this group.

NAT

As part of this setup, we’ll configure an SNAT rule to allow outbound traffic and a DNAT rule to route our custom SSH traffic through to the VM.

You can create SNAT and DNAT rules by navigating to NAT under Services and selecting 'New'.

SNAT

For SNAT rules, you’ll need to provide the following:

  • Name

  • Short Description

  • Interface Type

  • External IP / CIDR

  • Internal IP / CIDR

For our example, we'll configure an outbound rule for just this network's subnet (192.168.10.0/24 translated to 203.23.220.50).

DNAT

For DNAT rules, you’ll need to provide the following:

  • Name

  • Short Description

  • Interface Type

  • External IP / CIDR

  • Internal IP / CIDR

We'll also use the Application field to specify that the custom external port (223/TCP) is being translated to the traditional SSH port on the internal network.

Firewall

The last step of our configuration is to set up Firewall rules to allow outbound traffic from our internal network and allow an inbound connection to our SSH service.

Click on 'Edit Rules' on the Firewall page to begin adding new rules to the edge Firewall.

You can click 'New On Top' or 'New Above' (after selecting an existing rule) to start adding rules to the Firewall.

External Access

The first rule we'll create will allow all traffic from our Org-VDC network out to the Internet.

Specify the Source as the ‘Internal Network’ Static Group we set up earlier:

And the destination will be ANY:

Once you’ve finished editing, hit save in the bottom right corner.

Your VMs on the Org-VDC network should now be able to get out to the Internet.

Custom SSH Inbound

Let's set up a firewall rule to allow SSH access from external to TCP/223. In this example I've created an additional IP Set for a 'Perth Office' range.

The Application in the Firewall applies to the Source. The Destination port is controlled by the corresponding NAT rule.

Select the source as our 'Perth Office' IP Set.

Set the destination as our 'Internal Network' Static Group.

Once saved, you will now be able to SSH on port 223.

Links to related guides

NAT Rule priority

If an address has multiple NAT rules, the rule with the highest priority is applied. A lower value means a higher precedence for this rule.
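To check that the NAT rules, firewall rules and priority ordering described on this page fit together before you commit them to a live edge, it helps to model them. The following is an added example written for this article; it is not code from the article, from vCloud Director or from VMware. It models NAT precedence exactly as stated above (lowest priority value wins), SNAT/DNAT translation, and a top-down, first-match firewall with an implicit default deny, then runs constructed packets through the article's rule set. The evaluation order (inbound DNAT before the firewall, outbound firewall before SNAT), the internal SSH host 192.168.10.10, the 'Perth Office' range 198.51.100.0/24 and the second, lower-precedence DNAT rule are assumptions made for the model, not values from the article.

```python
"""Model of the edge NAT + firewall rule set from the article (added example).

Assumptions (not from the article): inbound packets are DNAT-translated before
the firewall sees them, outbound packets are firewalled and then SNAT-translated;
the SSH VM is 192.168.10.10; 'Perth Office' is 198.51.100.0/24 (a TEST-NET range).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ORG_NETWORK = "192.168.10.0/24"   # from the article
EXTERNAL_IP = "203.23.220.50"     # from the article
PERTH_OFFICE = "198.51.100.0/24"  # constructed placeholder range
SSH_VM = "192.168.10.10"          # constructed internal host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatRule:
    name: str
    kind: str                 # "SNAT" or "DNAT"
    match_net: str            # SNAT: internal source CIDR; DNAT: external IP
    translate_to: str         # SNAT: external IP; DNAT: internal IP
    priority: int = 0         # lower value = higher precedence (as the article states)
    match_port: Optional[int] = None      # DNAT only: external port
    translate_port: Optional[int] = None  # DNAT only: internal port


@dataclass
class FwRule:
    name: str
    src_nets: list            # CIDR strings; ["any"] matches everything
    dst_nets: list
    dports: Optional[set] = None  # None = any destination port
    action: str = "ALLOW"


def _in(addr: str, nets: list) -> bool:
    return any(n == "any" or ip_address(addr) in ip_network(n) for n in nets)


def pick_nat(rules, kind, pkt):
    """Return the matching rule of this kind with the lowest priority value, or None."""
    cands = []
    for r in rules:
        if r.kind != kind:
            continue
        if kind == "SNAT" and ip_address(pkt.src) in ip_network(r.match_net):
            cands.append(r)
        elif kind == "DNAT" and ip_address(pkt.dst) == ip_address(r.match_net) \
                and (r.match_port is None or r.match_port == pkt.dport):
            cands.append(r)
    return min(cands, key=lambda r: r.priority) if cands else None


def firewall(rules, pkt):
    """Top-down first match; no match means the implicit default deny."""
    for r in rules:
        if _in(pkt.src, r.src_nets) and _in(pkt.dst, r.dst_nets) \
                and (r.dports is None or pkt.dport in r.dports):
            return r.action, r.name
    return "DROP", "default-deny"


def process(nat_rules, fw_rules, pkt, direction):
    """Run one packet through the edge; returns (action, rule name, packet after NAT)."""
    if direction == "inbound":
        d = pick_nat(nat_rules, "DNAT", pkt)
        if d:
            pkt = Packet(pkt.src, d.translate_to, d.translate_port or pkt.dport, pkt.proto)
        action, name = firewall(fw_rules, pkt)
        return action, name, pkt
    action, name = firewall(fw_rules, pkt)
    if action == "ALLOW":
        s = pick_nat(nat_rules, "SNAT", pkt)
        if s:
            pkt = Packet(s.translate_to, pkt.dst, pkt.dport, pkt.proto)
    return action, name, pkt


# The article's rules, plus a constructed second DNAT rule to show priority ordering.
NAT_RULES = [
    NatRule("Outbound", "SNAT", ORG_NETWORK, EXTERNAL_IP),
    NatRule("SSH-223", "DNAT", EXTERNAL_IP, SSH_VM, priority=10, match_port=223, translate_port=22),
    NatRule("SSH-223-old", "DNAT", EXTERNAL_IP, "192.168.10.99", priority=50,
            match_port=223, translate_port=22),  # loses: higher value, lower precedence
]
FW_RULES = [
    FwRule("Internet-out", [ORG_NETWORK], ["any"]),
    FwRule("SSH-in", [PERTH_OFFICE], [ORG_NETWORK], dports={22}),  # SSH after DNAT
]

if __name__ == "__main__":
    for pkt, direction in [
        (Packet("192.168.10.20", "8.8.8.8", 443), "outbound"),
        (Packet("198.51.100.7", EXTERNAL_IP, 223), "inbound"),
        (Packet("192.0.2.5", EXTERNAL_IP, 223), "inbound"),
        (Packet("198.51.100.7", EXTERNAL_IP, 22), "inbound"),
    ]:
        print(direction, pkt, "->", process(NAT_RULES, FW_RULES, pkt, direction))
```

The last two packets are the ones worth watching: a client outside the 'Perth Office' range reaching port 223 is dropped by the default deny even though a DNAT rule exists, and a connection to port 22 on the public IP finds no DNAT rule and never reaches the internal network. If you change the firewall rule's destination to 'any' or drop the source IP Set, re-run the model and you will see exactly which packets the edge would start accepting.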