
NCD – Configuring NAT Rules


NAT rules can be configured for vDC networks and vApp networks.

Note: NAT options differ between vDC and vApp networks.

Configuring NAT Rules for a vDC Network

  1. Click NAT in the "Network Services" section of the appropriate vDataCenter detail page. The "NAT" section displays the current status of any existing NAT rules defined for the vDC network.

  2. Click the "gear" icon in the upper right corner of the "NAT" section to display the NAT page.


  3. To enable NAT for the vDC network, select the "Enabled" checkbox at the top of the NAT page.

  4. To add a NAT rule, click +Add NAT Rule. To edit an existing NAT rule, click the "gear" icon in the "Rules" list corresponding to the rule to be edited. The Add/Edit NAT Rule page appears.


  5. To enable the NAT rule, select the "Enabled" checkbox. When adding a new NAT rule, this checkbox is selected by default.

  6. In the "Type" field, select the Destination radio button to create a DNAT rule, or the Source radio button to create an SNAT rule. A DNAT rule translates an external IP address to an internal IP address for inbound traffic. An SNAT rule translates an internal IP address to an external IP address for outbound traffic.

  7. For a new DNAT rule, select a protocol to which the rule applies from the "Protocol" drop-down menu. Available options include TCP, UDP, TCP & UDP, ICMP, and Any.

  8. From the "Applied On" drop-down menu, select the vDC network on which the NAT rule is to be applied.

  9. In the "Original IP" field, enter or select the original IP address or range of IP addresses for which the NAT rule is to apply.

    For an SNAT rule, specify the IP addresses of the VM(s) for which the NAT rule is being configured so that they can send traffic to the external network.

    For a DNAT rule, specify the public IP address of the gateway for which the NAT rule is being configured. The following notations and values are valid for the "Original IP" field:

    • A single IP address (example: 192.168.0.1)

    • A network in CIDR notation (example: 192.168.0.0/24)

    • A range of IPs (example: 192.168.0.1-192.168.0.50)

  10. For a new DNAT rule, enter or select an original port or range of ports for the rule in the "Original Port" field. Specify the port(s) used by incoming traffic on the gateway to connect to the internal network. The following notations and values are valid for the "Original Port" field:

    • A port number (an integer from 1-65535)

      • Select FTP from the drop-down menu to select port 21

      • Select SSH from the drop-down menu to select port 22

      • Select HTTP from the drop-down menu to select port 80

      • Select HTTPS from the drop-down menu to select port 443

    • A range of port numbers separated by a dash

    • "Any" or "-1" (equivalent values)

  11. In the "Translated IP" field, enter or select the translated IP address or range of IP addresses for which the NAT rule is to apply.

    For an SNAT rule, specify the IP address to which the VM source addresses for outbound packets are to be translated when they send traffic to the external network.

    For a DNAT rule, specify the IP address or range of IP addresses of the VMs for which the rule is being configured so that they can receive traffic from the external network. The following notations and values are valid for the "Translated IP" field:

    • A single IP address (example: 192.168.0.1)

    • A network in CIDR notation (example: 192.168.0.0/24)

    • A range of IPs (example: 192.168.0.1-192.168.0.50)

  12. For a new DNAT rule, enter or select the destination port or range of ports for the rule in the "Translated Port" field. Specify the port(s) to which traffic is to connect on the internal network. The following notations and values are valid for the "Translated Port" field:

    • A port number (an integer from 1-65535)

      • Select FTP from the drop-down menu to select port 21

      • Select SSH from the drop-down menu to select port 22

      • Select HTTP from the drop-down menu to select port 80

      • Select HTTPS from the drop-down menu to select port 443

    • A range of port numbers separated by a dash

    • "Any" or "-1" (equivalent values)

  13. Click Add/Update NAT Rule to add or edit the rule, or Cancel to cancel your changes.

  14. At the NAT page, click Save to save the NAT rules, or Cancel to cancel the operation.

Reordering vDC NAT Rules

The NAT page "NAT Rules" list displays existing NAT rules in order of precedence, from top (highest precedence) to bottom (lowest precedence). The list order determines the rule that is enforced when two rules conflict.

To reorder NAT rules:
  1. For the NAT rule to be moved, select, drag, and drop the "Move" column icon to the desired position in the "NAT Rules" list.

  2. Click Save to rearrange the NAT rules.
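Because list order decides which rule is enforced, it is worth checking a rule set for entries that a higher rule already covers before saving. The following is an added example, not part of the NCD product or this page's original content: it parses the "Original IP" and "Original Port" notations listed above and reports overlapping rule pairs in precedence order. The tuple layout of the rules and the reading of "conflict" as overlapping protocol, original IP and original port are assumptions.

```python
import ipaddress

# Choices in the "Protocol" menu; "Any" is modelled here as the three named protocols.
PROTOCOLS = {"TCP": {"tcp"}, "UDP": {"udp"}, "TCP & UDP": {"tcp", "udp"},
             "ICMP": {"icmp"}, "Any": {"tcp", "udp", "icmp"}}

def parse_ips(text):
    """Return (first, last) as integers for a single IP, a CIDR network or an IP range."""
    if "/" in text:
        net = ipaddress.IPv4Network(text.strip(), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    first, _, last = text.partition("-")
    first, last = (int(ipaddress.IPv4Address(p.strip())) for p in (first, last or first))
    if first > last:
        raise ValueError(f"reversed IP range: {text}")
    return first, last

def parse_ports(text):
    """Return (low, high) for a port number, a dash-separated range, "Any" or "-1"."""
    text = str(text).strip()
    if text.lower() == "any" or text == "-1":
        return 1, 65535
    low, _, high = text.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port value: {text}")
    return low, high

def find_conflicts(rules):
    """Return (winner, loser, kind) for each pair of rules whose match criteria overlap."""
    parsed = [(n, PROTOCOLS[p], parse_ips(ip), parse_ports(pt)) for n, p, ip, pt in rules]
    conflicts = []
    for i, (top, t_proto, t_ip, t_port) in enumerate(parsed):
        for low, l_proto, l_ip, l_port in parsed[i + 1:]:
            if (t_proto & l_proto and t_ip[0] <= l_ip[1] and l_ip[0] <= t_ip[1]
                    and t_port[0] <= l_port[1] and l_port[0] <= t_port[1]):
                covered = (l_proto <= t_proto and t_ip[0] <= l_ip[0] and l_ip[1] <= t_ip[1]
                           and t_port[0] <= l_port[0] and l_port[1] <= t_port[1])
                conflicts.append((top, low, "shadowed" if covered else "partial"))
    return conflicts

# Constructed sample: (name, protocol, original IP, original port), top rule first.
SAMPLE_RULES = [
    ("web", "TCP", "203.0.113.10", "80-443"),
    ("https", "TCP", "203.0.113.10", "443"),
    ("ssh", "TCP & UDP", "203.0.113.8/30", "22"),
    ("mgmt", "TCP", "203.0.113.9-203.0.113.10", "-1"),
]
```

A "shadowed" result means the lower rule can never take effect in its current position; a "partial" result means the higher rule wins only for the overlapping addresses and ports.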

Deleting vDC NAT Rules

To delete an existing NAT rule for a vDC network:
  1. In the NAT page "NAT Rules" list, click Delete in the row corresponding to the rule to be deleted.

  2. Click Save to save the NAT rules, or Cancel to cancel the operation.

Configuring NAT for a vApp Network

  1. Click Networks in the "Children" section of the appropriate vApp detail page.

  2. In the "Networks" list, click the name of the desired vApp network. The vApp Network page appears.

  3. Click NAT in the "Services" section of the vApp Network page. The "NAT" section displays the current status of any existing NAT rules defined for the vApp network.

  4. Click the "gear" icon in the upper right corner of the "NAT" section to display the NAT page.


  5. To enable NAT for the vApp network, select the "Enabled" checkbox at the top of the NAT page.

  6. Select the IP Translation or Port Forwarding "NAT Type" radio button, as desired.

  7. Notes: Selecting a "NAT Type" value deletes any existing NAT rules of the other type.

    Note also that different fields are available at the Add/Edit NAT Rule page (see below) depending on the "NAT Type" selection.

  8. Add or edit IP Translation or Port Forwarding NAT rules as detailed in the corresponding section below.

Adding/Editing IP Translation NAT Rules for a vApp Network

  1. To add a NAT rule, click +Add NAT Rule. To edit an existing NAT rule, click the "gear" icon in the "NAT Rules" list corresponding to the rule to be edited. The Add/Edit NAT Rule page appears.


  2. In the "Mapping Mode" field, select the automatic radio button to automatically map the VM interface to an available Edge Gateway external IP address. Select the manual radio button to map the VM interface to a specified IP address using the "External IP" field.

  3. From the "VM Interface" drop-down menu, select the VM interface to which the NAT rule is to apply.

  4. If the manual mapping mode is selected, enter the IP address to which the VM interface is to be mapped in the "External IP" field.

  5. Click Add/Update NAT Rule to add or edit the rule, or Cancel to cancel your changes.

  6. At the NAT page, click Save to save the NAT rules, or Cancel to cancel the operation.

Adding/Editing Port Forwarding NAT Rules for a vApp Network

  1. To enable IP masquerade, select the "Enable IP Masquerade" checkbox. This checkbox appears when Port Forwarding is selected for the "NAT Type" on the NAT page.

    Enabling IP masquerade for a vApp network hides the internal IP addresses of its VMs from the vDC network, and translates these addresses to a public IP address for outbound traffic.

  2. To add a NAT rule, click +Add NAT Rule. To edit an existing NAT rule, click the "gear" icon in the "NAT Rules" list corresponding to the rule to be edited. The Add/Edit NAT Rule page appears.


  3. From the "VM Interface" drop-down menu, select the VM interface to which the NAT rule is to apply.

  4. From the "Protocol" drop-down menu, select a protocol to which the rule applies. Available options include TCP, UDP, and TCP & UDP.

  5. In the "External Port" field, enter or select an external port value for the NAT rule. The following notations and values are valid for the "External Port" field:

    • A port number (an integer from 1-65535)

      • Select FTP from the drop-down menu to select port 21

      • Select SSH from the drop-down menu to select port 22

      • Select HTTP from the drop-down menu to select port 80

    • "Any" or "-1" (equivalent values)

  6. In the "Forward to Port" field, enter or select a port to which traffic is to be forwarded. The following notations and values are valid for the "Forward to Port" field:

    • A port number (an integer from 1-65535)

      • Select FTP from the drop-down menu to select port 21

      • Select SSH from the drop-down menu to select port 22

      • Select HTTP from the drop-down menu to select port 80

    • "Any" or "-1" (equivalent values)

  7. Click Add/Update NAT Rule to add or edit the rule, or Cancel to cancel your changes.

  8. At the NAT page, click Save to save the NAT rules, or Cancel to cancel the operation.

Reordering vApp NAT Rules

The "NAT Rules" list on the NAT page displays existing NAT rules in order of precedence, from top (highest precedence) to bottom (lowest precedence). The list order determines the rule that is enforced when two rules conflict.

To reorder NAT rules:
  1. For the NAT rule to be moved, select, drag, and drop the "Move" column icon to the desired position in the "NAT Rules" list.

  2. Click Save to rearrange the NAT rules.

Deleting vApp NAT Rules

To delete an existing NAT rule for a vApp network:
  1. In the NAT page "NAT Rules" list, click Delete in the row corresponding to the rule to be deleted.

  2. Click Save to save the NAT rules, or Cancel to cancel the operation.

What is a NAT?
What are NAT rules?
NAT rule original and translated IP notation

Related vCD Documents

  • Add a Port Forwarding Rule to a vApp Network
  • Add an IP Translation Rule to a vApp Network
  • Reorder Port Forwarding Rules for a vApp Network