You can create a source NAT (SNAT) rule to change the source IP address from a public to private IP address or the reverse. You can create a destination NAT (DNAT) rule to change the destination IP address from a public to private IP address or the reverse.

When creating NAT rules, you can specify the original and translated IP addresses by using the following formats:

IP address; for example, 192.0.2.0

IP address range; for example, 192.0.2.0-192.0.2.24

IP address/subnet mask; for example, 192.0.2.0/24

any

The translated (public) IP address must have been added to the edge gateway interface on which you want to add the rule.

1. Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

   See Log In and Navigate to Advanced Networking Services for information.

2. Click the SSL VPN-Plus tab and NAT.

3. Click the Add icon and choose one of the following options:

   | Option | Description |
   | --- | --- |
   | Add DNAT Rule | A DNAT rule changes the destination IP address and, optionally, port of inbound packets. |
   | Add SNAT Rule | An SNAT rule changes the source IP address and, optionally, port of outgoing packets. |

4. Select the interface on which to apply the rule.

5. Depending on which type of NAT rule you are creating, complete the following options:

   Destination NAT (DNAT) (outside -> inside)

   | Option | Description |
   | --- | --- |
   | Original IP/Range | Specifies the destination IP address to which the rule applies; this address is always the public IP address of the edge gateway for which you are configuring the DNAT rule. Type the required IP address. |
   | Protocol | Select the protocol to which the rule applies. |
   | Original Port/Range | (Optional) Select the port or port range that the incoming traffic uses on the edge gateway to connect to the internal network on which the virtual machines are connected. |
   | ICMP Type | When you select ICMP (an error-reporting and diagnostic utility used between devices to communicate error information) in the Protocol field, select the ICMP Type from the drop-down menu. ICMP messages are identified by the “type” field. By default, the ICMP type is set to “any.” |
   | Translated IP/Range | Type the IP address or a range of IP addresses to which destination addresses on inbound packets will be translated. These addresses are the IP addresses of the virtual machine (or machines) for which you are configuring DNAT so that they can receive traffic from the external network. |
   | Translated Port/Range | (Optional) Select the port or port range that traffic connects to on the virtual machines on the internal network. |

   Source NAT (SNAT) (inside -> outside)

   | Option | Description |
   | --- | --- |
   | Original Source IP/Range | Type the original IP address or range of IP addresses to apply to this rule. These addresses are the IP addresses of the virtual machine (or machines) for which you are configuring SNAT so that they can send traffic to the external network. |
   | Translated Source IP/Range | Type the required IP address. Specifies the IP address to which source addresses (the virtual machines) on outbound packets are translated when they send traffic to the external network. This address is always the public IP address of the gateway for which you are configuring the SNAT rule. |

6. (Optional) Type a description for the rule.

7. Select Enabled to enable the rule.

8. Select Enable logging to log the address translation.

9. Click OK to save the rule.

Add a corresponding edge gateway firewall rule for the SNAT or DNAT rule you just configured. See Add an Edge Gateway Firewall Rule.
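The address formats and the public-address requirements described above can be checked before a rule is typed into the UI. The following Python sketch is an added example, not VMware code; the function names and the sample addresses are assumptions made for illustration, and it treats "any" on the public side of a rule as an error because the procedure says that side is always the gateway's public IP address.

```python
import ipaddress

def parse_nat_address(spec):
    """Return (first, last) addresses covered by spec, or None for 'any'."""
    spec = spec.strip()
    if spec.lower() == "any":
        return None
    if "-" in spec:  # IP address range, e.g. 192.0.2.0-192.0.2.24
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {spec}")
        return lo, hi
    if "/" in spec:  # IP address/subnet mask, e.g. 192.0.2.0/24
        net = ipaddress.IPv4Network(spec, strict=False)
        return net[0], net[-1]
    addr = ipaddress.IPv4Address(spec)  # single IP address
    return addr, addr

def check_nat_rule(kind, original, translated, interface_ips):
    """Return a list of problems; an empty list means the rule passes."""
    if kind not in ("DNAT", "SNAT"):
        raise ValueError(f"unknown rule type: {kind}")
    # The gateway's public address is the original side of a DNAT rule
    # and the translated side of an SNAT rule.
    public, inside = (original, translated) if kind == "DNAT" else (translated, original)
    try:
        span = parse_nat_address(public)
        parse_nat_address(inside)  # format check only
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    if span is None:
        return [f"{kind}: public side is 'any', not a gateway address"]
    configured = {ipaddress.IPv4Address(ip) for ip in interface_ips}
    lo, hi = int(span[0]), int(span[1])
    if hi - lo + 1 > len(configured):  # also avoids walking a huge range
        return [f"{kind}: public side covers more addresses than the interface has"]
    # Every public address used by the rule must already be on the interface.
    return [f"{kind}: {ipaddress.IPv4Address(n)} is not on the selected interface"
            for n in range(lo, hi + 1)
            if ipaddress.IPv4Address(n) not in configured]

if __name__ == "__main__":
    gateway_ips = ["203.0.113.10"]  # constructed sample: addresses on the interface
    print(check_nat_rule("DNAT", "203.0.113.10", "192.168.1.5", gateway_ips))
    print(check_nat_rule("SNAT", "192.168.1.0/24", "203.0.113.99", gateway_ips))
```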