Configuring NAT and firewall on an NSX Edge Router

In this post we’ll see how to configure NAT and firewall policies on an NSX Edge Router.


In a previous post the edge router was connected to the external network:

NSX OSPF Topology

In this post, NAT and firewall rules will be configured to allow SSH access to VM1 from external networks.

Go to “Networking & Security -> NSX Edges”, double click on the edge router and follow “Manage -> NAT”. Add a DNAT rule so that VM1’s IP address (port 22) can be reached through the edge router’s external (gateway) address on port 2220:

Edit DNAT rule

Publish the changes and go to the “Firewall” tab. Add a rule that allows traffic from “any” source to port 2220:

Manage Firewall

The rule is deliberately broad (any source is allowed to reach port 2220); restricting it to the management networks that actually need SSH is out of scope for this post, but it should be done before exposing the rule to the Internet.

Now an SSH connection to the edge router’s IP address on port 2220 is translated to port 22 on VM1.

Internal VMs must also be able to reach external networks using the edge’s public IP address, so go back to the “NAT” tab and add an SNAT rule:

Edit SNAT rule
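The same three objects (DNAT rule, firewall rule, SNAT rule) can be built and pushed through the NSX Manager REST API instead of the vSphere Web Client. The following is an added example and is not code from the original post. It assumes, from memory, the NSX for vSphere (NSX-v) API: PUT /api/4.0/edges/{edgeId}/nat/config replaces the NAT table and POST /api/4.0/edges/{edgeId}/firewall/config/rules appends firewall rules, with the element names used in that API’s XML bodies. The edge ID, addresses, manager hostname and credentials are placeholders. It also goes one step beyond the post: build_firewall_rule() accepts a list of source CIDRs so the broad “any” rule can be narrowed.

```python
"""Build (and optionally push) the NSX-v Edge NAT and firewall rules from the post.

Added example, not the post's own code. Assumes the NSX for vSphere REST API:
  PUT  /api/4.0/edges/{edgeId}/nat/config            replaces the NAT table
  POST /api/4.0/edges/{edgeId}/firewall/config/rules appends firewall rules
Element names follow that API's XML bodies as remembered; verify against your
NSX Manager version before relying on them.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Placeholder values, not taken from the post.
EDGE_ID = "edge-1"
EDGE_PUBLIC_IP = "192.0.2.10"   # edge uplink ("gateway") address, RFC 5737 range
VM1_IP = "10.0.0.11"            # VM1 on the internal segment
INTERNAL_NET = "10.0.0.0/24"    # internal segment behind the edge
UPLINK_VNIC = "0"               # vNIC index of the uplink interface


def nat_rule(action, original, translated, proto=None, oport=None, tport=None, desc=""):
    """One <natRule>; port fields are only emitted for port-specific (DNAT) rules."""
    rule = ET.Element("natRule")
    for tag, val in (("action", action), ("vnic", UPLINK_VNIC),
                     ("originalAddress", original), ("translatedAddress", translated),
                     ("loggingEnabled", "true"), ("enabled", "true"),
                     ("description", desc)):
        ET.SubElement(rule, tag).text = val
    if proto:
        ET.SubElement(rule, "protocol").text = proto
        ET.SubElement(rule, "originalPort").text = str(oport)
        ET.SubElement(rule, "translatedPort").text = str(tport)
    return rule


def build_nat_config():
    """NAT table: DNAT edge:2220 -> VM1:22, and SNAT of the internal subnet to the edge IP."""
    nat = ET.Element("nat")
    rules = ET.SubElement(nat, "natRules")
    rules.append(nat_rule("dnat", EDGE_PUBLIC_IP, VM1_IP, "tcp", 2220, 22, "SSH to VM1"))
    rules.append(nat_rule("snat", INTERNAL_NET, EDGE_PUBLIC_IP, desc="internal egress"))
    return ET.tostring(nat, encoding="unicode")


def build_firewall_rule(sources=("any",)):
    """Accept TCP/2220 to the edge address.

    With sources=("any",) the <source> element is omitted, which is how the post's
    broad rule looks in the API. Pass explicit CIDRs to narrow it."""
    rules = ET.Element("firewallRules")
    rule = ET.SubElement(rules, "firewallRule")
    ET.SubElement(rule, "name").text = "allow-ssh-dnat"
    ET.SubElement(rule, "action").text = "accept"
    if "any" not in sources:
        src = ET.SubElement(rule, "source")
        for cidr in sources:
            ET.SubElement(src, "ipAddress").text = cidr
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "ipAddress").text = EDGE_PUBLIC_IP
    svc = ET.SubElement(ET.SubElement(rule, "application"), "service")
    ET.SubElement(svc, "protocol").text = "tcp"
    ET.SubElement(svc, "port").text = "2220"
    return ET.tostring(rules, encoding="unicode")


def summarize_nat(xml_text):
    """Parse a NAT body back into (action, original, translated, originalPort, translatedPort)."""
    return [(r.findtext("action"), r.findtext("originalAddress"),
             r.findtext("translatedAddress"), r.findtext("originalPort"),
             r.findtext("translatedPort"))
            for r in ET.fromstring(xml_text).iter("natRule")]


def firewall_source_is_any(xml_text):
    """True when the rule accepts from every source (no <source> element present)."""
    return ET.fromstring(xml_text).find("firewallRule/source") is None


def push(path, body, user, password, method="PUT", manager="nsxmgr.example.net"):
    """Send one XML body to NSX Manager over HTTPS with basic auth; returns the HTTP status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}/api/4.0/edges/{EDGE_ID}/{path}", data=body.encode(),
        method=method, headers={"Content-Type": "application/xml",
                                "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status


if __name__ == "__main__":
    print(build_nat_config())
    print(build_firewall_rule(["203.0.113.0/24"]))   # narrowed to one admin network
    # push("nat/config", build_nat_config(), "admin", "secret")
    # push("firewall/config/rules", build_firewall_rule(), "admin", "secret", method="POST")
```

Pushing the firewall rule with POST appends it to the existing edge firewall, so check where it lands relative to the default rule; pushing the NAT table with PUT replaces whatever is already there, so merge with any existing rules first.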

Now connect to the internal VM from an external network and, from there, ping an external IP address to verify the SNAT rule:

client$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 2220 ubuntu@
ubuntu@'s password:
ubuntu@ubuntu1:~$ ping -c3
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=62 time=0.601 ms
64 bytes from icmp_seq=2 ttl=62 time=0.670 ms
64 bytes from icmp_seq=3 ttl=62 time=0.642 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.601/0.637/0.670/0.040 ms