This post is part of a series, other related posts are:
- 26 Mar 2015 - Site to Site IPSEC VPN between NSX Edge and Linux strongSwan: The following post will show how to configure a L3 VPN between VMware NSX Edge and a Linux box with strongSwan.
- 10 Feb 2015 - VXLAN on VMware NSX: VTEP, proxy, Unicast/Multicast/Hybrid mode: Virtual Extensible LAN (VXLAN) is a network encapsulation that helps build an overlay network and is the basis of network virtualization. In simple words, VXLAN encapsulates Ethernet frames in a routable UDP packet. With VXLAN a single L2 segment can span L3 boundaries. Moreover, VXLAN overcomes VLAN limits: the 802.1Q standard defines a maximum of 4094 VLANs, while VXLAN defines a maximum of 2^24 VNIs (VXLAN Network Identifiers).
- 19 Jan 2015 - Configuring NAT and firewall on a NSX Edge Router: In this post we'll see how to configure NAT and firewall policies on a NSX Edge Router.
- 19 Jan 2015 - Configuring a load balancer with VMware NSX: In this post we'll see how to configure a load balancer on a NSX Edge Router.
- 15 Jan 2015 - Connecting Edge Router to physical LAN using VMware NSX: In this post we'll see how to connect an Edge Router to a physical LAN.
In this post we'll see how to configure NAT and firewall policies on a NSX Edge Router.
In a previous post the edge router was connected to the external network.
In this post NAT and Firewall will be configured to allow SSH access to VM1 from external networks.
Go to “Networking & Security -> NSX Edges”, double click on the edge router and follow “Manage -> NAT”. Add a DNAT rule so that VM1’s IP address (172.31.31.11, port 22) can be reached through the Edge router gateway address (172.31.30.21, port 2220):
Publish the changes and go to the “Firewall” tab. Add a rule allowing traffic from “any” to port 2220:
The rule is fairly broad (any source is allowed), but tightening it is out of scope for this post.
Now an SSH connection to the edge router's IP address on port 2220 lands on the internal VM (VM1).
Internal VMs must also be able to reach external networks using the edge public IP address. So go back to the “NAT” tab and add a new (SNAT) rule:
Now connect to the internal VM from an external network, and ping back an external IP address:
```
client$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 2220 email@example.com
firstname.lastname@example.org's password:
ubuntu@ubuntu1:~$ ping -c3 172.31.30.1
PING 172.31.30.1 (172.31.30.1) 56(84) bytes of data.
64 bytes from 172.31.30.1: icmp_seq=1 ttl=62 time=0.601 ms
64 bytes from 172.31.30.1: icmp_seq=2 ttl=62 time=0.670 ms
64 bytes from 172.31.30.1: icmp_seq=3 ttl=62 time=0.642 ms

--- 172.31.30.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.601/0.637/0.670/0.040 ms
```
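To make the effect of the three rules above concrete, here is a small Python model of the Edge's inbound and outbound packet handling. It is an added example written for this post, not NSX code or the VMware API; it uses the addresses from the post (172.31.30.21:2220 -> 172.31.31.11:22), assumes the internal segment is 172.31.31.0/24, assumes a default-deny firewall, and evaluates the firewall on the packet as received (destination port 2220) before DNAT, which is the ordering the post's firewall rule implies. It also shows, beside the post's "any" rule, a constructed tightened rule restricted to a management network, so the difference in what each admits is visible.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Addresses are the ones from the post; the rule objects and evaluation
# order are a constructed model, not NSX code.
EDGE_PUBLIC_IP = "172.31.30.21"
VM1_IP = "172.31.31.11"
INTERNAL_NET = "172.31.31.0/24"   # assumed: the internal segment behind the Edge


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0   # 0 for icmp
    dst_port: int = 0


@dataclass(frozen=True)
class NatRule:
    kind: str                  # "DNAT" or "SNAT"
    match: str                 # DNAT: original dst IP; SNAT: original src network
    match_port: Optional[int]  # DNAT: original dst port (None = any)
    xlate_ip: str
    xlate_port: Optional[int] = None


@dataclass(frozen=True)
class FwRule:
    name: str
    src: str                   # "any" or a CIDR
    dst_port: Optional[int]    # None = any port
    action: str                # "accept" or "deny"


def in_scope(ip: str, scope: str) -> bool:
    """True if ip falls inside scope ('any', a host or a CIDR)."""
    return scope == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(scope, strict=False)


def firewall_verdict(pkt: Packet, rules: list) -> str:
    """First matching rule wins; default deny is assumed in this model."""
    for r in rules:
        if in_scope(pkt.src_ip, r.src) and (r.dst_port is None or pkt.dst_port == r.dst_port):
            return r.action
    return "deny"


def apply_dnat(pkt: Packet, rules: list) -> Packet:
    """Rewrite destination IP/port for the first matching DNAT rule."""
    for r in rules:
        if r.kind == "DNAT" and pkt.dst_ip == r.match and (r.match_port is None or pkt.dst_port == r.match_port):
            new_port = r.xlate_port if r.xlate_port is not None else pkt.dst_port
            return replace(pkt, dst_ip=r.xlate_ip, dst_port=new_port)
    return pkt


def apply_snat(pkt: Packet, rules: list) -> Packet:
    """Rewrite the source IP for the first matching SNAT rule."""
    for r in rules:
        if r.kind == "SNAT" and in_scope(pkt.src_ip, r.match):
            return replace(pkt, src_ip=r.xlate_ip)
    return pkt


def ingress(pkt: Packet, nat_rules: list, fw_rules: list) -> Optional[Packet]:
    """Inbound path: firewall on the packet as received (dst port 2220),
    then DNAT to VM1:22. Returns None when the firewall denies the packet."""
    if firewall_verdict(pkt, fw_rules) != "accept":
        return None
    return apply_dnat(pkt, nat_rules)


def egress(pkt: Packet, nat_rules: list) -> Packet:
    """Outbound path: internal sources leave with the Edge public IP."""
    return apply_snat(pkt, nat_rules)


# The two NAT rules configured in the post.
NAT_RULES = [
    NatRule("DNAT", EDGE_PUBLIC_IP, 2220, VM1_IP, 22),
    NatRule("SNAT", INTERNAL_NET, None, EDGE_PUBLIC_IP),
]

# The post's firewall rule: any source to port 2220.
FW_BROAD = [FwRule("ssh-in", "any", 2220, "accept")]

# Constructed tightened variant: only a management network may reach 2220.
FW_TIGHT = [FwRule("ssh-in-admin", "203.0.113.0/24", 2220, "accept")]


if __name__ == "__main__":
    ssh_in = Packet("tcp", "203.0.113.5", EDGE_PUBLIC_IP, 51000, 2220)
    print("inbound ssh        ->", ingress(ssh_in, NAT_RULES, FW_BROAD))
    print("inbound port 2221  ->", ingress(replace(ssh_in, dst_port=2221), NAT_RULES, FW_BROAD))
    stranger = replace(ssh_in, src_ip="198.51.100.9")
    print("stranger, broad    ->", ingress(stranger, NAT_RULES, FW_BROAD))
    print("stranger, tight    ->", ingress(stranger, NAT_RULES, FW_TIGHT))
    print("outbound ping      ->", egress(Packet("icmp", VM1_IP, "172.31.30.1"), NAT_RULES))
```

Running it shows the SSH packet to 172.31.30.21:2220 accepted and rewritten to 172.31.31.11:22, a packet to 2221 dropped by the default deny, the VM1 ping leaving with source 172.31.30.21, and the same client address accepted by the post's "any" rule but refused by the narrower one, which is why the post calls its rule broad.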