After a short break, we return to NSX. Today I will show you how to configure NAT and Firewall.
On the Administration tab, go to your virtual data center: Cloud Resources - Virtual Datacenters.
Select the Edge Gateways tab and right-click the desired NSX Edge. In the menu that appears, select Edge Gateway Services. The NSX Edge control panel opens in a separate tab.
Configuring Firewall Rules
By default, in the Default rule for ingress traffic section the Deny option is selected, i.e. the Firewall blocks all traffic.
To add a new rule, click +. A new entry titled New Rule will appear. Edit its fields according to your requirements.
In the Name field, specify a name for the rule, such as Internet.
In the Source field, enter the required source addresses. By clicking the IP button, you can enter a single IP address, a range of IP addresses or a CIDR block.
By clicking the + button, you can select other kinds of objects:
- Gateway Interfaces: all internal networks (Internal), all external networks (External), or Any.
- Virtual Machines: binds the rule to a specific virtual machine.
- OrgVdcNetworks: organization-level networks.
- IP Sets: a group of IP addresses previously created by the user (under Grouping Objects).
In the Destination field, enter the destination address. The same options are available as in the Source field.
In the Service field, you can select or manually specify the destination port (Destination Port), the protocol (Protocol) and the source port (Source Port). Click Keep.
In the Action field, select the required action: allow traffic that matches this rule, or deny it.
Apply the configuration by clicking Save changes.
Rule Examples
Rule 1 (Internet) allows the server with IP 192.168.1.10 to access the Internet using any protocol.
Rule 2 (Web server) allows access from the Internet (TCP, port 80) via your external address, in this case 185.148.83.16:80.
NAT setup
NAT (Network Address Translation) translates private ("gray") IP addresses to external ("white") ones and vice versa. This is what gives a virtual machine access to the Internet. To set it up, you need to configure SNAT and DNAT rules.
Important! NAT works only when the Firewall is enabled and the appropriate allow rules are configured.
Create a SNAT rule. SNAT (Source Network Address Translation) replaces the source address of a packet when it is forwarded.
First, find out the external IP address or range of IP addresses available to you. To do this, go to Administration and double-click the virtual data center. In the settings menu that appears, open the Edge Gateways tab. Right-click the desired NSX Edge and choose Properties.
In the window that appears, on the Sub-Allocate IP Pools tab, you can view the external IP address or range of IP addresses. Write it down.
Next, right-click the NSX Edge again. In the menu that appears, select Edge Gateway Services to return to the NSX Edge control panel.
Open the NAT tab and click Add SNAT.
In a new window, specify:
- Applied on: an external network (not an organization-level network!);
- Original Source IP/range: the internal address range, for example 192.168.1.0/24;
- Translated Source IP/range: the external address through which the Internet will be accessed, i.e. the one you noted on the Sub-Allocate IP Pools tab.
Click Keep.
Create a DNAT rule. DNAT (Destination Network Address Translation) changes the destination address of a packet, and optionally its destination port. It is used to forward incoming packets from an external address/port to a private IP address/port inside the private network.
Select the NAT tab and click Add DNAT.
In the window that appears, specify:
- Applied on: an external network (not an organization-level network!);
- Original IP/range: the external address (the address from the Sub-Allocate IP Pools tab);
- Protocol: the protocol to forward (for example TCP);
- Original Port: the port on the external address;
- Translated IP/range: the internal IP address, for example 192.168.1.10;
- Translated Port: the port on the internal address to which the external port will be translated.
Click Keep.
Apply the configuration by clicking Save changes.
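To make the interaction between the firewall rules and the NAT rules concrete, here is an added Python model (not part of the original article and not NSX code) that applies the two example firewall rules, the SNAT rule and the DNAT rule from this article to a few constructed packets. It assumes first-match evaluation against the packet before translation with a default Deny, models "Internal" as the RFC 1918 ranges, and applies DNAT before SNAT; the real processing order inside an NSX Edge is not described on this page, so treat that order as an assumption for illustration only. The sample addresses 203.0.113.5 and 8.8.8.8 are constructed stand-ins for Internet hosts.

```python
"""Added example: a toy model of the NSX Edge firewall + SNAT/DNAT rules
described in the article. Not the article's code and not NSX code; the
evaluation order (firewall on the pre-NAT packet, then DNAT, then SNAT)
is an assumption made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"
# "Internal" (gray) addresses are modelled as the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def match_addr(spec: str, ip: str) -> bool:
    """spec is 'any', 'internal', 'external', a single IP, a range 'a-b' or a CIDR."""
    if spec == ANY:
        return True
    if spec == "internal":
        return is_internal(ip)
    if spec == "external":
        return not is_internal(ip)
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


@dataclass
class FwRule:
    name: str
    source: str
    destination: str
    protocol: str = ANY            # 'tcp', 'udp', 'icmp' or 'any'
    dport: Optional[int] = None    # None = any destination port
    action: str = "allow"

    def matches(self, pkt: dict) -> bool:
        return (match_addr(self.source, pkt["src"])
                and match_addr(self.destination, pkt["dst"])
                and self.protocol in (ANY, pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Snat:
    original_source: str      # internal range, e.g. 192.168.1.0/24
    translated_source: str    # external address from Sub-Allocate IP Pools


@dataclass
class Dnat:
    original_ip: str
    protocol: str
    original_port: int
    translated_ip: str
    translated_port: int


# The article's rules: default Deny, rule 1 "Internet", rule 2 "Web server".
RULES = [
    FwRule("Internet", source="192.168.1.10", destination="external"),
    FwRule("Web server", source="external", destination="185.148.83.16", protocol="tcp", dport=80),
]
SNATS = [Snat("192.168.1.0/24", "185.148.83.16")]
DNATS = [Dnat("185.148.83.16", "tcp", 80, "192.168.1.10", 80)]


def firewall(pkt: dict, rules=RULES, default="deny"):
    """First matching rule wins; otherwise the default rule for ingress traffic applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default rule"


def evaluate(pkt: dict, rules=RULES, snats=SNATS, dnats=DNATS) -> dict:
    """Return the verdict and the packet as it leaves the edge (after NAT)."""
    action, rule = firewall(pkt, rules)
    if action != "allow":
        return {"action": "deny", "rule": rule, "packet": dict(pkt)}
    out = dict(pkt)
    # DNAT: external address/port -> internal address/port (inbound traffic).
    for d in dnats:
        if (d.original_ip == out["dst"] and d.protocol == out["proto"]
                and d.original_port == out.get("dport")):
            out["dst"], out["dport"] = d.translated_ip, d.translated_port
            break
    # SNAT: internal source -> external address, only for traffic leaving to the outside.
    for s in snats:
        if match_addr(s.original_source, out["src"]) and not is_internal(out["dst"]):
            out["src"] = s.translated_source
            break
    return {"action": "allow", "rule": rule, "packet": out}


if __name__ == "__main__":
    # Constructed sample packets; the last one is inside the SNAT range but has
    # no allow rule, which is exactly the "Important!" note above.
    for pkt in [
        {"src": "192.168.1.10", "dst": "8.8.8.8", "proto": "udp", "dport": 53},
        {"src": "203.0.113.5", "dst": "185.148.83.16", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.5", "dst": "185.148.83.16", "proto": "tcp", "dport": 22},
        {"src": "192.168.1.20", "dst": "8.8.8.8", "proto": "tcp", "dport": 443},
    ]:
        print(evaluate(pkt))
```

Running the model shows why the firewall and NAT are configured together: the packet from 192.168.1.20 falls inside the SNAT range but hits the default Deny because no firewall rule allows it, while the inbound request to 185.148.83.16:80 is accepted by the Web server rule and then DNATed to 192.168.1.10:80; SSH to the same external address is dropped by the default rule.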
Done.
Next in line is DHCP instructions, including configuring DHCP Bindings and Relay.
Source: habr.com