Troubleshoot Network Address Translation (NAT) service issues in NSX

 
To troubleshoot NAT issues, first confirm that the rule itself is configured the way you intended. In the vSphere Web Client navigate to Networking & Security -> NSX Edges, double-click the Edge device that performs the NAT, then open Manage -> NAT. Check the rule type (SNAT or DNAT), the interface it is applied on, the original and translated addresses, and the protocol and port; a rule bound to the wrong vNic is a common reason a correct-looking rule never matches.
 
 
You can also view more detailed information, including per-rule packet and byte counters, by logging into the Edge device via SSH and running the following command. The output is the Edge's iptables nat table: DNAT rules live in the usr_dnat chain under PREROUTING (applied before routing and firewalling), and SNAT rules live in the usr_snat chain under POSTROUTING (applied after). The pkts column tells you whether a rule has ever matched; a rule whose counter stays at 0 while you generate test traffic is the first thing to investigate. The Perl warning on the first line is a cosmetic CLI quirk and can be ignored.
 

vShield-edge-3-0> show nat
Use of uninitialized value $chain in concatenation (.) or string at /opt/vmware/vshield/cli/ptrace.pl line 121.
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
rid    pkts bytes target     prot opt in     out     source               destination
0         1    78 int_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0
0         1    78 usr_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
rid    pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 56 packets, 3640 bytes)
rid    pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 56 packets, 3640 bytes)
rid    pkts bytes target     prot opt in     out     source               destination
0        56  3640 int_snat   all  --  *      *       0.0.0.0/0            0.0.0.0/0
0        56  3640 usr_snat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain int_dnat (1 references)
rid    pkts bytes target     prot opt in     out     source               destination

Chain int_snat (1 references)
rid    pkts bytes target     prot opt in     out     source               destination
0         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec mode tunnel

Chain usr_dnat (1 references)
rid    pkts bytes target     prot opt in     out     source               destination
0         0     0 LOG        all  --  vNic_0 *       0.0.0.0/0            192.168.18.50        LOG flags 0 level 4 prefix "DNAT_"
0         0     0 DNAT       all  --  vNic_0 *       0.0.0.0/0            192.168.18.50        to:172.16.10.50

Chain usr_snat (1 references)
rid    pkts bytes target     prot opt in     out     source               destination
0         0     0 LOG        all  --  *      vNic_0  172.16.10.50         0.0.0.0/0            LOG flags 0 level 4 prefix "SNAT_"
0         0     0 SNAT       all  --  *      vNic_0  172.16.10.50         0.0.0.0/0            to:192.168.10.50

 
You can also dump the configured rules as JSON with the command whose output is shown below. As you can see, there are two rules: a DNAT rule (external 192.168.18.50 -> internal 172.16.10.50) and a SNAT rule (internal 172.16.10.50 -> external 192.168.10.50), both bound to vNic_0 with logging enabled. Compare each field against what you entered in the UI and against the usr_dnat and usr_snat chains above; the two views should describe the same rules.
 

vShield Edge NAT Config:
{
   "dnat" : [
      {
         "protocol" : "any",
         "internalIp" : "172.16.10.50",
         "externalPort" : "any",
         "comments" : "",
         "ruleId" : 196611,
         "icmpType" : null,
         "internalPort" : "any",
         "logging" : {
            "enable" : true,
            "logLevel" : null
         },
         "interface" : "vNic_0",
         "externalIp" : "192.168.18.50"
      }
   ],
   "snat" : [
      {
         "protocol" : "any",
         "internalIp" : "172.16.10.50",
         "externalPort" : "any",
         "comments" : "",
         "ruleId" : 196612,
         "icmpType" : null,
         "internalPort" : "any",
         "logging" : {
            "enable" : true,
            "logLevel" : null
         },
         "interface" : "vNic_0",
         "externalIp" : "192.168.10.50"
      }
   ]
}
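The comparison described above can be scripted. The following is an added example, not code from the original post or from VMware: it parses the text of `show nat` and the JSON rule dump, and reports for every configured rule whether it is programmed in the usr_dnat/usr_snat chain, whether its counters have moved, and whether the LOG sibling that "Enable logging" should produce is present. The two samples are constructed from the outputs shown on the page (the JSON is trimmed to the fields the check uses); only protocol/port "any" rules are handled, as on the page.

```python
"""Cross-check NSX Edge NAT rules against the live iptables nat chains.

Added example; not from the original post or from VMware. Only
protocol/port "any" rules are handled, as on the page.
"""
import json
import re

# Constructed sample of `show nat` output, including the CLI's Perl warning,
# which the parser must skip.
SHOW_NAT_SAMPLE = """\
Use of uninitialized value $chain in concatenation (.) or string at /opt/vmware/vshield/cli/ptrace.pl line 121.
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
rid    pkts bytes target     prot opt in     out     source               destination
0         1    78 int_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0
0         1    78 usr_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain usr_dnat (1 references)
rid    pkts bytes target     prot opt in     out     source               destination
0         0     0 LOG        all  --  vNic_0 *       0.0.0.0/0            192.168.18.50        LOG flags 0 level 4 prefix "DNAT_"
0         0     0 DNAT       all  --  vNic_0 *       0.0.0.0/0            192.168.18.50        to:172.16.10.50

Chain usr_snat (1 references)
rid    pkts bytes target     prot opt in     out     source               destination
0         0     0 LOG        all  --  *      vNic_0  172.16.10.50         0.0.0.0/0            LOG flags 0 level 4 prefix "SNAT_"
0         0     0 SNAT       all  --  *      vNic_0  172.16.10.50         0.0.0.0/0            to:192.168.10.50
"""

# Constructed sample of the JSON rule dump, trimmed to the fields used here.
NAT_CONFIG_SAMPLE = """{
 "dnat": [{"protocol": "any", "internalIp": "172.16.10.50", "externalPort": "any",
           "ruleId": 196611, "internalPort": "any", "logging": {"enable": true},
           "interface": "vNic_0", "externalIp": "192.168.18.50"}],
 "snat": [{"protocol": "any", "internalIp": "172.16.10.50", "externalPort": "any",
           "ruleId": 196612, "internalPort": "any", "logging": {"enable": true},
           "interface": "vNic_0", "externalIp": "192.168.10.50"}]
}"""

CHAIN_RE = re.compile(r"^Chain (\S+)(?: \(policy \S+ (\d+) packets, (\d+) bytes\))?")
RULE_RE = re.compile(
    r"^(?P<rid>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<extra>.*))?$"
)


def parse_show_nat(text):
    """Return {chain: {"policy_pkts": int|None, "rules": [rule dicts]}}.
    Column headers, blank lines and the Perl warning match neither regex and are skipped."""
    chains, current = {}, None
    for line in text.splitlines():
        head = CHAIN_RE.match(line)
        if head:
            current, pol = head.group(1), head.group(2)
            chains[current] = {"policy_pkts": int(pol) if pol else None, "rules": []}
            continue
        m = RULE_RE.match(line.strip())
        if m and current:
            rule = m.groupdict()
            rule["pkts"], rule["bytes"] = int(rule["pkts"]), int(rule["bytes"])
            rule["extra"] = rule["extra"] or ""
            chains[current]["rules"].append(rule)
    return chains


def expected_fields(cfg, kind):
    """Map one configured rule onto the iptables fields it should produce."""
    prot = "all" if cfg["protocol"] == "any" else cfg["protocol"]
    if kind == "dnat":  # PREROUTING: ingress interface + external (public) destination
        return {"target": "DNAT", "prot": prot, "in": cfg["interface"], "out": "*",
                "src": "0.0.0.0/0", "dst": cfg["externalIp"], "to": cfg["internalIp"]}
    return {"target": "SNAT", "prot": prot, "in": "*", "out": cfg["interface"],  # POSTROUTING
            "src": cfg["internalIp"], "dst": "0.0.0.0/0", "to": cfg["externalIp"]}


def _same_match(rule, exp):
    return all(rule[k] == exp[k] for k in ("prot", "in", "out", "src", "dst"))


def audit_nat(config_text, show_nat_text):
    """One finding per configured rule: status 'missing' (not programmed),
    'idle' (programmed, never matched) or 'active' (counters non-zero);
    logging_ok is False when logging is enabled but no LOG sibling exists."""
    config, chains = json.loads(config_text), parse_show_nat(show_nat_text)
    findings = []
    for kind in ("dnat", "snat"):
        rules = chains.get("usr_" + kind, {"rules": []})["rules"]
        for cfg in config.get(kind, []):
            exp = expected_fields(cfg, kind)
            hits = [r for r in rules if r["target"] == exp["target"] and _same_match(r, exp)
                    and r["extra"].split()[:1] == ["to:" + exp["to"]]]
            logged = any(r["target"] == "LOG" and _same_match(r, exp)
                         and 'prefix "%s_"' % kind.upper() in r["extra"] for r in rules)
            pkts = sum(r["pkts"] for r in hits)
            status = "missing" if not hits else ("active" if pkts else "idle")
            findings.append({"ruleId": cfg["ruleId"], "kind": kind, "status": status,
                             "pkts": pkts, "logging_ok": logged or not cfg["logging"]["enable"]})
    return findings


if __name__ == "__main__":
    for finding in audit_nat(NAT_CONFIG_SAMPLE, SHOW_NAT_SAMPLE):
        print(finding)
```

Run against the page's own outputs both rules come back as "idle": programmed correctly, logging in place, but no packet has matched yet. Note that the PREROUTING policy counter already shows 1 packet, so traffic did reach the nat table and simply did not match the usr_dnat rule, which is exactly the situation where the next step (a packet capture) tells you what that packet looked like.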

 
If your rule looks correct but the counters do not increment, or they increment and traffic still does not get through, a firewall is the next suspect, either the Edge firewall or a firewall on the destination host. Keep the order of operations in mind: DNAT is applied in PREROUTING before the Edge firewall, so a firewall rule for inbound NAT traffic must allow the translated (internal) destination address; SNAT is applied in POSTROUTING after the firewall, so a rule for outbound traffic must reference the original (internal) source. To see what the Edge is actually doing on the wire, run a packet capture with the command below (the output is plain tcpdump). It dumps all traffic on the interface, so look for your NAT addresses in it; capturing on the external interface and on the internal interface lets you confirm that a packet arriving for the external address leaves with the internal one.
 

vShield-edge-3-0> debug packet display interface vNic_0
tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:05:44.649379 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807552:22807732, ack 107745, win 3165, length 180
19:05:44.649471 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807732:22807912, ack 107745, win 3165, length 180
19:05:44.649506 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807912:22808092, ack 107745, win 3165, length 180
19:05:44.649575 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22808092:22808272, ack 107745, win 3165, length 180
19:05:44.649681 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22808272:22808452, ack 107745, win 3165, length 180
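Matching the two captures by hand is error-prone, so here is an added example (not from the original post or from VMware) that does it: it parses the tcpdump lines that `debug packet display interface` prints and, for every client flow aimed at the external address on the outside interface, checks whether the same packet reappears on the inside interface with the internal destination, and whether a reply from the external address was seen. The two captures are constructed; using vNic_1 as the inside interface is an assumption (the page only shows vNic_0), and the check assumes no port translation, as on the page.

```python
"""Confirm on the wire that a DNAT rule is rewriting packets.

Added example; not from the original post or from VMware. Assumes the
inside interface is vNic_1 and that the DNAT rule does not change ports.
"""
import re

# Constructed: `debug packet display interface vNic_0` (outside). One SSH flow
# to the external address, plus a second flow to port 443 that never gets a reply.
OUTSIDE_CAPTURE = """\
tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:10:01.000100 IP 203.0.113.9.51000 > 192.168.18.50.22: Flags [S], seq 100, win 29200, length 0
19:10:01.000300 IP 192.168.18.50.22 > 203.0.113.9.51000: Flags [S.], seq 500, ack 101, win 28960, length 0
19:10:05.000100 IP 203.0.113.9.51001 > 192.168.18.50.443: Flags [S], seq 200, win 29200, length 0
"""

# Constructed: `debug packet display interface vNic_1` (inside). The SSH flow
# shows up with the translated destination; the 443 flow is absent.
INSIDE_CAPTURE = """\
tcpdump: listening on vNic_1, link-type EN10MB (Ethernet), capture size 65535 bytes
19:10:01.000200 IP 203.0.113.9.51000 > 172.16.10.50.22: Flags [S], seq 100, win 29200, length 0
19:10:01.000250 IP 172.16.10.50.22 > 203.0.113.9.51000: Flags [S.], seq 500, ack 101, win 28960, length 0
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_tcpdump(text):
    """Return a list of packet dicts; lines that are not IPv4/TCP-or-UDP packet
    lines (the tcpdump banner, for instance) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        seq = re.search(r"\bseq (\d+(?::\d+)?)", p["rest"])
        p["seq"] = seq.group(1) if seq else None
        pkts.append(p)
    return pkts


def verify_dnat(outside_text, inside_text, external_ip, internal_ip):
    """For each client flow hitting external_ip on the outside interface, report
       status 'translated'     - the same packet was seen inside with dst internal_ip
              'missing_inside' - never seen inside (rule not matched, or dropped
                                 by the firewall after DNAT)
       reply_seen              - a reply from external_ip to the client was seen
                                 outside, i.e. the full round trip works
    keyed by (client_ip, client_port, destination_port)."""
    outside, inside = parse_tcpdump(outside_text), parse_tcpdump(inside_text)
    report = {}
    for p in outside:
        if p["dst"] != external_ip:
            continue
        key = (p["src"], p["sport"], p["dport"])
        if key in report:
            continue
        # DNAT rewrites only the destination IP here, so source, ports and the
        # TCP sequence field must be identical on the inside copy of the packet.
        translated = any(q["src"] == p["src"] and q["sport"] == p["sport"]
                         and q["dst"] == internal_ip and q["dport"] == p["dport"]
                         and q["seq"] == p["seq"] for q in inside)
        reply = any(q["src"] == external_ip and q["sport"] == p["dport"]
                    and q["dst"] == p["src"] and q["dport"] == p["sport"] for q in outside)
        report[key] = {"status": "translated" if translated else "missing_inside",
                       "reply_seen": reply}
    return report


if __name__ == "__main__":
    for flow, result in verify_dnat(OUTSIDE_CAPTURE, INSIDE_CAPTURE,
                                    "192.168.18.50", "172.16.10.50").items():
        print(flow, result)
```

A flow that is "translated" but has no reply points at the internal host or its own firewall; a flow that is "missing_inside" points at the Edge itself (rule not matching, or the Edge firewall dropping the translated packet). Note that the reply on the outside interface carries the external address as its source: conntrack reverses the DNAT for return traffic, so you should not expect to see the internal address on vNic_0 at all.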

 
Finally, you can enable logging for a rule by navigating to Networking & Security -> NSX Edges, double-clicking the Edge device with the NAT, and selecting Manage -> NAT. Edit the rule and make sure Enable logging is checked.
 
 
Then run show log to view the Edge's log. The entries below record the configuration push that created the rules: FEATURE_MGR notes that snat and dnat changed, and R_NAT reports one user-defined DNAT rule and one user-defined SNAT rule being created. Once traffic matches a rule with logging enabled, the LOG targets seen in the usr_dnat and usr_snat chains write entries with the prefix DNAT_ or SNAT_, so look for those prefixes in the log to confirm that a packet was actually translated.
 

vShield-edge-3-0> show log
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: FEATURE_MGR ::   snat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: FEATURE_MGR :: collect output of snat...
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: FEATURE_MGR ::   dnat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: FEATURE_MGR :: collect output of dnat...
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: RESOURCE_MGR :: loaded resource data from /var/db/vmware/vshield/vse_two/resource_save.psf
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: RESOURCE_MGR :: ========================= RESOURCE MGR =========================
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: RESOURCE_MGR ::    nat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: RESOURCE_MGR ::      snat->nat:add_u_snat
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: RESOURCE_MGR ::      dnat->nat:add_u_dnat
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: R_NAT :: snat:add_u_snat: add 1 rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: R_NAT :: dnat:add_u_dnat: add 1 rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: R_NAT :: created 1 user_defined dnat rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: R_NAT :: created 1 user_defined snat rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config:  [daemon.info] INFO :: R_NAT :: created 0 loadbalancer snat rules

 

1 Comment

  1. Mauricio Harley - November 16, 2015 - 12:06 pm

    What is the command related to the second gray block? Would it be “show configuration nat”?
