top of page

NSX-T 3.2 Home lab Setup-Part4 [Deploying Gateway NAT and Firewall services]

This is going to be a short post, and the last post in the "NSX-T 3.2 Home lab setup" series. In this post, we will take a look at how to setup the NSX gateway services, such as NAT and Firewall, on NSX gateway. Please refer to the previous blog post: <>; to understand how to deploy the NSX edge node and gateway.

First, let us take a look at how to setup NAT service on a NSX t0 gateway.

- On the NSX manager, go to the "Networking" tab:

- In the left hand pane, under "Network Services" click on "NAT":

- The NAT menu opens. In the "Gateway" drop-down, select the gateway where you would want to deploy the NAT rule. Then click on the "ADD NAT RULE":

- The NAT rule configuration window opens. NSX supports SNAT, DNAT and Reflexive NAT. Select the appropriate NATing for your use case from the "Action" drop down. For my use case, I will be using SNAT. Enter the source IP or source IP range in CIDR format. Enter the NAT destination IP. The SNAT rule will be applied to all traffic packets matching the source and destination IP defined here. Finally, enter the translated IP. You can also specify the translated and destination port, for further tuning of your NAT rule.

- Click on on "Set" under "Apply to" and select the interface, where you expect the packets matching the NATing rule to arrive:

- Click on the desired interface and click "Apply". After all the configuration are complete, scroll down and click on "Save":

- This completes our NAT Setup.

Let us now take a look at how we configure the gateway firewall for our t0 gateway.

- On the "NSX Manager" click on the "Security" tab:

- Under "Policy Management" click on "Gateway Firewall":

- The "Gateway Firewall" window opens. Click on the "Gateway Specific Rules" tab. Select the Gateway, where you would want to set the firewall rules, from the "Gateway" drop down:

- Click on "+ ADD POLICY". A new policy gets added:

- Click on the "New Policy" check box and click on "+ ADD RULE". "New Rule" gets created:

- You can now edit the "Source" , "Destination" and "Services" fields.

- On source and destination edit window, you will see some predefined groups. In addition, you can set your own groups or set IP addresses:

- In the "Set Services" window, you will find a comprehensive list of commonly used pre-defined services. This is quite impressive. In addition, you can define your own custom ports and services under "Raw Port-Protocols" :

- For this example, I selected the ICMP services group. From the action drop down, select the traffic action: Allow/Drop/Reject:

- After all the configurations are completed, click on publish at the top right corner:

- In this example, I have used the ICMP services to be rejected from any source to any destination:

- You can also select where you would want to apply the firewall rule using the "Applied To" parameter. The available options are the entire gateway or a particular interface:

As seen in the test below, this prevents pings from my home lab to the home internet router:

This concludes our NSX-T homelab setup blog post series. I will be setting up the NSX Platform appliance and NSX intelligence as well, a bit later in the future.... stay tuned!!

373 views0 comments
bottom of page