GatewayNatRule
The configuration for a given NAT Rule.
{
"id": "string",
"name": "string",
"description": "string",
"enabled": false,
"active": false,
"type": "string",
"applicationPortProfile": {
"name": "string",
"id": "string"
},
"externalAddresses": "string",
"internalAddresses": "string",
"dnatExternalPort": "string",
"logging": false,
"systemRule": false,
"snatDestinationAddresses": "string",
"firewallMatch": "string",
"priority": 0,
"version": {
"version": 0
},
"appliedTo": {
"name": "string",
"id": "string"
},
"policyBasedVpnMode": "string"
}The unique ID of the NAT Rule. This must be supplied when updating a given NAT Rule. On creation, an unique ID is generated for the NAT Rule. This ID is not a VCD URN.
User friendly name for the NAT Rule. Name must be provided.
description
This property is removed starting API version 38.1, please use active in its place.
A flag indicating whether the individual nat rule is active or not. The default is true.
Represents the type of NAT Rule. Below are valid values.
SNAT- This translates an internal IP to an external IP and is used for outbound traffic.DNAT- This translates the external IP to an internal IP and is used for inbound traffic.NO_SNAT- No internal IP translation takes place.NO_DNAT- No external IP translation takes place.REFLEXIVE- Also known as Stateless NAT. This translates an internal IP to an external IP and vice versa. The number of internal addresses should be exactly the same as that of external addresses.
The external addresses for the NAT Rule. This must be supplied as a single IP or Network CIDR. For a DNAT rule, this is the external facing IP Address for incoming traffic. For an SNAT rule, this is the external facing IP Address for outgoing traffic. If this is an Edge Gateway, and it is not using IP Spaces, these IPs are typically allocated on the Edge Gateway. If the Edge or Provider Gateway is using IP Spaces, the IPs are typically in the IP Space associated with the IP Space uplinks of the Provider Gateway. For a REFLEXIVE rule, these are the external facing IPs.
The internal addresses for the NAT Rule. This must be supplied as a single IP or Network CIDR. For a DNAT rule, this is the internal IP Address for incoming traffic. For an SNAT rule, this is the internal IP Address for outgoing traffic. For a REFLEXIVE rule, these are the internal IPs. These ips are typically the Private IPs that are allocated to workloads. Property must be set for rule types: REFLEXIVE, NO_SNAT, DNAT. If property is unset, the field means ANY network.
This represents the external port number or port range when doing DNAT port forwarding from external to internal. The default dnatExternalPort is "ANY" meaning traffic on any port for the given IPs selected will be translated.
A flag indicating whether logging for the individual nat rule is active or not. The default is false.
A flag indicating whether this NAT rule is managed by the system. This is not user editable
The destination addresses to match in the SNAT Rule. This must be supplied as a single IP or Network CIDR. Providing no value for this field results in match with ANY destination network. These IPs are typically the Private IPs that are allocated to destination workloads.
Determines how the firewall matches the address during NATing if firewall stage is not skipped. Below are valid values.
MATCH_INTERNAL_ADDRESSindicates the firewall will be applied to internal address of a NAT rule. For SNAT, the internal address is the original source address before NAT is done. For DNAT, the internal address is the translated destination address after NAT is done. For REFLEXIVE, to egress traffic, the internal address is the original source address before NAT is done; to ingress traffic, the internal address is the translated destination address after NAT is done.MATCH_EXTERNAL_ADDRESSindicates the firewall will be applied to external address of a NAT rule. For SNAT, the external address is the translated source address after NAT is done. For DNAT, the external address is the original destination address before NAT is done. For REFLEXIVE, to egress traffic, the external address is the translated internal address after NAT is done; to ingress traffic, the external address is the original destination address before NAT is done.BYPASSfirewall stage will be skipped.
If an address has multiple NAT rules, the rule with the highest priority is applied. A lower value means a higher precedence for this rule. On Edge Gateways, for API version below 38.0, this value defaults to 0. For Provider Gateways or API version 38.0 and above, this value defaults to 50.
This property describes the current version of the entity. To prevent clients from overwriting each other's changes, update operations must include the version which can be obtained by issuing a GET operation. If the version number on an update call is missing, the operation will be rejected. This is only needed on update calls.
Determines how the NAT rule is applied for Policy-Based VPN traffic. This field is supported only for DNAT and NO_DNAT action values, and is ignored for others. The default value is BYPASS. This field does not apply to route-based VPN traffic.
BYPASSIndicates the NAT rule is not applied to traffic decrypted from a policy-based tunnel.MATCHIndicates the NAT rule is applied to ONLY traffic decrypted from a policy-based tunnel.