Saturday, January 19, 2013

vShield Edge Gateway "IP Masquerading" in vCD 5.1

vCloud Director 5.1 comes with some changes from 1.5: the IP masquerading setting was removed and there is no default rule on the firewall. Since at the office I work on 1.5, and since there is a glitch in the way NAT is implemented, it took me a bit of troubleshooting to figure it out.

My problem was simple - pass traffic out of the organization from a VM to an external server at
This is done in 3 steps:
  • sub-allocate the IP pool on the external network
  • configure NAT rules
  • configure firewall rules
The first thing to do is to sub-allocate the external network IP pool. In the vCD GUI go to Edge Gateway, select the gateway, open the Properties menu and the Sub Allocate IP Pools tab. Choose the external network and sub-allocate the pool:

Second, configure the NAT rules. Go to Edge Gateway, select the gateway, open the Edge Gateway Services menu, the NAT tab, and click Add SNAT. In the rule select the external interface (the one connecting to the external networks), fill in the IP address or subnet of the source VMs and choose as destination IP one of the external IPs from the sub-allocated pool:

The third step is to configure the firewall rules (remember, there are no default rules in 5.1). Go to the Firewall tab and add the rule. I have also added an incoming rule to make the Edge Gateway respond to ping.

Finish the configuration, go to your VM and test the connectivity. You can read about the changes in the following VMware KB.

However, if the test does not work, you can do a bit of troubleshooting: in the vSphere Client open a console to the Edge Gateway, log in with the admin/default credentials and use the following debug command:
debug packet display interface vNic_0 host_192.168.1.200

vNic_0 being the external interface and the destination host, you should see echo requests from to. If, by any chance, you see the original IP address not being NAT-ed, then try a restart of the Edge Gateway. And please let me know if you see such behavior.
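To make the three-step setup and the debug check above concrete, here is an added example (not from the original post or from VMware) that models how the Edge Gateway treats an outgoing VM packet: the translated IP must come from the sub-allocated pool, the firewall has no default rule in 5.1 so an unmatched packet is dropped, and a packet that passes without a matching SNAT rule on vNic_0 shows up on the external interface with its original, un-NAT-ed source. All IPs and rule values are constructed for the example; default_allow=True stands in for an edge that has a default allow rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL_IF = "vNic_0"  # interface facing the external network

@dataclass
class SnatRule:
    interface: str   # interface the rule is applied on
    original: str    # source VM IP or subnet, e.g. "192.168.100.0/24"
    translated: str  # external IP the source gets rewritten to

@dataclass
class FirewallRule:
    source: str       # IP, subnet or "any"
    destination: str  # IP, subnet or "any"
    action: str       # "allow" or "deny"

def _matches(pattern, ip):
    return pattern == "any" or ip_address(ip) in ip_network(pattern, strict=False)

def translated_ip_in_pool(rule, pool_start, pool_end):
    """Step 1 check: the SNAT translated IP must lie inside the sub-allocated pool."""
    t = int(ip_address(rule.translated))
    return int(ip_address(pool_start)) <= t <= int(ip_address(pool_end))

def egress(src, dst, snat_rules, fw_rules, default_allow=False):
    """Decide what happens to a VM packet src -> dst leaving via vNic_0.
    Returns (passed, source IP as seen on vNic_0). First matching firewall rule
    wins; with default_allow=False (vCD 5.1, no default rule) an unmatched
    packet is dropped. If it passes but no SNAT rule on vNic_0 matches, the
    packet leaves with its original source: the symptom the post troubleshoots."""
    action = "allow" if default_allow else "deny"
    for r in fw_rules:
        if _matches(r.source, src) and _matches(r.destination, dst):
            action = r.action
            break
    if action != "allow":
        return (False, None)
    for n in snat_rules:
        if n.interface == EXTERNAL_IF and _matches(n.original, src):
            return (True, n.translated)
    return (True, src)

if __name__ == "__main__":
    # constructed sample: VM subnet, pool 10.10.10.10-10.10.10.20, host from the post
    snat = [SnatRule("vNic_0", "192.168.100.0/24", "10.10.10.11")]
    print(translated_ip_in_pool(snat[0], "10.10.10.10", "10.10.10.20"))
    print(egress("192.168.100.5", "192.168.1.200", snat, []))  # 5.1: dropped
    fw = [FirewallRule("192.168.100.0/24", "any", "allow")]
    print(egress("192.168.100.5", "192.168.1.200", snat, fw))  # passed, NAT-ed
```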
