VMware Server NAT Configuration
Network Address Translation (NAT) is a mechanism whereby a number of different computers, typically on a private internal network, are represented by a single external IP address. When one of the clients on the private network communicates with a remote system it does so through a NAT device, which rewrites the packet headers to make it appear that the packet was sent from the shared NAT IP address and records the translation in a table. When the remote system responds, the NAT device uses that table to direct the response to the original client that initiated the connection.
In physical network environments, NAT serves two primary purposes. Firstly, it helps to conserve the limited supply of public IPv4 addresses. An entire enterprise with many thousands of computer systems can operate on the internet using only one unique IP address by assigning private IP addresses to the internal clients and using NAT to have them all represented by a single external IP address. On the general belief that the less a potential intruder knows about an internal network the better, NAT is also often credited with providing an additional level of security by hiding the internal IP addresses of computer systems behind the external IP address. In practice the protection comes from the translation table: an outside host cannot reach an internal system unless the internal system initiated the connection or an explicit port forward exists. NAT is not a substitute for a firewall, and every port forward that is added re-exposes an internal service.
In the context of VMware Server, a NAT based virtual network allows an entire private network to be created within the VMware Server environment, all participants of which are represented by a single IP address, i.e. that of the host computer.
How VMware Server based NAT Works
Both the NAT device and any virtual machines connected to the default NAT virtual network use the vmnet8 virtual network switch. Also attached to this virtual switch is the VMware Server DHCP server which can be used to assign dynamic IP addresses, gateway and DNS information to the virtual machines on the NAT based network.
When a virtual machine sends a packet, the NAT device changes the source address (that of the virtual machine) to the address of the host computer before transmitting it to its intended destination. When the recipient responds, the NAT device modifies the packet so that it is addressed to the IP address of the virtual machine which initiated the connection, and subsequently forwards it to that system on the virtual network.
Unless some form of port forwarding is configured on the NAT device (a topic which is discussed later in this chapter), it is not possible for an external client to initiate a network connection with a virtual machine running inside a VMware Server NAT based virtual network.
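The behaviour described above can be modelled in a few dozen lines. The following is an added example, not VMware's code: a simplified NAT device whose translation table is created by outbound traffic from a virtual machine, whose replies are matched against that table and rewritten back to the virtual machine, and which discards unsolicited inbound traffic unless a static port forward (the equivalent of an [incomingtcp] or [incomingudp] entry in nat.conf) exists. Idle UDP mappings expire after a timeout, mirroring the [udp] timeout setting described later in this chapter. All addresses, ports and the timeout value are constructed for illustration, and matching replies on the remote endpoint is an assumption of this model rather than documented VMware behaviour.

```python
"""Simplified model of how the VMware Server NAT device forwards traffic.

Added example, not VMware's code. Addresses, ports and the timeout below
are constructed; matching replies on the remote endpoint is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    vm_ip: str
    vm_port: int
    remote_ip: str
    remote_port: int
    last_seen: float   # time of the last packet in either direction


class NatDevice:
    def __init__(self, host_ip: str, udp_timeout: float = 30.0, first_port: int = 40000):
        self.host_ip = host_ip
        self.udp_timeout = udp_timeout
        self.next_port = first_port
        # Dynamic translations created by outbound traffic: (proto, host port) -> Mapping
        self.table: Dict[Tuple[str, int], Mapping] = {}
        # Static forwards, the equivalent of [incomingtcp] / [incomingudp] entries
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_forward(self, proto: str, host_port: int, vm_ip: str, vm_port: int) -> None:
        self.forwards[(proto, host_port)] = (vm_ip, vm_port)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """VM -> remote: rewrite the source to the host address and a host-side port."""
        self._expire(now)
        key = self._existing(pkt)
        if key is None:
            key = (pkt.proto, self.next_port)
            self.next_port += 1
            self.table[key] = Mapping(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now)
        self.table[key].last_seen = now
        return Packet(pkt.proto, self.host_ip, key[1], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """remote -> host: deliver to a VM only through a live mapping or a static forward."""
        self._expire(now)
        key = (pkt.proto, pkt.dst_port)
        m = self.table.get(key)
        if m is not None and (m.remote_ip, m.remote_port) == (pkt.src_ip, pkt.src_port):
            m.last_seen = now
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, m.vm_ip, m.vm_port)
        fwd = self.forwards.get(key)
        if fwd is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None   # no mapping and no forward: the packet is discarded

    def _existing(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Reuse the mapping for a flow the VM has already opened."""
        for key, m in self.table.items():
            if key[0] == pkt.proto and (m.vm_ip, m.vm_port, m.remote_ip, m.remote_port) == \
                    (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                return key
        return None

    def _expire(self, now: float) -> None:
        """Forget UDP mappings idle longer than the timeout (TCP is kept, for simplicity)."""
        stale = [k for k, m in self.table.items()
                 if k[0] == "udp" and now - m.last_seen > self.udp_timeout]
        for k in stale:
            del self.table[k]


if __name__ == "__main__":
    nat = NatDevice("192.168.1.10", udp_timeout=30)
    out = nat.outbound(Packet("udp", "172.16.86.128", 5353, "8.8.8.8", 53), now=0)
    print("outbound rewritten to", out.src_ip, out.src_port)
    reply = Packet("udp", "8.8.8.8", 53, "192.168.1.10", out.src_port)
    print("reply delivered to", nat.inbound(reply, now=10))
    print("late reply after timeout:", nat.inbound(reply, now=60))
    print("unsolicited inbound:", nat.inbound(Packet("tcp", "203.0.113.5", 4444, "192.168.1.10", 80), now=0))
```

Running the script shows the four cases in order: the outbound packet leaves with the host's address and an allocated port, the timely reply is rewritten back to the virtual machine, the reply that arrives after the UDP timeout is dropped, and the unsolicited TCP connection attempt is dropped because no mapping or forward matches it.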
Configuring NAT on Windows VMware Hosts
The VMware Server NAT device may be configured on Windows hosts using the Manage Virtual Networks tool, which is accessed by selecting Start -> All Programs -> VMware Server -> Manage Virtual Networks. Once loaded, clicking on the NAT tab displays the NAT configuration settings as illustrated in the following figure:
The NAT page of the VMware Manage Virtual Networks tool
Configuring NAT on Linux Hosts
Unfortunately, VMware Server on Linux lacks a user friendly equivalent of the Windows Manage Virtual Networks tool, instead requiring the manual editing of the /etc/vmware/vmnet8/nat/nat.conf file (keeping in mind that the vmnet8 name will need to be changed if the settings are to be configured for a custom created virtual network).
The nat.conf file contains a number of different sections, each allowing a different aspect of the NAT device to be configured:
[host]
- ip - The IP address of the NAT device on the virtual network. By default this will be <xxx>.2 where the <xxx> is the subnet address assigned to the virtual network (for example, 172.16.86.2).
- netmask - The subnet mask to be used for the NAT device.
- configport - The port to be used for accessing information about the NAT device. By default this directive is commented out with a # character for security purposes.
- device - The VMnet virtual network switch to which the NAT device is attached.
- activeFTP - A value of 1 indicates that active FTP sessions (i.e. sessions in which the data connection is initiated by the remote FTP server back to the client) are supported. A setting of 0 limits connections to passive sessions.
[udp]
- timeout - The amount of time, in seconds, to keep UDP mapping for the NAT device. This is essentially the amount of time for which the NAT device remembers which virtual machine initiated a specific UDP based connection with an external system. If the external system responds after the timeout period has elapsed, the NAT will no longer know to which virtual machine the data should be forwarded, and the UDP packet will be discarded.
[incomingtcp]
The [incomingtcp] section of the nat.conf file is used to configure TCP port forwarding. This essentially involves mapping an incoming TCP port on the host to the IP address and TCP port of a virtual machine. For example, to map data coming into TCP port 8080 on the host to port 80 on a virtual machine with an IP address of 172.16.86.128, the following directive would need to be entered into the [incomingtcp] section of the configuration file:
8080 = 172.16.86.128:80
As many TCP port forwarding directives as necessary may be added to this section of the NAT configuration file. Each one makes the corresponding host port reachable by any system that can reach the host, so forwards should be limited to the services that genuinely need to be exposed.
[incomingudp]
The [incomingudp] section of the nat.conf file is used to configure UDP port forwarding. Similar to the [incomingtcp] section, this essentially involves mapping an incoming UDP port on the host to the IP address and UDP port of a virtual machine. For example, to map data coming into UDP port 8081 on the host to port 8082 on a virtual machine with an IP address of 172.16.86.128, the following directive would need to be entered into the [incomingudp] section of the configuration file:
8081 = 172.16.86.128:8082
As many UDP port forwarding directives as necessary may be added to this section of the NAT configuration file.
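Because every [incomingtcp] and [incomingudp] entry exposes a virtual machine service on the host, it is worth auditing a nat.conf before relying on it. The following is an added example, not part of VMware Server: a small parser for the nat.conf format described in this section, followed by an audit of the forwarding entries that flags a host port forwarded twice, a target address outside the NAT subnet derived from the [host] ip and netmask, a forward pointing at the NAT device itself, a privileged host port, and an uncommented configport. The sample configuration embedded in the script is constructed for illustration.

```python
"""Parse a VMware Server nat.conf and audit its port-forwarding sections.

Added example, not part of VMware Server. SAMPLE_NAT_CONF is a constructed
configuration in the format this chapter describes.
"""
import ipaddress
from typing import Dict, List, Tuple

SAMPLE_NAT_CONF = """\
# Constructed sample nat.conf for vmnet8
[host]
ip = 172.16.86.2
netmask = 255.255.255.0
device = /dev/vmnet8
activeFTP = 1
# configport = 33445

[udp]
timeout = 30

[incomingtcp]
8080 = 172.16.86.128:80
22 = 172.16.86.128:22
8080 = 172.16.86.129:80

[incomingudp]
8081 = 172.16.86.128:8082
5060 = 10.0.0.5:5060
"""


def parse_nat_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}, keeping duplicate keys in file order."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def audit_forwards(conf: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return a list of findings about the [incomingtcp] / [incomingudp] entries."""
    host = dict(conf.get("host", []))
    nat_ip = ipaddress.ip_address(host["ip"])
    nat_net = ipaddress.ip_network(f"{host['ip']}/{host['netmask']}", strict=False)
    findings: List[str] = []
    if "configport" in host:
        findings.append(f"configport {host['configport']} is enabled on the NAT device")
    for proto in ("tcp", "udp"):
        seen: Dict[int, str] = {}
        for host_port, target in conf.get(f"incoming{proto}", []):
            hp = int(host_port)
            vm_ip_text, _vm_port = target.rsplit(":", 1)
            vm_ip = ipaddress.ip_address(vm_ip_text)
            tag = f"{proto}/{hp} -> {target}"
            if hp in seen:
                findings.append(f"{tag}: host port already forwarded to {seen[hp]}")
            else:
                seen[hp] = target
            if vm_ip not in nat_net:
                findings.append(f"{tag}: target is outside the NAT subnet {nat_net}")
            elif vm_ip == nat_ip:
                findings.append(f"{tag}: target is the NAT device itself")
            if hp < 1024:
                findings.append(f"{tag}: privileged host port exposed")
    return findings


if __name__ == "__main__":
    for finding in audit_forwards(parse_nat_conf(SAMPLE_NAT_CONF)):
        print(finding)
```

Running the script against the embedded sample reports three findings: the forward of host port 22 uses a privileged port, the second 8080 entry collides with the first, and the UDP forward to 10.0.0.5 points outside the 172.16.86.0/24 NAT subnet. To audit a real host, read /etc/vmware/vmnet8/nat/nat.conf (or the nat.conf of the custom vmnet in use) into parse_nat_conf in place of the sample.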