
NAT Rules

The NAT Rule Base has two sections that specify how the IP addresses are translated:

Each section in the NAT Rule Base is divided into cells that define the Source, Destination, and Service for the traffic.

Automatic and Manual NAT Rules

There are two types of NAT rules for network objects:

When you create manual NAT rules, it can be necessary to create the translated NAT objects for the rule.

Using Automatic Rules

You can enable automatic NAT rules for these SmartConsole objects:

SmartConsole creates two automatic rules for Static NAT, to translate the source and the destination of the packets.

For Hide NAT, one rule is created to translate the source of the packets.

For network and address range objects, SmartConsole also creates a separate rule that does NOT translate intranet traffic: connections between computers that belong to the same object are not translated.

This table summarizes the NAT automatic rules:

Type of Traffic | Static NAT | Hide NAT
--- | --- | ---
Internal to external | Rule translates source IP address | Rule translates source IP address
External to internal | Rule translates destination IP address | N/A (External connections are not allowed)
Intranet (for network and address range objects) | Rule does not translate IP address | Rule does not translate IP address

Order of NAT Rule Enforcement

The Firewall enforces the NAT Rule Base in a sequential manner. Automatic and manual rules are enforced differently. Automatic rules can use bidirectional NAT to let two rules be enforced for a connection.

SmartConsole organizes the automatic NAT rules in this order:

  1. Static NAT rules for Firewall, or host (computer or server) objects
  2. Hide NAT rules for Firewall, or host objects
  3. Static NAT rules for network or address range objects
  4. Hide NAT rules for network or address range objects

Sample Automatic Rules

Here are some sample automatic rules.

Static NAT for a Network Object

  1. Intranet connections in the HR network are not translated. The Firewall does not translate a connection between two computers that are part of the HR object.

    The Firewall does not apply rules 2 and 3 to traffic that matches rule 1.

  2. Connections from IP addresses from the HR network to any IP address (usually external computers) are translated to the Static NAT IP address.
  3. Connections from any IP address (usually external computers) to the HR are translated to the Static NAT IP address.

Hide NAT for Address Range

  1. Intranet connections in the Sales address range are not translated. The Firewall does not translate a connection between two computers that use IP addresses that are included in the Sales object.

    The Firewall does not apply rule 2 to traffic that matches rule 1.

  2. Connections from IP addresses from the Sales address range to any IP address (usually external computers) are translated to the Hide NAT IP address.

Configuring Static and Hide NAT

You can enable and configure NAT for SmartConsole objects.

Configuring Static NAT

When you enable Static NAT, each object is translated to a different IP address. SmartConsole can automatically create the NAT rules, or you can create them manually.

Configuring Hide NAT

Hide NAT uses different port numbers to distinguish the internal IP addresses behind one translated address. When you enable Hide NAT mode, the Firewall can translate the IP address to:

Note - You cannot use Hide NAT for these configurations:

Enabling Automatic NAT

SmartConsole can automatically create and configure the NAT rules for a network. Enable automatic NAT for every object whose IP address you are translating. Then configure the Access Control Rule Base to allow traffic to the applicable objects.

To enable automatic NAT:

  1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

    The General Properties window of the gateway opens.

  2. From the navigation tree, select NAT > Advanced.
  3. Select Add automatic address translation rules to hide this Gateway behind another Gateway.
  4. Select the Translation method: Hide or Static.
  5. Configure the NAT IP address for the object.
    • Hide behind Gateway - Use the IP address of the Security Gateway.
    • Hide behind IP address - Enter the IP address.
  6. Click Install on Gateway and select All or the Security Gateway that translates the IP address.
  7. Click OK.

After you enable and configure NAT on all applicable gateways, install the policy.

Automatic Hide NAT to External Networks

For large and complex networks, it can be impractical to configure the Hide NAT settings for all the internal IP addresses. An easier alternative is to enable the Firewall to apply Hide NAT automatically to all traffic with external networks. The Firewall then translates all traffic that leaves through an external interface to the valid IP address of that interface.

In this sample configuration, computers in internal networks open connections to external servers on the Internet. The source IP addresses of internal clients are translated to the IP address of an external interface.

[Figure: Automatic Hide NAT to External Networks]

Item | Description
--- | ---
1 | Internal networks
2 | Security Gateway - Firewall is configured with automatic Hide NAT.
2A and 2B | Two external interfaces, 192.0.2.1 and 192.0.2.100.
3 | External computers and servers on the Internet
1 --> 3 | Source IP addresses are translated to the applicable external interface IP address: 192.0.2.1 or 192.0.2.100.

Note - If a connection matches a regular NAT rule and a NAT-for-internal-networks rule, the regular NAT rule takes precedence.

To enable automatic Hide NAT:

  1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

    The General Properties window of the gateway opens.

  2. From the navigation tree, select NAT.
  3. Select Hide internal networks behind the Gateway's external IP.
  4. Click OK.
  5. Install the policy.

Enabling Manual NAT

For some deployments, it is necessary to manually define the NAT rules. Create SmartConsole objects that use the valid (NATed) IP addresses. Create NAT rules to translate the original IP addresses of the objects to valid IP addresses. Then configure the Firewall Rule Base to allow traffic to the applicable translated objects with these valid IP addresses.

Note - For manual NAT rules, it is necessary to configure Proxy ARP entries so that the Security Gateway answers ARP requests for the translated IP address.

These are some situations that must use manual NAT rules:

This procedure explains how to configure manual Static NAT for a web server. You can also configure manual Hide NAT for SmartConsole objects.

To enable manual Static NAT, follow this workflow:

  1. Create a clone from the network object, for example, the Web server.
  2. Add a NAT rule that maps the original object to the NATed one.
  3. Add Access Control rules that allow traffic to the new NATed objects.

To create a clone network object:

  1. In SmartConsole, right-click the object and select Clone.

    The General Properties window of the new object opens.

  2. Enter the Name. We recommend that you name the object <name>_valid_address.
  3. Enter the NATed IP address.
  4. Click OK.

To add a NAT rule to the Rule Base:

  1. In SmartConsole, go to Security Policies > Access Control > NAT.
  2. Add a manual rule above the automatic NAT rules.
  3. Configure the manual rule to translate the IP address. For example:
    • Original Source - WebServer
    • Translated Source - WebServer_valid_address

To add Access Control rules:

  1. In SmartConsole, go to Security Policies > Access Control > Policy.
  2. Add rules that allow traffic to the applicable NATed objects.

    These objects are the cloned objects that are called <name>_valid_address.

  3. Install the policy.

Sample Deployment (Static and Hide NAT)

The goal for this sample deployment is to configure:

[Figure: Sample Deployment (Static and Hide NAT)]

Item | Description
--- | ---
1 | Internal computers (Alaska_LAN 2001:db8::/64)
2 | Web server (Alaska.Web 2001:db8:0:10::5 translated to 2001:db8:0:a::5)
3 | Mail server (Alaska.Mail 2001:db8:0:10::6 translated to 2001:db8:0:a::6)
4 | Security Gateway (External interface 2001:db8:0:a::1)
5 | External computers and servers in the Internet

To configure NAT for the network:

  1. Enable automatic Static NAT for the web server.
    1. Double-click the Alaska.Web object and select NAT.
    2. Select Add Automatic Address Translation Rules.
    3. In Translation method, select Static.
    4. Select Hide behind IP Address and enter 2001:db8:0:a::5.
    5. Click OK.
  2. Enable automatic Static NAT for the mail server.
    1. Double-click the Alaska.Mail object and select NAT.
    2. Select Add Automatic Address Translation Rules.
    3. In Translation method, select Static.
    4. Select Hide behind IP Address and enter 2001:db8:0:a::6.
    5. Click OK.
  3. Enable automatic Hide NAT for the internal computers.
    1. Double-click the Alaska_LAN object and select NAT.
    2. Select Add Automatic Address Translation Rules.
    3. In Translation method, select Hide.
    4. Select Hide behind Gateway.
  4. Click OK and then install the policy.

Sample Deployment (Manual Rules for Port Translation)

The goal for this sample configuration is to let external computers access a web and mail server in a DMZ network from one IP address. Configure Hide NAT for the DMZ network object and create manual NAT rules for the servers.

[Figure: Manual NAT Rules for Port Translation]

Item | Description
--- | ---
1 | External computers and servers in the Internet
2 | Security Gateway (Alaska_GW external interface 2001:db8:0:c::1)
3 | DMZ network (Alaska_DMZ 2001:db8:a::/128)
4 | Web server (Alaska_DMZ_Web 2001:db8:a::35:5 translated to 2001:db8:0:c::1)
5 | Mail server (Alaska_DMZ_Mail 2001:db8:a::35:6 translated to 2001:db8:0:c::1)

To configure NAT for the DMZ servers:

  1. Enable automatic Hide NAT for the DMZ network.
    1. Double-click the Alaska_DMZ object and select NAT.
    2. Select Add Automatic Address Translation Rules.
    3. In Translation method, select Hide.
    4. Select Hide behind Gateway.
    5. Click OK.
  2. Create a manual NAT rule that translates HTTP traffic from the Security Gateway to the web server.
    1. In SmartConsole, go to Security Policies > Access Control > NAT.
    2. Add a rule below the automatic rules.
    3. Right-click the cell and select Add new items to configure these settings:
      • Original Destination - Alaska_GW
      • Original Service - HTTP
      • Translated Destination - Alaska_DMZ_Web
  3. Create a manual NAT rule that translates SMTP traffic from the Security Gateway to the mail server.
    1. Add a rule below the automatic rules.
    2. Right-click the cell and select Add new items to configure these settings:
      • Original Destination - Alaska_GW
      • Original Service - SMTP
      • Translated Destination - Alaska_DMZ_Web
  4. Create a rule in the Firewall Rule Base that allows traffic to the servers.
    1. In SmartConsole, go to Security Policies > Access Control > NAT.
    2. Add a rule to the Rule Base.
    3. Right-click the cell and select Add new items to configure these settings:
      • Destination - Alaska_DMZ
      • Service - HTTP, SMTP
      • Action - Allow
  5. Install the policy.

NAT Rule Base for Manual Rules for Port Translation Sample Deployment
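The enforcement order, the sample automatic rules (HR and Sales sections above) and the port-translation deployment, modelled as an added Python example that is not Check Point code or part of this page. The Alaska_GW, Alaska_DMZ_Web and Alaska_DMZ_Mail addresses are the page's; the HR Static NAT objects, the Alaska_DMZ /64 prefix, the service names and the Hide NAT port formula are assumptions made for the illustration, and the SMTP rule maps to the mail server as the description of step 3 says.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the NAT Rule Base behaviour described on this page, not
# Check Point code. DMZ objects follow the port-translation deployment; the HR
# Static NAT objects and the Hide NAT port formula are made up.
ANY = ip_network("::/0")
HR, HR_NAT = ip_network("2001:db8:1::/64"), ip_network("2001:db8:0:b::/64")
ALASKA_GW = ip_network("2001:db8:0:c::1/128")
ALASKA_DMZ = ip_network("2001:db8:a::/64")              # page lists /128; /64 assumed
DMZ_WEB, DMZ_MAIL = ip_network("2001:db8:a::35:5/128"), ip_network("2001:db8:a::35:6/128")

def rule(src, dst, act=None, nat=None, svc=None):
    # act: None (no NAT), "src" or "dst"; nat: a network (1:1 Static NAT) or one address
    return dict(src=src, dst=dst, act=act, nat=nat, svc=svc)

def automatic_rules(obj, method, nat):
    """Rules SmartConsole creates for a network object, in order: no-NAT for
    intranet traffic, source translation, and (Static only) destination."""
    rules = [rule(obj, obj), rule(obj, ANY, "src", nat)]
    if method == "static":
        rules.append(rule(ANY, nat, "dst", obj))
    return rules

# Automatic rules in the page's order (network Static, then network Hide),
# followed by the manual port-translation rules placed below them.
RULES = (automatic_rules(HR, "static", HR_NAT)
         + automatic_rules(ALASKA_DMZ, "hide", ALASKA_GW[0])
         + [rule(ANY, ALASKA_GW, "dst", DMZ_WEB[0], svc="HTTP"),
            rule(ANY, ALASKA_GW, "dst", DMZ_MAIL[0], svc="SMTP")])

def translate(src, dst, svc, sport, rules=RULES):
    """Enforce the rules sequentially against the original connection. A
    matching no-NAT rule ends processing; bidirectional NAT lets one source
    rule and one destination rule both apply. Returns (src, dst, sport)."""
    osrc, odst = ip_address(src), ip_address(dst)
    src, dst, done = osrc, odst, set()
    for r in rules:
        if osrc not in r["src"] or odst not in r["dst"] or r["svc"] not in (None, svc):
            continue
        if r["act"] is None:                            # intranet: leave untouched
            break
        side = r["act"]
        if side in done:                                # that side is already translated
            continue
        done.add(side)
        nat, addr = r["nat"], osrc if side == "src" else odst
        if hasattr(nat, "network_address"):             # Static NAT 1:1: keep host bits
            nat = nat[int(addr) - int(r[side].network_address)]
        elif side == "src":                             # Hide NAT also rewrites the port
            sport = 40000 + sport % 10000               # constructed port allocation
        src, dst = (nat, dst) if side == "src" else (src, nat)
    return str(src), str(dst), sport
```

translate() returns the translated (source, destination, source port) triple, so a connection from the DMZ web server to an HR Static NAT address shows both the Hide source rule and the Static destination rule applied to one connection.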