NAT Rules

The NAT Rule Base has two sections that specify how the IP addresses are translated:

• Original Packet
• Translated Packet

Each section in the NAT Rule Base is divided into cells that define the Source, Destination, and Service for the traffic.

Automatic and Manual NAT Rules

There are two types of NAT rules for network objects:

• Rules that SmartConsole automatically creates and adds to the NAT Rule Base
• Rules that you manually create and then add to the NAT Rule Base

When you create manual NAT rules, it can be necessary to create the translated NAT objects for the rule.

Using Automatic Rules

You can enable automatic NAT rules for these SmartConsole objects:

• Security Gateways
• Hosts
• Networks
• Address Ranges

SmartConsole creates two automatic rules for Static NAT, to translate the source and the destination of the packets.

For Hide NAT, one rule is created to translate the source of the packets.

For network and address range objects, SmartConsole creates a different rule to NOT translate intranet traffic. IP addresses for computers on the same object are not translated.

This table summarizes the NAT automatic rules:

Type of Traffic	Static NAT	Hide NAT
Internal to external	Rule translates source IP address	Rule translates source IP address
External to internal	Rule translates destination IP address	N/A (External connections are not allowed)
Intranet (for network and address range objects)	Rule does not translate IP address	Rule does not translate IP address

Order of NAT Rule Enforcement

The Firewall enforces the NAT Rule Base in a sequential manner. Automatic and manual rules are enforced differently. Automatic rules can use bidirectional NAT to let two rules be enforced for a connection.

• Manual rules - The first manual NAT rule that matches a connection is enforced. The Firewall does not enforce a different NAT rule that can be more applicable.
• Automatic rules - Two automatic NAT rules that match a connection, one rule for the Source and one for the Destination can be enforced. When a connection matches two automatic rules, those rules are enforced.

SmartConsole organizes the automatic NAT rules in this order:

1. Static NAT rules for Firewall, or host (computer or server) objects
2. Hide NAT rules for Firewall, or host objects
3. Static NAT rules for network or address range objects
4. Hide NAT rules for network or address range objects

Sample Automatic Rules

Here are some sample automatic rules.

Static NAT for a Network Object

1. Intranet connections in the HR network are not translated. The Firewall does not translate a connection between two computers that are part of the HR object.

   The Firewall does not apply rules 2 and 3 to traffic that matches rule 1.

2. Connections from IP addresses from the HR network to any IP address (usually external computers) are translated to the Static NAT IP address.
3. Connections from any IP address (usually external computers) to the HR are translated to the Static NAT IP address.

Hide NAT for Address Range

1. Intranet connections in the Sales address range are not translated. The Firewall does not translate a connection between two computers that use IP addresses that are included in the Sales object.

   The Firewall does not apply rule 2 to traffic that matches rule 1.

2. Connections from IP addresses from the Sales address range to any IP address (usually external computers) are translated to the Hide NAT IP address.

Configuring Static and Hide NAT

You can enable and configure NAT for SmartConsole objects.

Configuring Static NAT

When you enable Static NAT, each object is translated to a different IP address. SmartConsole can automatically create the NAT rules, or you can create them manually.

Configuring Hide NAT

Hide NAT uses different port numbers to identify the internal IP addresses. When you enable Hide NAT mode, the Firewall can translates the IP address to:

• The IP address of the external Security Gateway interface
• The IP address for the object

Note - You cannot use Hide NAT for these configurations:

• Traffic that uses protocols where the port number cannot be changed
• An external server that uses IP addresses to identify different computers and clients

Enabling Automatic NAT

SmartConsole can automatically create and configure the NAT rules for a network. Enable automatic NAT for every object, for which you are translating the IP address. Then configure the Access Control Rule Base to allow traffic to the applicable objects.

To enable automatic NAT:

1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

   The General Properties window of the gateway opens.

2. From the navigation tree, select NAT > Advanced.
3. Select Add automatic address translation rules to hide this Gateway behind another Gateway.
4. Select the Translation method: Hide or Static.
5. Configure the NAT IP address for the object.
   • Hide behind Gateway - Use the IP address of the Security Gateway
   • Hide behind IP address - Enter the IP address.
6. Click Install on Gateway and select All or the Security Gateway that translates the IP address.
7. Click OK.

After you enable and configure NAT on all applicable gateways, install the policy.

Automatic Hide NAT to External Networks

For large and complex networks, it can be impractical to configure the Hide NAT settings for all the internal IP addresses. An easy alternative is to enable a Firewall to automatically Hide NAT for all traffic with external networks. The Firewall translates all traffic that goes through an external interface to the valid IP address of that interface.

In this sample configuration, computers in internal networks open connections to external servers on the Internet. The source IP addresses of internal clients are translated to the IP address of an external interface.

Item	Description
1	Internal networks
2	Security Gateway - Firewall is configured with automatic Hide NAT.
2A and 2B	Two external interfaces 192.0.2.1 and 192.0.2.100.
1 -->3	External computers and servers on the Internet

Source IP addresses are translated to the applicable external interface IP address: 192.0.2.1 or 192.0.2.100.

Note - If a connection matches a regular NAT rule and a NAT-for-internal-networks rule, the regular NAT rule takes precedence.

To enable automatic Hide NAT:

1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

   The General Properties window of the gateway opens.

2. From the navigation tree, select NAT.
3. Select Hide internal networks behind the Gateway's external IP.
4. Click OK.
5. Install the policy.

Enabling Manual NAT

For some deployments, it is necessary to manually define the NAT rules. Create SmartConsole objects that use the valid (NATed) IP addresses. Create NAT rules to translate the original IP addresses of the objects to valid IP addresses. Then configure the Firewall Rule Base to allow traffic to the applicable translated objects with these valid IP addresses.

Note - For manual NAT rules, it is necessary to configure Proxy ARP entries to associate the translated IP address.

These are some situations that must use manual NAT rules:

• Rules that are restricted to specified destination IP addresses and to specified source IP addresses
• Translate both source and destination IP addresses in the same packet.
• Static NAT in only one direction
• Translate services (destination ports)
• Rules that only use specified services (ports)
• Translate IP addresses for dynamic objects

This procedure explains how to configure manual Static NAT for a web server. You can also configure manual Hide NAT for SmartConsole objects.

To enable manual Static NAT, follow this workflow:

1. Create a clone from the network object, for example, the Web server.
2. Add a NAT rule that maps the original object to the NATed one.
3. Add Access Control rules that allow traffic to the new NATed objects.

To create a clone network object:

1. In SmartConsole, right-click the object and select Clone.

   The General Properties window of the new object opens.

2. Enter the Name. We recommend that you name the object <name>_valid_address.
3. Enter the NATed IP address.
4. Click OK.

To add a NAT rule to the Rule Base:

1. In SmartConsole, go to Security Policies > Access Control > NAT.
2. Add a manual rule above the automatic NAT rules.
3. Configure the manual rule to translate the IP address. For example:
   • Original Source - WebServer
   • Translated Source - WebServer_valid_address

To add Access Control rules:

1. In SmartConsole, go to Security Policies > Access Control > Policy.
2. Add rules that allow traffic to the applicable NATed objects.

   These objects are the cloned objects that are called <name>_valid_address.

3. Install the policy.

Sample Deployment (Static and Hide NAT)

The goal for this sample deployment is to configure:

• Static NAT for the SMTP and the HTTP servers on the internal network. These servers can be accessed from the Internet using public addresses.
• Hide NAT for the users on the internal network that gives them Internet access. This network cannot be accessed from the Internet.

Item	Description
1	Internal computers (Alaska_LAN 2001:db8::/64)
2	Web server (Alaska.Web 2001:db8:0:10::5 translated to 2001:db8:0:a::5)
3	Mail server (Alaska.Mail 2001:db8:0:10::6 translated to 2001:db8:0:a::6)
4	Security Gateway (External interface 2001:db8:0:a::1)
5	External computers and servers in the Internet

To configure NAT for the network:

1. Enable automatic Static NAT for the web server.
   1. Double-click the Alaska.Web object and select NAT.
   2. Select Add Automatic Address Translation Rules.
   3. In Translation method, select Static.
   4. Select Hide behind IP Address and enter 2001:db8:0:a::5.
   5. Click OK.
2. Enable automatic Static NAT for the mail server.
   1. Double-click the Alaska.Mail object and select NAT.
   2. Select Add Automatic Address Translation Rules.
   3. In Translation method, select Static.
   4. Select Hide behind IP Address and enter 2001:db8:0:a::6.
   5. Click OK.
3. Enable automatic Hide NAT for the internal computers.
   1. Double-click the Alaska_LAN object and select NAT.
   2. Select Add Automatic Address Translation Rules.
   3. In Translation method, select Hide.
   4. Select Hide behind Gateway.
4. Click OK and then install the policy.

Sample Deployment (Manual Rules for Port Translation)

The goal for this sample configuration is to let external computers access a web and mail server in a DMZ network from one IP address. Configure Hide NAT for the DMZ network object and create manual NAT rules for the servers.

Item	Description
1	External computers and servers in the Internet
2	Security Gateway (Alaska_GW external interface 2001:db8:0:c::1)
3	DMZ network (Alaska_DMZ 2001:db8:a::/128)
4	Web server (Alaska_DMZ_Web 2001:db8:a::35:5 translated to 2001:db8:0:c::1)
5	Mail server (Alaska_DMZ_Mail 2001:db8:a::35:6 translated to 2001:db8:0:c::1)

To configure NAT for the DMZ servers:

1. Enable automatic Hide NAT for the DMZ network.
   1. Double-click the Alaska_DMZ object and select NAT.
   2. Select Add Automatic Address Translation Rules.
   3. In Translation method, select Hide.
   4. Select Hide behind Gateway.
   5. Click OK.
2. Create a manual NAT rule that translates HTTP traffic from the Security Gateway to the web server.
   1. In SmartConsole, go to Security Policies > Access Control > NAT.
   2. Add a rule below the automatic rules.
   3. Right-click the cell and select Add new items to configure these settings:
      • Original Destination - Alaska_GW
      • Original Service - HTTP
      • Translated Destination - Alaska_DMZ_Web
3. Create a manual NAT rule that translates SMTP traffic from the Security Gateway to the mail server.
   1. Add a rule below the automatic rules.
   2. Right-click the cell and select Add new items to configure these settings:
      • Original Destination - Alaska_GW
      • Original Service - SMTP
      • Translated Destination - Alaska_DMZ_Web
4. Create a rule in the Firewall Rule Base that allows traffic to the servers.
   1. In SmartConsole, go to Security Policies > Access Control > NAT.
   2. Add a rule to the Rule Base.
   3. Right-click the cell and select Add new items to configure these settings:
      • Destination - Alaska_DMZ
      • Service - HTTP, SMTP
      • Action - Allow
5. Install the policy.

NAT Rule Base for Manual Rules for Port Translation Sample Deployment