NAT Rule Base

What can I do here?

In this Rule Base you can configure manual network address translation (NAT) Rules, and examine all NAT rules, both manual and automatic.

Available NAT Methods

Getting Here - Security Policies > Access Control > NAT

NAT

NAT can be defined automatically via the network object (Node, Network or Address Range). When you define NAT via the network object, rules are automatically added to the NAT Rule Base

You can manually specify NAT rules, by adding or editing NAT rules to the NAT Rule Base. You can specify the source, destination and service separately for the original and the translated packet.

Automatic NAT rules cannot be edited in the Rule Base.

NAT Rule Base Structure

The NAT Rule Base is divided into two sections. Each section in the NAT Rule Base Editor is divided into Source, Destination, and Service.

The Original Packet section specifies the conditions when the rule is applied.
The Translated Packet section specifies the action taken when the rule is applied.

The Rule Base action in NAT is always the same:

Translate Source under Original Packet, to Source under Translated Packet.
Translate Destination under Original Packet, to Destination under Translated Packet.
Translate Service under Original Packet, to Service under Translated Packet.

Rule Base Operations

Operations that can be performed on the NAT Rule Base include:

Add a network object to the cell.
Add (static) adds a statically translated network object to the cell.
Add (Hide) adds a Hide NAT translated network object to the cell.

NAT Rule Separator

In the Address Translation tab of SmartConsole you can now add a Section Title above manually added rules or above the first automatic rule. You can not add a Section Title between the automatic rules.

Translating IP Addresses

NAT (Network Address Translation) is a feature of the Firewall Software Blade and replaces IPv4 and IPv6 addresses to add more security. You can enable NAT for all SmartConsole objects to help manage network traffic. NAT protects the identity of a network and does not show internal IP addresses to the Internet. You can also use NAT to supply more IPv4 addresses for the network.

The Firewall can change both the source and destination IP addresses in a packet. For example, when an internal computer sends a packet to an external computer, the Firewall translates the source IP address to a new one. The packet comes back from the external computer; the Firewall translates the new IP address back to the original IP address. The packet from the external computer goes to the correct internal computer.

SmartConsole gives you the flexibility to make necessary configurations for your network:

Easily enable the Firewall to translate all traffic that goes to the internal network.
SmartConsole can automatically create Static and Hide NAT rules that translate the applicable traffic.
You can manually create NAT rules for different configurations and deployments.

How Security Gateways Translate Traffic

A Security Gateway can use these procedures to translate IP addresses in your network:

Static NAT - Each internal IP address is translated to a different public IP address. The Firewall can allow external traffic to access internal resources.
The configuration of static NAT on a range results in the translation of the IP addresses in the range into a range of the same size, starting with the IP address specified.
Hide NAT - The Firewall uses port numbers to translate all specified internal IP addresses to a single public IP address and hides the internal IP structure. Connections can only start from internal computers; external computers CANNOT access internal servers. The Firewall can translate up to 50,000 connections at the same time from external computers and servers.
Hide NAT with Port Translation - Use one IP address and let external users access multiple application servers in a hidden network. The Firewall uses the requested service (or destination port) to send the traffic to the correct server. A typical configuration can use these ports: FTP server (port 21), SMTP server (port 25) and an HTTP server (port 80). It is necessary to create manual NAT rules to use Port Translation.

Using Hide NAT

For each SmartConsole object, you can configure the IP address that is used to translate addresses for Hide NAT mode:

Use the IP address of the external Security Gateway interface
Enter an IP address for the object

Hide NAT uses dynamically assigned port numbers to identify the original IP addresses. There are two pools of port numbers: 600 to 1023, and 10,000 to 60,000. Port numbers are usually assigned from the second pool. The first pool is used for these services:

rlogin (destination port 512)
rshell (destination port 513)
rexec (destination port 514)

If the connection uses one of these services, and the source port number is below 1024, then a port number is assigned from the first pool.

You cannot use Hide NAT for these configurations:

Traffic that uses protocols where the port number cannot be changed
An external server that uses IP addresses to identify different computers and clients

Sample NAT Deployments

Static NAT

Firewalls that do Static NAT, translate each internal IP address to a different external IP address.

Static_NAT R80.10

Item	Description
3	External computers and servers in the Internet
2	Security Gateway - Firewall is configured with Static NAT
1	Internal computers

Sample Static NAT Workflow

An external computer in the Internet sends a packet to 192.0.2.5. The Firewall translates the IP address to 10.10.0.26 and sends the packet to internal computer A. Internal computer A sends back a packet to the external computer. The Firewall intercepts the packet and translates the source IP address to 192.0.2.5.

Internal computer B (10.10.0.37) sends a packet to an external computer. The Firewall intercepts the packet translates the source IP address to 192.0.2.16.

Internet sends packet to 192.0.2.5	Firewall translates this address to 10.10.0.26	Internal computer A receives packet

Internal computer A (10.10.0.26) sends packet to Internet	Firewall translates this address to 192.0.2.5	Internet receives packet from 192.0.2.5

Internal computer B (10.10.0.37) sends packet to Internet	Firewall translates this address to 192.0.2.16	Internet receives packet from 192.0.2.16

Hide NAT

Firewalls that do Hide NAT use different port numbers to translate internal IP address to one external IP address. External computers cannot start a connection to an internal computer.

Hide_NAT

Item	Description
1	Internal computers
2	Security Gateway - Firewall is configured with Hide NAT
3	External computers and servers in the Internet

Sample Hide NAT Workflow

Internal computer A (10.10.0.26) sends a packet to an external computer. The Firewall intercepts the packet and translates the source IP address to 192.0.2.1 port 11000. The external computer sends back a packet to 192.0.2.1 port 11000. The Firewall translates the packet to 10.10.0.26 and sends it to internal computer A.

Internal computer A (10.10.0.26) sends packet to Internet	Firewall translates this address to 192.0.2.1 port 11000	Internet receives packet from 192.0.2.1 port 11000

Internet sends back packet to 192.0.2.1 port 11000	Firewall translates this address to 10.10.0.26	Internal computer A receives packet