Dynamic NAT Configuration

Dynamic NAT is used when the user wants to forward traffic from a LAN segment to the Internet on an untrusted port. In this case, the user configures the NAT in an outbound direction and makes sure the corresponding filter policies are defined to allow traffic back in. By default, once the dynamic NAT has been configured, the system adds three filter policies.

These policies will:

  • allow Any IPhost route, Any zone, Any source and destination.

  • allow match established rule, for reverse traffic of sessions initiated from the inside network.

  • drop all other traffic from the source zone to the destination zone (zone specific).

The following screenshot displays the configuration options for the dynamic NAT configuration.

[Screenshot: dynamic NAT configuration options]

Configuration Options

  • Priority – the order the policy will be applied within all the defined policies. Lower priority policies are applied before higher priority policies.

  • Direction – the direction from the virtual interface or service perspective the translation will operate.

      • Outbound – the destination address for a packet will be translated for packets received on the service. The source address will be translated for packets transmitted on the service.

        For example, LAN service to Internet service – for packets outbound (LAN to Internet), the source IP address is translated. For packets inbound or received (Internet to LAN), the destination IP address is translated.

      • Inbound – the source address for a packet will be translated for packets received on the service. The destination address will be translated for packets transmitted on the service.

        For example, Internet service to LAN service – for packets received on the Internet service, the source IP address is translated. For packets transmitted on the Internet service, the destination IP address is translated.

  • Type – the type of dynamic NAT to perform.

      • Port-Restricted – Port-Restricted NAT is what most consumer grade gateway routers use. Inbound connections are generally disallowed unless a port is specifically forwarded to an inside address. Outbound connections allow return traffic from the same remote IP and port (this is known as endpoint independent mapping). This requirement limits a Port-Restricted NAT firewall to 65535 simultaneous sessions, but facilitates an often used internet technology known as hole punching.

      • Symmetric – Symmetric NAT is sometimes known as enterprise NAT because it allows for a much larger NAT space and enhances security by making translations less predictable. Inbound connections are generally disallowed unless a port is specifically forwarded to an inside address. Outbound connections allow return traffic from the same remote IP and port. Connections from the same inside IP and port need to map to the same outside IP and port (this is known as endpoint dependent mapping). This mode explicitly prevents hole punching.

  • Service Type – in reference to an SD-WAN service. For static NAT these include Local (to the appliance), Intranet, Internet.

  • Service Name – the specific service name that corresponds to the defined Service Type above.

  • Inside Zone – select the inside zone for the packets that require NAT.

  • Inside IP address – define an IP host address or a subnet based on traffic that requires NAT. This should be an IP address that resides in the Inside Zone.

  • Allow Related – allow traffic related to the flow matching the rule. For example, ICMP redirection related to the specific flow that matched the policy, if there was some type of error related to the flow.

  • IPsec Passthrough – allow IPsec traffic to pass through unchanged.

  • GRE/PPTP Passthrough – allow GRE or IPsec to pass through unchanged.

  • Port Parity – allows parity for NAT connections.
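
The practical difference between the Port-Restricted and Symmetric types listed under Type can be seen in a small model of the NAT table. This is an added example, not code from the product: the class and function names, addresses and port range are constructed for illustration, and the mapping terms are used as defined in RFC 4787.

```python
import itertools

class DynamicNat:
    """Toy model of an outbound dynamic NAT table (illustrative, not appliance code)."""

    def __init__(self, nat_type, outside_ip="203.0.113.1"):
        assert nat_type in ("port-restricted", "symmetric")
        self.nat_type = nat_type
        self.outside_ip = outside_ip
        # Constructed port range; sequential allocation keeps the run reproducible,
        # whereas a real symmetric NAT makes its translations less predictable.
        self.ports = itertools.count(40000)
        self.mappings = {}   # mapping key -> outside port
        self.sessions = {}   # (outside port, remote endpoint) -> inside endpoint

    def outbound(self, inside, remote):
        """Translate a packet from inside (ip, port) to remote (ip, port)."""
        # Endpoint-independent mapping keys on the inside endpoint only;
        # endpoint-dependent mapping also keys on the remote endpoint.
        key = inside if self.nat_type == "port-restricted" else (inside, remote)
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
        port = self.mappings[key]
        # Both types admit return traffic only from the exact remote IP and port.
        self.sessions[(port, remote)] = inside
        return (self.outside_ip, port)

    def inbound(self, remote, outside_port):
        """Return the inside endpoint for a received packet, or None if dropped."""
        return self.sessions.get((outside_port, remote))


def hole_punch(nat_type):
    """A peer tries to reach a client at the address a rendezvous server observed."""
    nat = DynamicNat(nat_type)
    client = ("10.0.0.5", 5000)
    rendezvous = ("198.51.100.10", 3478)
    peer = ("192.0.2.77", 6000)
    observed = nat.outbound(client, rendezvous)  # address the server reports to the peer
    punched = nat.outbound(client, peer)         # client opens a session toward the peer
    delivered = nat.inbound(peer, observed[1])   # peer sends to the reported address
    return observed, punched, delivered
```

With Port-Restricted the peer's packet reaches the client because the client's outside port is the same for both destinations; with Symmetric the session toward the peer uses a different outside port, so the packet sent to the reported address is dropped.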
