Static NAT allows the user to configure one-to-one NAT, where an inside IP address is mapped to a single public IP address. The configuration options are described below. You must also define the filter policies that allow return traffic back in for the static NAT configuration.
* Priority - the order in which the policy is applied relative to all the other defined policies. Policies with a lower priority value are applied before policies with a higher value.
* Direction – the direction, from the perspective of the virtual interface or service, in which the translation operates.
* Outbound – the destination address of a packet is translated for packets received on the service. The source address is translated for packets transmitted on the service.
For example, LAN service to Internet service – for outbound packets (LAN to Internet) the source IP address is translated. For inbound or received packets (Internet to LAN) the destination IP address is translated.
* Inbound - the source address of a packet is translated for packets received on the service. The destination address is translated for packets transmitted on the service.
For example, Internet service to LAN service – for packets received on the Internet service, the source IP address is translated. For packets transmitted on the Internet service, the destination IP address is translated.
* Service Type – the SD-WAN service the rule refers to. For static NAT, the choices are Local (to the appliance), Intranet, and Internet.
* Service Name – the specific service name that corresponds to the Service Type selected above.
* Inside Zone – one of the existing inside zones configured on the appliance.
* Inside IP address – the inside (source) IP address and mask, for the direction selected above.
* Outside IP address – the outside IP address and mask that packets are translated to.
Connections can be originated in either direction, inside -> outside or outside -> inside. When a NAT rule is created, it is applied in both directions; which packet fields are matched depends on the NAT rule type (inbound/outbound) and on the direction the connection was initiated in.
In the example configuration shown in the figure:
When a connection is initiated from inside to outside, a packet has to match all of the following conditions for the NAT policy to be applied:
source service = Local and service name = LAN
source IP address = 192.168.10.9
source firewall zone = FIC (inside zone)
When a connection is initiated from outside to inside, a packet has to match all of the following conditions for the NAT policy to be applied:
source firewall zone = Default_LAN_Zone (outside zone)
destination IP address = 10.28.115.81
The directions in the NAT type are with respect to the SD-WAN appliance.
If NAT is to be applied as the connection enters the appliance, it is Inbound NAT. In this case, firewall filters are applied to the translated (outside) IP addresses.
If NAT is to be applied as the connection leaves the appliance, it is Outbound NAT. In this case, firewall filters are applied to the actual (inside) IP addresses.
After the NAT policy is applied, the destination service name must be LAN; otherwise the packet is dropped.
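The following is an added example, not part of the original page and not the appliance's own implementation. It models the rule evaluation described above in Python: rules are tried in priority order; a connection initiated inside -> outside is matched on source service, source IP and inside zone and has its source address rewritten; a connection initiated outside -> inside is matched on the outside zone and destination IP and has its destination address rewritten back; and the address pair the firewall filters are evaluated against depends on whether the rule is Inbound NAT (translated addresses) or Outbound NAT (actual addresses). The rule values are taken from the example on this page; the priority (100), the rule direction (Outbound) and the `outside_zone` field are assumptions made for this demonstration, and the `/32` masks make it a plain one-to-one address swap (the mapping helper also handles equal-length subnet masks by preserving the host bits, which goes beyond the single-host case in the text).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNatRule:
    """One static NAT policy, using the fields listed on this page."""
    priority: int            # lower value is evaluated first
    direction: str           # "Inbound" or "Outbound", relative to the appliance
    service_type: str        # "Local", "Intranet" or "Internet"
    service_name: str
    inside_zone: str
    inside_ip: str           # "address/mask"
    outside_ip: str          # "address/mask", same mask length as inside_ip
    outside_zone: str        # assumption: the zone outside-originated traffic arrives from


@dataclass(frozen=True)
class Packet:
    """The packet attributes the match conditions on this page refer to."""
    src_ip: str
    dst_ip: str
    src_service_type: str
    src_service_name: str
    src_zone: str


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _map_one_to_one(ip: str, from_net: str, to_net: str) -> str:
    """Keep the host bits, swap the network bits (for /32 this is a plain address swap)."""
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("inside and outside masks must match for one-to-one NAT")
    offset = int(ipaddress.ip_address(ip)) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


def apply_rule(rule: StaticNatRule, pkt: Packet) -> Tuple[Optional[Packet], str]:
    """Return (translated packet, matched direction) or (None, "no match")."""
    # Connection initiated inside -> outside: match source service, source IP
    # and inside zone; the source address is rewritten to the outside address.
    if (pkt.src_service_type == rule.service_type
            and pkt.src_service_name == rule.service_name
            and pkt.src_zone == rule.inside_zone
            and _in_net(pkt.src_ip, rule.inside_ip)):
        new_src = _map_one_to_one(pkt.src_ip, rule.inside_ip, rule.outside_ip)
        return replace(pkt, src_ip=new_src), "inside->outside"
    # Connection initiated outside -> inside: match outside zone and destination
    # IP; the destination address is rewritten back to the inside address.
    if pkt.src_zone == rule.outside_zone and _in_net(pkt.dst_ip, rule.outside_ip):
        new_dst = _map_one_to_one(pkt.dst_ip, rule.outside_ip, rule.inside_ip)
        return replace(pkt, dst_ip=new_dst), "outside->inside"
    return None, "no match"


def evaluate(rules: List[StaticNatRule], pkt: Packet):
    """First matching rule in priority order wins; returns (rule, packet, direction)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        translated, how = apply_rule(rule, pkt)
        if translated is not None:
            return rule, translated, how
    return None, pkt, "no match"


def firewall_view(rule: StaticNatRule, original: Packet, translated: Packet) -> Tuple[str, str]:
    """Addresses the firewall filters are evaluated against: translated (outside)
    addresses for Inbound NAT, actual (inside) addresses for Outbound NAT."""
    seen = translated if rule.direction == "Inbound" else original
    return seen.src_ip, seen.dst_ip


# Constructed from the example on this page; priority, direction and outside
# zone are assumptions made for this demonstration.
EXAMPLE_RULE = StaticNatRule(
    priority=100, direction="Outbound", service_type="Local", service_name="LAN",
    inside_zone="FIC", inside_ip="192.168.10.9/32", outside_ip="10.28.115.81/32",
    outside_zone="Default_LAN_Zone",
)

if __name__ == "__main__":
    # Constructed sample packets: one originated inside, one originated outside.
    out = Packet("192.168.10.9", "10.28.115.200", "Local", "LAN", "FIC")
    print(evaluate([EXAMPLE_RULE], out))
    back = Packet("10.28.115.200", "10.28.115.81", "Local", "Internet", "Default_LAN_Zone")
    print(evaluate([EXAMPLE_RULE], back))
```

Note that the two match branches deliberately check different fields: a packet from the wrong inside zone, or a return packet arriving from a zone other than the configured outside zone, falls through to "no match" even though the addresses line up, which is the behaviour to expect when a static NAT rule appears not to fire.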