Configure NAT loopback and static NAT

Fireware includes support for NAT loopback. NAT loopback allows a user on the trusted or optional networks to get access to a public server that is on the same physical Firebox interface by its public IP address or domain name. For NAT loopback connections, the Firebox changes the source IP address of the connection to the IP address of the internal Firebox interface (the primary IP address for the interface that the client and server both use to connect to the Firebox).

To understand how to configure NAT loopback when you use static NAT, we give this example:

Company ABC has an HTTP server on the Firebox trusted interface. The company uses a static NAT rule to map the public IP address to the internal server. The company wants to allow users on the trusted and optional networks to use the public IP address or domain name to get access to this public server.

For this example we assume:

Add a policy for NAT loopback to the server

In this example, to allow users on your trusted and optional networks to use the public IP address or domain name to access a public server that is on the trusted network, you must add an HTTP policy that could look like this:

NAT loopback policy example

To create this policy:

  1. Edit or create an HTTP policy.
  2. In the From section, select the trusted and optional networks that you want to allow to do NAT loopback.
    For this example, we add Any-Trusted and Any-Optional.
  3. In the To section of the policy, add a static NAT entry with the public and private IP addresses of the server you want to allow users to get access to.
    For this example, we add the static NAT entry 100.100.100.5 --> 10.0.1.5.

Add a dynamic NAT entry for NAT loopback

  1. From Policy Manager, select Network > NAT.
    The NAT Setup dialog box appears.
  2. Click Add.
  3. Add a mapping from the primary IP address of the trusted network to the public address of the HTTP server. For this example, we enter 10.0.1.0/24 - 100.100.100.5.
  4. Add another mapping for the secondary address of the trusted network to the public address of the HTTP server. For this example, we enter 192.168.2.0/24 - 100.100.100.5.
  5. Click OK.
    The NAT Setup dialog shows the new entries for NAT loopback.

NAT setup dialog

  6. Save the configuration to the Firebox.
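
The following added example (a simplified model written for this page, not WatchGuard code or Firebox output) traces a loopback connection with and without the dynamic NAT entries, to show why the source address rewrite is needed when client and server share a segment. The addresses come from the example above, except the Firebox interface address 10.0.1.1 and the client 10.0.1.50, which are assumptions.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str

# Addresses from the page's example
PUBLIC_IP = "100.100.100.5"                        # public address of the HTTP server
SERVER_IP = "10.0.1.5"                             # private address in the static NAT entry
LOOPBACK_NETS = ("10.0.1.0/24", "192.168.2.0/24")  # sources in the dynamic NAT entries
# Assumption, not stated on the page: primary IP of the trusted interface
FIREBOX_IP = "10.0.1.1"

def covered(src, nets):
    """True if a dynamic NAT entry '<net> - PUBLIC_IP' matches this source."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def firebox_forward(pkt, nets=LOOPBACK_NETS):
    """Client-to-server direction: static NAT, plus source rewrite for loopback."""
    if pkt.dst != PUBLIC_IP:
        return pkt
    src = FIREBOX_IP if covered(pkt.src, nets) else pkt.src
    return Packet(src, SERVER_IP)

def reply_seen_by_client(client, nets=LOOPBACK_NETS):
    """Follow the server's reply back to a client on the server's own segment."""
    at_server = firebox_forward(Packet(client, PUBLIC_IP), nets)
    reply = Packet(SERVER_IP, at_server.src)  # server answers the source it saw
    if reply.dst == FIREBOX_IP:
        # Reply returns through the Firebox, which reverses both translations.
        return Packet(PUBLIC_IP, client)
    # Reply is delivered directly on the shared segment, never translated back.
    return reply

def client_accepts(client, nets=LOOPBACK_NETS):
    """A client only matches replies that come from the address it connected to."""
    return reply_seen_by_client(client, nets).src == PUBLIC_IP

if __name__ == "__main__":
    client = "10.0.1.50"  # constructed sample client on the trusted network
    print("with dynamic NAT entries:", reply_seen_by_client(client))
    print("without them:            ", reply_seen_by_client(client, nets=()))
```

Without the dynamic NAT entries the server sees the client's real address and answers it directly from 10.0.1.5, so the reply never matches the connection the client opened to 100.100.100.5.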

For more information about how to configure static NAT, see About static NAT.

If you use 1-to-1 NAT to route traffic to servers inside your network, see NAT loopback and 1-to-1 NAT.
