Configure Static NAT

Static NAT, also known as port forwarding, is a port-to-host NAT. A host sends a packet from the external network to a port on an external interface. Static NAT changes the destination IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your XTM device manages this kind of traffic. Static NAT also operates on traffic sent from networks that your XTM device protects.

When you use static NAT, you use an external IP address from your XTM device instead of the IP address from a public server. You could do this because you choose to, or because your public server does not have a public IP address. For example, you can put your SMTP email server behind your XTM device with a private IP address and configure static NAT in your SMTP policy. Your XTM device receives connections on port 25 and makes sure that any SMTP traffic is sent to the real SMTP server behind the XTM device.

Add a Static NAT Action

Before you can configure a policy to use static NAT, you must define the static NAT action. After you add a static NAT action, you can use it in one or more policies.

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Click Add.
    The Add SNAT page appears.

Screen shot of the Add SNAT page

  3. In the Name text box, type a name for this SNAT action.
  4. (Optional) In the Description text box, type a description for this SNAT action.
  5. To specify a static NAT action, select Static NAT.
    This is the default selection.
  6. Click Add.
    The Add Member dialog box appears.

Screen shot of the Add Member dialog box

  7. From the External IP address drop-down list, select the external IP address or alias you want to use in this action.

For example, you can use static NAT for packets received on only one external IP address. Or, you can use static NAT for packets received on any external IP address if you select the Any-External alias.

  8. In the Internal IP Address text box, type the destination on the trusted or optional network.
  9. (Optional) Select the Set internal port to a different port check box. This enables port address translation (PAT).

This feature enables you to change the packet destination not only to a specified internal host but also to a different port. If you select this check box, type or select the port number to use.

If you use static NAT in a policy that allows traffic that does not have ports (traffic other than TCP or UDP), the internal port setting is not used for that traffic.

  10. Click OK.
    The static NAT route appears in the SNAT Members list.
  11. Click Save.
    The new SNAT action appears in the SNAT page.
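
The member settings in this procedure can be checked against a small model before you commit a change. The following Python sketch is an added example, not WatchGuard code: it is a simplified model of how an SNAT member (external IP or the Any-External alias, internal IP, optional internal port) rewrites a packet that the policy has already allowed. The class names, the first-match ordering, and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY_EXTERNAL = "Any-External"  # alias named on this page

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    dst_ip: str
    dst_port: Optional[int]    # None for protocols without ports

@dataclass(frozen=True)
class SnatMember:              # hypothetical name for one SNAT member entry
    external: str              # one external IP, or the Any-External alias
    internal_ip: str
    internal_port: Optional[int] = None  # set only when PAT is enabled

def translate(pkt, members, external_ips):
    """Return the packet as forwarded, or None if no member applies.

    Assumes the packet was already allowed by the policy that carries
    this SNAT action; first matching member wins (model assumption).
    """
    if pkt.dst_ip not in external_ips:
        return None
    for m in members:
        if m.external != ANY_EXTERNAL and m.external != pkt.dst_ip:
            continue
        port = pkt.dst_port
        # The internal port is used only for traffic that has ports.
        if m.internal_port is not None and pkt.proto in ("tcp", "udp"):
            port = m.internal_port
        return Packet(pkt.proto, m.internal_ip, port)
    return None

# Constructed sample data (documentation address ranges).
EXTERNAL_IPS = {"203.0.113.10", "203.0.113.11"}
SMTP_ONE_IP = [SnatMember("203.0.113.10", "10.0.1.25")]
WEB_ANY_PAT = [SnatMember(ANY_EXTERNAL, "10.0.1.80", internal_port=8080)]

if __name__ == "__main__":
    for pkt, members in [
        (Packet("tcp", "203.0.113.10", 25), SMTP_ONE_IP),   # forwarded, port kept
        (Packet("tcp", "203.0.113.11", 25), SMTP_ONE_IP),   # other external IP: no match
        (Packet("tcp", "203.0.113.11", 80), WEB_ANY_PAT),   # Any-External with PAT
        (Packet("icmp", "203.0.113.10", None), WEB_ANY_PAT),  # no ports: PAT not used
    ]:
        print(pkt, "->", translate(pkt, members, EXTERNAL_IPS))
```

Running the sample cases shows the practical difference between a single external IP and Any-External: the second choice forwards the service from every external address on the device.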

Add a Static NAT Action to a Policy

After you create a static NAT action, you can add it to one or more policies.

  1. Select Firewall > Firewall Policies.
  2. Double-click a policy to edit it.
  3. In the Connections are drop-down list, select Allowed.
    To use static NAT, the policy must allow incoming traffic.
  4. In the To section, click Add.
    The Add Member dialog box appears.

Screen shot of the Add Member dialog box, with a static NAT member selected

  5. From the Member Type drop-down list, select Static NAT.
    A list of the configured Static NAT Actions appears.
  6. Select the Static NAT action to add to this policy. Click OK.
    The static NAT route appears in the To section of the policy configuration.
  7. Click Save.

Edit or Remove a Static NAT Action

To edit an SNAT action:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Edit.
    The Edit SNAT page appears.
  4. Modify the SNAT action.
    When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
  5. Click Save.

To remove an SNAT action:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Remove.
    You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
  4. Click Yes to confirm that you want to remove the SNAT action.

See Also

Configure Policy-Based Dynamic NAT

e-Learning: Public Web Server Behind an XTM Device
