Configure Static NAT (SNAT)

Static NAT (SNAT), also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends a packet from a network to a port on an external or optional interface, static NAT changes the destination IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your Firebox manages this kind of traffic. Static NAT also operates on connections from networks that your Firebox protects.

We recommend that you configure Static NAT rather than 1-to-1 NAT, especially if you have a small number of public IP addresses.

You can configure static NAT for connections to an external or optional Firebox interface. You cannot configure static NAT for connections to a trusted or custom interface. You cannot configure static NAT for BOVPN or mobile VPN connections.

You cannot configure static NAT for an optional interface in a Device Configuration Template. For more information about how to configure an SNAT action in a Device Configuration Template, go to Configure an SNAT Action.

When you use static NAT, connections to an internal server can be addressed to a Firebox interface IP address instead of to the actual IP address of the server. For example, you can put your SMTP email server behind your Firebox with a private IP address and configure static NAT in your SMTP policy. Your Firebox then receives connections on port 25 and sends any SMTP connections to the real address of the SMTP server behind the Firebox.

  • In Fireware v12.2 or higher, you can specify an FQDN in a SNAT action in addition to an IP address.
  • In Fireware v12.2.1 or higher, you can specify the primary or secondary IP address of the loopback interface in a static NAT action. You might do this if you have provider-independent public IP addresses, or have internal IP addresses not associated with a specific interface, so that you can still use these IP addresses for NAT.

By default, a static NAT rule does not change the source IP address for inbound traffic. When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when a connection that matches the parameters in your static NAT action is received by your Firebox, it changes the source IP address to the IP address that you specify. You can specify a different source IP address for each SNAT member.

You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you can change the packet destination to specify a different internal host and a different port.

For a demonstration of how to configure static NAT, see the Video Tutorial Getting Started with NAT.

Add a Static NAT Action

In Fireware Web UI, you must define the static NAT action before you can use it in one or more policies.

  1. Select Firewall > SNAT.
     The SNAT page appears.
  2. Click Add.
    The Add SNAT page appears.

Screen shot of the Add SNAT page

  1. In the Name text box, type a name for this SNAT action.
  2. (Optional) In the Description text box, type a description for this SNAT action.
  3. Select Static NAT.
    This is the default selection.
  4. Click Add.
    The Add Member dialog box appears.

Screen shot of the Static NAT Add Member dialog box

  1. (Fireware v12.2.1 or higher) From the IP Address or Interface drop-down list, select the IP address or alias of an external, optional, or loopback interface to use in this action. You can also select an IP address that belongs to a secondary network that is assigned to an external, optional, or loopback interface.

For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. To use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.

In Fireware v12.2 or lower, this drop-down list is named External/Optional IP Address. You can select the IP address or alias of an external or optional interface, but you cannot select the IP address of a loopback interface.

  1. (Fireware v12.2 or higher) From the Choose Type drop-down list, select Internal IP Address or FQDN.
    1. If you selected Internal IP Address, in the Host text box, type an IP address.
    2. If you selected FQDN, in the Host text box, type a fully-qualified domain name.
  2. To specify the source IP address for this static NAT action, select the Set source IP check box. In the adjacent text box, type the source IP address.
  3. To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.

If you use an SNAT action in a policy that allows a connection type other than TCP or UDP, the internal port setting is not used for that connection.

  1. Click OK.
    The static NAT route appears in the SNAT Members list.
  2. To add another member to this action, click Add and repeat Steps 7–12.
  3. Click Save.
    The new SNAT action appears in the SNAT page.

In Policy Manager, you can create a static NAT action and then add it to a policy, or you can create the static NAT action from within a policy configuration.

  1. Select Setup > Actions > SNAT.
     The SNAT dialog box appears.
  2. Click Add.
    The Add SNAT dialog box appears.

Screen shot of the Add SNAT dialog box

  1. In the SNAT Name text box, type a name for this SNAT action.
  2. (Optional) In the Description text box, type a description for this SNAT action.
  3. Select Static NAT.
    This is the default selection.
  4. Click Add.
    The Add Static NAT dialog box appears.

Screen shot of the Add Static NAT dialog box

  1. (Fireware v12.2.1 or higher) From the IP Address or Interface drop-down list, select the IP address or alias of an external, optional, or loopback interface to use in this action. You can also select an IP address that belongs to a secondary network that is assigned to an external, optional, or loopback interface.

    2. For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. To use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.

    In Fireware v12.2 or lower, this drop-down list is named External/Optional IP Address. You can select the IP address or alias of an external or optional interface, but you cannot select the IP address of a loopback interface.

  2. To specify the source IP address for this static NAT action, select the Set source IP check box. In the adjacent text box, type the source IP address.
  3. (Fireware v12.2 or higher) From the Choose Type drop-down list, select Internal IP Address or FQDN.
    1. If you selected Internal IP Address, in the Host text box, type an IP address.
    2. If you selected FQDN, in the Host text box, type a fully-qualified domain name.
  4. To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.

If you use an SNAT action in a policy that allows connections other than TCP or UDP, the internal port setting is not used for that connection.

  1. Click OK.
    The static NAT route appears in the SNAT Members list.
  2. To add another member to this action, click Add and repeat Steps 7–12.
  3. Click OK.
    The new SNAT action appears in the SNAT dialog box.

Add a Static NAT Action to a Policy

After you add a SNAT action, you can use the action in one or more policies.

  1. Select Firewall > Firewall Policies.
  2. Click the name of a policy to edit it.
  3. From the Connections are drop-down list, select Allowed.
    To use static NAT, the policy must allow incoming connections.
  4. In the To section, click Add.
    The Add Member dialog box appears.

Screen shot of the Add Member dialog box, with a static NAT member selected

  1. From the Member Type drop-down list, select Static NAT.
    A list of the configured Static NAT Actions appears.
  2. Select the static NAT action to add to this policy. Click OK.
    The static NAT route appears in the To section of the policy configuration.
  3. Click Save.
  1. Double-click a policy to edit it.
  2. From the Connections are drop-down list, select Allowed.
    To use static NAT, the policy must allow incoming connections.
  3. In the To section, click Add.
    The Add Address dialog box appears.
  4. Click Add SNAT.
    The SNAT dialog box appears, with a list of the configured static NAT and Server Load Balancing actions.

Screen shot of the SNAT dialog box with an SNAT action selected

  1. Select the configured SNAT action to add. Click OK.
    Or, click Add to define a new static NAT action. Follow the steps in the Add a Static NAT Action section to configure the static NAT action.
  2. Click OK to close the SNAT dialog box.
    The static NAT route appears in the Selected Members and Addresses list.

Screen shot of the Add Address dialog box, with a static NAT action added

  1. Click OK to close the Add Address dialog box.
  2. Click OK to close the Policy Properties dialog box.

Edit or Remove a Static NAT Action

You can edit an SNAT action from the SNAT action list.

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Edit.
    The Edit SNAT page appears.
  4. Modify the SNAT action.
    When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
  5. Click Save.
  1. Select Setup > Actions > SNAT.
    The SNAT dialog box appears.
  2. Select an SNAT action.
  3. Click Edit.
    The Edit SNAT page appears.
  4. Modify the SNAT action.
    When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
  5. Click OK.

In Policy Manager, you can also edit an SNAT action when you edit a policy.

  1. Double-click a policy to edit it.
    The Edit Policy Properties dialog box appears, with the Policy tab selected.
  2. In the To section, select the SNAT action you want to edit.
  3. Click Edit.
    The Edit SNAT dialog box appears.
  4. Modify the SNAT action.
    When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT action.
  5. Click OK.

You can remove any SNAT action that is not used by a policy.

  1. Select Firewall > SNAT.
    The SNAT page appears
  2. Select an SNAT action.
  3. Click Remove.
    A confirmation dialog box appears.
  4. Click OK to confirm that you want to remove the SNAT action.
  1. Select Setup > Actions > SNAT.
    The SNAT dialog box appears.
  2. Select an SNAT action.
  3. Click Remove.
    A confirmation dialog box appears.
  4. Click Yes to confirm that you want to remove the SNAT action.
  5. Click OK.

Change Static NAT Global Settings

By default, the Firebox does not clear active connections when you modify a static NAT action. You can change the global SNAT setting so that the Firebox clears active connections that use an SNAT action you modify.

To change the global SNAT setting in Fireware Web UI or Policy Manager:

  1. Select Setup > Global Settings.
  2. Select System > Global Settings.
  3. Select the Networking tab.
  4. In the Traffic Flow section, select the When an SNAT action changes, clear active connections that use that SNAT action check box.

Related Topics

Configure Policy-Based Dynamic NAT

Configuration Example — Set Up a Public Web Server Behind a Firebox

Example Configuration Files — Set Up a Public Web Server Behind a Firebox

Port Forwarding