Add Network Dynamic NAT Rules
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the external network. The default entries are:
- 192.168.0.0/16 – Any-External
- 172.16.0.0/12 – Any-External
- 10.0.0.0/8 – Any-External
These three network ranges are the private address blocks reserved by the Internet Engineering Task Force (IETF) and are usually used for the IP addresses on LANs. To enable dynamic NAT for private IP addresses other than these, you must add dynamic NAT rules for them. The Firebox applies the dynamic NAT rules in the sequence that the entries appear in the Dynamic NAT list; the first rule that matches a packet is used. We recommend that you put the rules in a sequence that matches the volume of traffic the rules apply to.
By default, dynamic NAT rewrites the source IP address of packets to use the primary IP address of the interface from which the packet is sent. When you add a dynamic NAT rule, you can optionally specify a different source IP address to use for packets that match that rule.
The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface you specify in the To field. In Fireware v12.2 or higher, you can set a source IP address that is on the same subnet as the primary or secondary IP address of the loopback interface.
If you set the source IP address and specify an alias in the To field that includes more than one interface:
- If the source IP address is on the same subnet as the primary or secondary IP address of an external interface included in the alias, the source IP address is used only for traffic that leaves that external interface.
- If the source IP address is on the same subnet as the primary or secondary IP address of the loopback interface, the source IP address is used for traffic that leaves any external interface included in the alias.
From Fireware Web UI
- Select Network > NAT.
The NAT settings page appears.
- In the Dynamic NAT section, click Add.
The Dynamic NAT configuration page appears.
- In the From section, click the Member type drop-down list to select the type of address to use to specify the source of the outgoing packets: Host IP, Network IP, Host Range, or Alias.
- In the From section, below the Member type drop-down list, type the host IP address, network IP address, or host IP address range, or select an alias in the drop-down list.
You must type a network address in slash notation.
For more information about built-in Firebox aliases, see About Aliases.
- In the To section, click the Member type drop-down list to select the type of address to use to specify the destination of the outgoing packets.
- In the To section, below the Member type drop-down list, type the host IP address, network IP address, or host IP address range, or select an alias in the drop-down list.
- Select the Set source IP check box if you want to specify a different source IP address to use for this rule. Type the source IP address to use in the adjacent text box.
From Policy Manager
- Select Network > NAT.
The NAT Setup dialog box appears.
- On the Dynamic NAT tab, click Add.
The Add Dynamic NAT dialog box appears.
- In the From drop-down list, select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all of the trusted network.
For more information on built-in Firebox aliases, see About Aliases.
- In the To drop-down list, select the destination of the outgoing packets.
- To add a host or a network IP address, click the add button.
The Add Address dialog box appears.
- In the Choose Type drop-down list, select the address type.
- In the Value text box, type the IP address or range.
You must type a network address in slash notation.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow keys.
- Click OK.
- Select the Set source IP check box if you want to specify a different source IP address to use for this rule. Type the source IP address to use in the adjacent text box.
If you set the source IP address, the Firebox changes the source IP address for packets that match this rule to the source IP address you specify. The source IP address must be on the same subnet as the primary or secondary IP address of the interface you specified as the To location in the dynamic NAT rule. In Fireware v12.2 or higher, you can set a source IP address that is on the same subnet as the primary or secondary IP address of the loopback interface.
If you set the source IP address, and the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that includes more than one interface, the source IP address is used only for traffic that leaves an interface that has an IP address on the same subnet as the source IP address.
For more information, see About Dynamic NAT Source IP Addresses.
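The rule-sequence and Set source IP behaviour described above (first matching rule in list order, the default private-network entries, and the subnet check against the To interface or the loopback interface) as an added Python model of how a Firebox selects the rewritten source address; this is not WatchGuard code, and the interface addresses, alias membership and rules are constructed examples.

```python
import ipaddress

# Constructed interface table (assumption): primary address first, then secondaries,
# all in slash notation. The loopback is listed so rules may also use its subnet.
INTERFACES = {
    "External-1": ["203.0.113.10/24", "203.0.113.11/24"],
    "External-2": ["198.51.100.10/24"],
    "Loopback": ["192.0.2.1/24"],
}
# Constructed alias: Any-External covers every external interface.
ALIASES = {"Any-External": ["External-1", "External-2"]}

# The three default dynamic NAT entries: (From network, To, optional Set source IP).
DEFAULT_RULES = [(net, "Any-External", None)
                 for net in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def expand(to):
    """Expand an alias in the To field to its member interfaces."""
    return ALIASES.get(to, [to])


def same_subnet(ip, iface):
    """True if ip is on the subnet of the interface's primary or a secondary address."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_interface(a).network
               for a in INTERFACES[iface])


def validate_rule(rule):
    """Apply the add-time checks: From in slash notation, source IP on a To or loopback subnet."""
    src_net, to, source_ip = rule
    ipaddress.ip_network(src_net)  # raises ValueError if not a valid network in slash notation
    if source_ip is not None and not any(same_subnet(source_ip, i)
                                         for i in expand(to) + ["Loopback"]):
        raise ValueError(f"source IP {source_ip} is not on a subnet of {to} or the loopback")
    return True


def nat_source(rules, pkt_src, egress):
    """Return the source IP written into a packet leaving `egress`, or None if no rule matches."""
    for src_net, to, source_ip in rules:  # rules are evaluated in list order
        if ipaddress.ip_address(pkt_src) in ipaddress.ip_network(src_net) and egress in expand(to):
            primary = INTERFACES[egress][0].split("/")[0]
            if source_ip is None:
                return primary  # default: primary IP of the egress interface
            if same_subnet(source_ip, egress) or same_subnet(source_ip, "Loopback"):
                return source_ip
            return primary  # alias case: other member interfaces keep their primary IP
    return None
```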
Delete a Dynamic NAT Rule
You cannot change an existing dynamic NAT rule. If you want to change an existing rule, you must delete the rule and add a new one.
To delete a dynamic NAT rule:
- Select the rule to delete.
- Click Remove.
A warning message appears.
Reorder Dynamic NAT Rules
To change the sequence of the dynamic NAT rules:
- Select the rule to change.
- Click Up or Down to move it in the list.