About Network Address Translation (NAT)

Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value.

The primary purposes of NAT are to let many computers share a single publicly routable IP address, and to hide the private IP addresses of hosts on your LAN from the external network. When you use NAT, the source IP address is changed on every packet you send out.

You can apply NAT as a general firewall setting, or as a setting in a policy. Firewall NAT settings do not apply to BOVPN policies.

You can configure server load balancing as part of an SNAT rule. The server load balancing feature is designed to help you increase the scalability and performance of a high-traffic network with multiple public servers protected by your Firebox. With server load balancing, the Firebox controls the number of sessions initiated to multiple servers for each firewall policy you configure. The Firebox distributes the load based on the number of sessions in use on each server; it does not measure or compare the bandwidth that each server uses.

For more information on server load balancing, see Configure Server Load Balancing.
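To make the session-count rule concrete, here is a small added example (not Firebox code) that models a server pool behind one SNAT rule and picks the server with the fewest active sessions for each new connection. The server addresses and the tie-breaking order (lowest address wins) are constructed assumptions; the point it shows is that only session counts drive the choice, never measured bandwidth.

```python
from typing import Dict, List

class SessionCountBalancer:
    """Least-sessions selection for an SNAT server pool.

    Added illustration of the behaviour described in the text: the choice
    depends only on how many sessions each server currently has. Bandwidth
    is never consulted, so a server carrying one huge transfer still looks
    'lighter' than a server with two idle sessions.
    """

    def __init__(self, servers: List[str]):
        # Constructed pool of hypothetical internal addresses.
        self.sessions: Dict[str, int] = {s: 0 for s in servers}

    def choose(self) -> str:
        """Return the server with the fewest sessions (ties: lowest address)."""
        return min(sorted(self.sessions), key=lambda s: self.sessions[s])

    def open_session(self) -> str:
        """Assign a new inbound session and return the chosen server."""
        server = self.choose()
        self.sessions[server] += 1
        return server

    def close_session(self, server: str) -> None:
        """Release a session when the connection ends."""
        if self.sessions.get(server, 0) > 0:
            self.sessions[server] -= 1

def demo_sequence() -> List[str]:
    """Open four sessions, close one, open another; return the assignments."""
    lb = SessionCountBalancer(["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    picks = [lb.open_session() for _ in range(4)]   # round-robin-like while counts are equal
    lb.close_session("10.0.0.12")                    # 10.0.0.12 now has 0 sessions
    picks.append(lb.open_session())                  # so it is chosen next
    return picks

if __name__ == "__main__":
    print(demo_sequence())
```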

Types of NAT

The Firebox supports three different types of NAT. Your configuration can use more than one type of NAT at the same time. You apply some types of NAT to all firewall traffic, and other types as a setting in a policy.

Dynamic NAT

Dynamic NAT is also known as IP masquerading. The Firebox can apply its public IP address to the outgoing packets for all connections or for specified services. This hides the real IP address of the computer that is the source of the packet from the external network. Dynamic NAT is generally used to hide the IP addresses of internal hosts when they get access to public services.

For more information, see About Dynamic NAT.

Static NAT

Static NAT (SNAT) is often used to give external computers access to your public, internal servers. You configure static NAT in an SNAT action and then use that action when you configure policies.

Static NAT is also known as port forwarding because it is a port-to-host NAT. A host on the external network sends a packet to a port on an external interface of the Firebox. Static NAT changes the destination IP address and port of that packet to the IP address and port of a host behind the firewall.

For more information, see Configure Static NAT (SNAT).

1-to-1 NAT

1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a different network. 1-to-1 NAT is recommended only when you have many public IP addresses available, or your servers need to initiate connections from the same public IP address on which they receive traffic.

For more information, see About 1-to-1 NAT.
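The three NAT types above differ mainly in what state the firewall keeps and which inbound packets it will admit. The following added example (written for this page, not Firebox code) simulates all three on one translation table: dynamic NAT allocates a per-session public port and only admits return traffic for a session that an internal host opened, static NAT forwards a fixed external port to an internal host and port, and 1-to-1 NAT swaps a private address for its own public address in both directions. All addresses, ports and the evaluation order (1-to-1, then static, then dynamic) are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed sample addresses (RFC 5737 documentation ranges and RFC 1918 space).
PUBLIC_IP = "203.0.113.10"         # hypothetical external address of the firewall
SECOND_PUBLIC_IP = "203.0.113.11"  # hypothetical spare public address used for 1-to-1 NAT
WEB_SERVER = "10.0.0.80"           # hypothetical internal web server (static NAT target)
MAIL_SERVER = "10.0.0.25"          # hypothetical internal mail server (1-to-1 NAT host)

class NatTable:
    """Toy model of dynamic, static and 1-to-1 NAT on one device."""

    def __init__(self, public_ip: str,
                 static_rules: Dict[Tuple[str, int], Tuple[str, int]],
                 one_to_one: Dict[str, str], first_port: int = 40000):
        self.public_ip = public_ip
        self.static_rules = static_rules          # (proto, ext port) -> (internal ip, internal port)
        self.one_to_one = one_to_one              # public ip -> private ip
        self.private_to_public = {v: k for k, v in one_to_one.items()}
        self.sessions: Dict[Tuple, int] = {}      # outbound 5-tuple -> allocated public port
        self.by_port: Dict[Tuple[str, int], Tuple] = {}  # (proto, public port) -> 5-tuple
        self.next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN."""
        # 1-to-1 NAT: this host owns a dedicated public address; ports are untouched.
        if pkt.src_ip in self.private_to_public:
            return replace(pkt, src_ip=self.private_to_public[pkt.src_ip])
        # Dynamic NAT (masquerade): shared public IP plus a per-session port.
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.sessions.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.sessions[flow] = port
            self.by_port[(pkt.proto, port)] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet from the external network; None means it is dropped."""
        # 1-to-1 NAT in reverse: the dedicated public address maps straight back.
        if pkt.dst_ip in self.one_to_one:
            return replace(pkt, dst_ip=self.one_to_one[pkt.dst_ip])
        if pkt.dst_ip != self.public_ip:
            return None
        # Static NAT / port forwarding: a published port reaches a chosen internal host:port.
        target = self.static_rules.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return replace(pkt, dst_ip=target[0], dst_port=target[1])
        # Dynamic NAT: admit only return traffic for an existing session, and only
        # from the peer that session was opened to. Anything else has no mapping.
        flow = self.by_port.get((pkt.proto, pkt.dst_port))
        if flow is not None and (flow[3], flow[4]) == (pkt.src_ip, pkt.src_port):
            return replace(pkt, dst_ip=flow[1], dst_port=flow[2])
        return None

def demo():
    nat = NatTable(PUBLIC_IP,
                   static_rules={("tcp", 443): (WEB_SERVER, 8443)},
                   one_to_one={SECOND_PUBLIC_IP: MAIL_SERVER})
    # Dynamic NAT: a LAN client queries an external resolver and gets its reply back.
    out = nat.outbound(Packet("udp", "10.0.0.50", 51515, "198.51.100.53", 53))
    reply = nat.inbound(Packet("udp", "198.51.100.53", 53, out.src_ip, out.src_port))
    # Static NAT: an external client reaches the published HTTPS port.
    fwd = nat.inbound(Packet("tcp", "198.51.100.7", 34000, PUBLIC_IP, 443))
    # 1-to-1 NAT: the mail server sends and receives on its own public address.
    mail_out = nat.outbound(Packet("tcp", MAIL_SERVER, 5000, "198.51.100.25", 25))
    mail_in = nat.inbound(Packet("tcp", "198.51.100.25", 25, SECOND_PUBLIC_IP, 25))
    # No rule and no session for this port: the packet is dropped.
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.7", 34001, PUBLIC_IP, 3389))
    return out, reply, fwd, mail_out, mail_in, unsolicited

if __name__ == "__main__":
    labels = ["dynamic out", "dynamic reply", "static fwd", "1-to-1 out", "1-to-1 in", "unsolicited"]
    for label, pkt in zip(labels, demo()):
        print(f"{label:14} {pkt}")
```

The contrast worth noticing when reviewing a configuration: the hosts behind dynamic NAT are reachable only through sessions they opened themselves, whereas every static NAT rule and every 1-to-1 mapping is a standing path from the Internet to an internal host, so those are the entries to inventory and keep to the minimum the published services need.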

For an introduction to NAT, and demonstrations of how to configure each type of NAT, see the Video Tutorial Getting Started with NAT.

Port Forwarding