Configure Static NAT

Static NAT, also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends a packet from a network to a port on an external or optional interface, static NAT changes the destination IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your XTM device manages this kind of traffic. Static NAT also operates on traffic sent from networks that your XTM device protects.

You can configure static NAT for traffic sent to an external or optional XTM device interface. Static NAT for an optional interface is supported in Fireware XTM OS v11.8.1 and higher.

When you use static NAT, traffic to an internal server can be addressed to an XTM device interface IP address, instead of to the actual IP address of the server. For example, you can put your SMTP email server behind your XTM device with a private IP address and configure static NAT in your SMTP policy. Your XTM device then receives connections on port 25 and sends any SMTP traffic to the real address of the SMTP server behind the XTM device.

Add a Static NAT Action

Before you can configure a policy to use static NAT, you must define the static NAT action. After you add a static NAT action, you can use it in one or more policies.

When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when traffic that matches the parameters in your static NAT action is received by your XTM device, it changes the source IP address to the IP address that you specify. You can specify a different source IP address for each SNAT member.

You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you can change the packet destination to specify a different internal host and a different port.

To add a static NAT action:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Click Add.
    The Add SNAT page appears.

Screen shot of the Add SNAT page

  3. In the Name text box, type a name for this SNAT action.
  4. (Optional) In the Description text box, type a description for this SNAT action.
  5. Select Static NAT.
    This is the default selection.
  6. Click Add.
    The Add Member dialog box appears.

Screen shot of the Add Member dialog box

  7. From the External/Optional IP Address drop-down list, select the IP address or alias of an external or optional interface to use in this action.

For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. Or, to use static NAT for packets addressed to any optional interface IP address, select the Any-Optional alias.

  8. To specify the source IP address for this static NAT action, select the Set source IP check box. In the adjacent text box, type the source IP address.
  9. In the Internal IP Address text box, type the destination on the trusted or optional network.
  10. To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.

If you use an SNAT action in a policy that allows traffic other than TCP or UDP, the internal port setting is not used for that traffic.

  11. Click OK.
    The static NAT route appears in the SNAT Members list.
  12. To add another member to this action, click Add and repeat Steps 7–12.
  13. Click Save.
    The new SNAT action appears in the SNAT page.
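As an added illustration (not WatchGuard code), the following Python model shows how the fields of a static NAT member described above combine to rewrite an inbound packet: the External/Optional IP address or alias selects the member, the Internal IP Address replaces the destination, the internal port applies only to TCP and UDP, and the optional Set source IP value replaces the source address. The alias table, addresses and packets are constructed for the example.

```python
# Added example (not WatchGuard code): a small model of how a Fireware
# static NAT (SNAT) member rewrites an inbound packet, as described above.
# Interface IPs, aliases and packet values are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed map of interface aliases to the interface IPs they stand for.
ALIASES = {
    "Any-Optional": {"10.0.1.1", "10.0.2.1"},   # two optional interfaces
    "Any-External": {"203.0.113.10"},           # one external interface
}

@dataclass
class SNATMember:
    ext_or_opt_ip: str                    # External/Optional IP Address or alias
    internal_ip: str                      # Internal IP Address (trusted/optional host)
    source_ip: Optional[str] = None       # Set source IP (optional)
    internal_port: Optional[int] = None   # Set internal port to a different port (PAT)

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or e.g. "icmp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None

def member_matches(m: SNATMember, pkt: Packet) -> bool:
    """A member applies when the packet is addressed to the member's
    interface IP, or to any interface IP covered by the selected alias."""
    targets = ALIASES.get(m.ext_or_opt_ip, {m.ext_or_opt_ip})
    return pkt.dst_ip in targets

def apply_snat(pkt: Packet, members: list) -> Optional[Packet]:
    """Return the translated packet for the first matching member,
    or None when no member of the action matches."""
    for m in members:
        if not member_matches(m, pkt):
            continue
        dst_port = pkt.dst_port
        # PAT only applies to TCP/UDP; for other protocols the internal
        # port setting is not used, so the port is left untouched.
        if m.internal_port is not None and pkt.proto in ("tcp", "udp"):
            dst_port = m.internal_port
        src_ip = m.source_ip if m.source_ip else pkt.src_ip
        return Packet(pkt.proto, src_ip, m.internal_ip, dst_port)
    return None
```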

Add a Static NAT Action to a Policy

After you create a static NAT action, you can add it to one or more policies.

  1. Select Firewall > Firewall Policies.
  2. Click the name of a policy to edit it.
  3. From the Connections are drop-down list, select Allowed.
    To use static NAT, the policy must allow incoming traffic.
  4. In the To section, click Add.
    The Add Member dialog box appears.

Screen shot of the Add Member dialog box, with a static NAT member selected

  5. From the Member Type drop-down list, select Static NAT.
    A list of the configured Static NAT Actions appears.
  6. Select the static NAT action to add to this policy. Click OK.
    The static NAT route appears in the To section of the policy configuration.
  7. Click Save.

Edit or Remove a Static NAT Action

To edit an SNAT action:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Edit.
    The Edit SNAT page appears.
  4. Modify the SNAT action.
    When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
  5. Click Save.

To remove an SNAT action:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Remove.
    A confirmation dialog box appears. You cannot remove an SNAT action that is used by a policy.
  4. Click OK to confirm that you want to remove the SNAT action.

Change Static NAT Global Settings

By default, the XTM device does not clear active connections when you modify a static NAT action. You can change the global SNAT setting so that the XTM device clears active connections that use an SNAT action you modify.

To change the global SNAT setting:

  1. Select System > Global Settings.
  2. Select the Networking tab.
  3. In the Traffic Flow section, select the When an SNAT action changes, clear active connections that use that SNAT action check box.
  4. Click Save.

See Also

Configure Policy-Based Dynamic NAT

Configuration Example — Public Web Server Behind an XTM Device

Example Configuration Files — Public Web Server Behind an XTM Device
