Static NAT, also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends a packet from a network to a port on an external or optional interface, static NAT changes the destination IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your XTM device manages this kind of traffic. Static NAT also operates on traffic sent from networks that your XTM device protects.
You can configure static NAT for traffic sent to an external or optional XTM device interface. Static NAT for an optional interface is supported in Fireware XTM OS v11.8.1 and higher.
When you use static NAT, traffic to an internal server can be addressed to an XTM device interface IP address, instead of to the actual IP address of the server. For example, you can put your SMTP email server behind your XTM device with a private IP address and configure static NAT in your SMTP policy. Your XTM device then receives connections on port 25 and sends any SMTP traffic to the real address of the SMTP server behind the XTM device.
Before you can configure a policy to use static NAT, you must define the static NAT action. After you add a static NAT action, you can use it in one or more policies.
When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when traffic that matches the parameters in your static NAT action is received by your XTM device, it changes the source IP address to the IP address that you specify. You can specify a different source IP address for each SNAT member.
You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you can change the packet destination to specify a different internal host and a different port.
To add a static NAT action:
For example, to you use static NAT for packets addressed to only one external IP address, select that external IP address or alias. Or, to use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.
If you use an SNAT action in a policy that allows traffic other than TCP or UDP, the internal port setting is not used for that traffic.
After you create a static NAT action, you can add it to one or more policies.
To edit an SNAT action:
To remove an SNAT action:
By default, the XTM device does not clear active connections when you modify a static NAT action. You can change the global SNAT setting so that the XTM device clears active connections that use an SNAT action you modify.
To change the global SNAT setting:
Configure Policy-Based Dynamic NAT
Configuration Example — Public Web Server Behind an XTM Device
Example Configuration Files — Public Web Server Behind an XTM Device