User guide
Chapter 7: Configuring Network Address Translation
86 WatchGuard Firebox System
Using Service-Based Dynamic NAT
Using service-based dynamic NAT, you can set outgoing dynamic NAT
policy on a service-by-service basis. Service-based NAT is most frequently
used to make exceptions to a globally applied simple dynamic NAT entry.
For example, suppose simple NAT is enabled from the Trusted to the
Optional network, and a Web server on the Optional network must see the
true Trusted addresses of its clients rather than the masqueraded address.
Add a service icon allowing Web access from the Trusted network to the
Optional Web server, and disable NAT for that service. In this
configuration, all Web access from the Trusted network to the Web server
is made with the true source IP address, and all other traffic from
Trusted to Optional is still masqueraded.
You can also use service-based NAT instead of simple dynamic NAT.
Rather than applying NAT rules globally to all outgoing packets, you can
start from the premise that no masquerading takes place and then
selectively masquerade a few individual services.
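The two configurations described above (a global simple NAT entry with a per-service exception, and no global NAT with a few services masqueraded selectively) can be modelled as a small policy evaluator. The Python below is an added example, not WatchGuard code and not a description of the Firebox's internal implementation. The addresses, service names and the option names "disable" and "enable" for the two non-default per-service settings are assumptions; the only option name taken from this page is "Use Default (Simple NAT)". The evaluator also assumes that per-service settings have no effect until service-based NAT has been enabled globally.

```python
"""Model of the dynamic NAT decision described on this page.

Added example, not WatchGuard code.  It models only whether an outgoing
packet is masqueraded, using the two layers the text describes: a global
list of simple dynamic NAT entries and a per-service override.  Service
names, addresses and the option names "disable"/"enable" are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Per-service NAT settings.  "default" is the page's "Use Default (Simple NAT)";
# "disable" and "enable" are assumed names for the remaining two options.
DEFAULT, DISABLE, ENABLE = "default", "disable", "enable"


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    dport: int
    src: ipaddress.IPv4Network   # "from" side of the service icon
    dst: ipaddress.IPv4Network   # "to" side (a single host is a /32)
    nat: str = DEFAULT


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


# Constructed addressing (assumed): Trusted 10.0.1.0/24, Optional 10.0.2.0/24,
# Optional-side Firebox interface 10.0.2.1 used as the masquerade address.
TRUSTED = ipaddress.ip_network("10.0.1.0/24")
OPTIONAL = ipaddress.ip_network("10.0.2.0/24")
WEB_SERVER = ipaddress.ip_network("10.0.2.80/32")
OPTIONAL_IF = ipaddress.ip_address("10.0.2.1")


def match_service(pkt, services):
    """First service icon whose proto, port and from/to networks match the packet."""
    for svc in services:
        if (svc.proto == pkt.proto and svc.dport == pkt.dport
                and pkt.src in svc.src and pkt.dst in svc.dst):
            return svc
    return None


def simple_nat_applies(pkt, entries):
    """True if a (from_net, to_net) pair on the Dynamic NAT Entries list covers the packet."""
    return any(pkt.src in f and pkt.dst in t for f, t in entries)


def nat_decision(pkt, entries, services, service_based_enabled, masq_addr=OPTIONAL_IF):
    """Return (source address the packet leaves with, reason string)."""
    svc = match_service(pkt, services)
    # Assumption: a per-service setting overrides the global entries only when
    # "Enable Service-Based NAT" is on AND the service is not "Use Default".
    if service_based_enabled and svc is not None and svc.nat != DEFAULT:
        if svc.nat == DISABLE:
            return pkt.src, f"service {svc.name}: NAT disabled"
        return masq_addr, f"service {svc.name}: NAT enabled"
    if simple_nat_applies(pkt, entries):
        return masq_addr, "simple dynamic NAT entry"
    return pkt.src, "no NAT rule matched"


# Scenario A (first use on the page): global simple NAT Trusted -> Optional,
# plus one service icon that disables NAT for Web access to the Optional web server.
ENTRIES_A = [(TRUSTED, OPTIONAL)]
SERVICES_A = [Service("Web-to-Optional", "tcp", 80, TRUSTED, WEB_SERVER, DISABLE)]

# Scenario B (second use): no simple NAT entries at all; masquerade only SMTP.
ENTRIES_B = []
SERVICES_B = [Service("SMTP-out", "tcp", 25, TRUSTED, OPTIONAL, ENABLE)]


def demo():
    """Constructed packets run through both scenarios; returns a dict of decisions."""
    client = ipaddress.ip_address("10.0.1.50")
    web = Packet("tcp", client, ipaddress.ip_address("10.0.2.80"), 80)
    ssh = Packet("tcp", client, ipaddress.ip_address("10.0.2.80"), 22)
    mail = Packet("tcp", client, ipaddress.ip_address("10.0.2.25"), 25)
    return {
        "A-web": nat_decision(web, ENTRIES_A, SERVICES_A, True),
        "A-ssh": nat_decision(ssh, ENTRIES_A, SERVICES_A, True),
        "A-web-checkbox-off": nat_decision(web, ENTRIES_A, SERVICES_A, False),
        "B-mail": nat_decision(mail, ENTRIES_B, SERVICES_B, True),
        "B-web": nat_decision(web, ENTRIES_B, SERVICES_B, True),
    }


if __name__ == "__main__":
    for case, (addr, why) in demo().items():
        print(f"{case:20s} leaves as {addr}  ({why})")
```

In scenario A, Web traffic to 10.0.2.80 leaves with the client's real address while SSH to the same host is masqueraded by the global entry; the "checkbox off" case shows the per-service exception being ignored when service-based NAT has not been enabled globally. In scenario B there is no global entry, so only the one service marked "enable" is masqueraded and everything else passes with its true source.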
Enabling service-based dynamic NAT
Service-based NAT is not dependent on enabling simple dynamic NAT.
From Policy Manager:
1 Select Setup => NAT. Click Advanced.
2 Select the checkbox marked Enable Service-Based NAT.
3 Click OK to close the Advanced NAT Settings dialog box. Click OK
to close the NAT Setup dialog box.
Configuring service-based dynamic NAT
By default, services take on whatever dynamic NAT properties you have
set for simple NAT. However, you can override this setting in the service’s
Properties dialog box. You have three options:
Use Default (Simple NAT)
Service-based NAT is not enabled for the service. The service uses
the simple dynamic NAT rules configured in the Dynamic NAT
Entries list, as explained in “Adding simple dynamic NAT
entries” on page 84.