User Guide 165
Traffic Management
About Network Address Translation (NAT)
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port
translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value.
The primary purposes of NAT are to increase the number of computers that can operate off a single publicly
routable IP address, and to hide the private IP addresses of hosts on your LAN. When you use NAT, the source
IP address is changed on all the packets you send.
You can apply NAT as a general firewall setting, or as a setting in a policy. Note that firewall NAT settings do
not apply to BOVPN or Mobile VPN policies.
Types of NAT
The Firebox supports three different forms of NAT. Your configuration can use more than one type of NAT at
the same time. You apply some types of NAT to all firewall traffic, and other types as a setting in a policy.
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The Firebox can apply its public IP address to the outgoing packets for all connections or for specified services. This hides the real IP address of the computer that is the source of the packet from the external network. Dynamic NAT is generally used to hide the IP addresses of internal hosts when they get access to public services. For more information, see About dynamic NAT.
Static NAT
Static NAT, also known as port forwarding, is configured as part of a policy. Static NAT is a port-to-host NAT: a host on the external network sends a packet to a port on an external interface, and static NAT changes the destination IP address to an IP address and port behind the firewall. For more information, see About static NAT.
1-to-1 NAT
1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a different network. This type of NAT is often used to give external computers access to your public, internal servers. For more information, see About 1-to-1 NAT.
NAT behavior
When you configure NAT:
- Each interface on the Firebox X Edge e-Series must use a different TCP subnet.
- You can have only one trusted network, one optional network, and one external network. You can use a router to connect more subnets to these networks. For more information, see Connecting the Edge to more than four devices.
- The Edge always uses Dynamic NAT for traffic that goes from the trusted or optional networks to the external network.
- Dynamic NAT is not applied to BOVPN or Mobile VPN traffic.
Secondary IP addresses
You can assign eight public IP addresses to the primary external interface (WAN1). These addresses are used for 1-to-1 NAT.
When you configure secondary IP addresses on the external network:
- The primary IP address must be a static IP address. The first IP address is the primary IP address.
- All secondary IP addresses must be on the same external subnet as the primary IP address.
- You cannot configure multiple IP addresses for the WAN2 interface. The WAN2 interface must be on a different subnet than the WAN1 interface.
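The following Python model is an added illustration, not part of this guide and not the Edge's own implementation: it applies the three translations described above (dynamic NAT with a connection table so return traffic can be un-translated, static NAT on a destination port, and 1-to-1 NAT on a secondary address) to constructed packets, and checks the same-subnet rule for secondary IP addresses. All addresses, ports and mapping tables are constructed values.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addressing: WAN1 primary IP, one 1-to-1 mapping on a secondary IP,
# and one static NAT (port forwarding) rule on the primary IP.
FIREBOX_WAN = "203.0.113.10"
ONE_TO_ONE = {"10.0.1.20": "203.0.113.11"}              # internal host -> secondary public IP
STATIC_NAT = {(FIREBOX_WAN, 443): ("10.0.1.30", 8443)}  # (ext IP, ext port) -> (host, port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self):
        # Dynamic NAT state: (public IP, public port) -> (private IP, private port)
        self.conntrack = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Translate a packet leaving the trusted network for the external network."""
        if pkt.src in ONE_TO_ONE:  # 1-to-1 NAT keeps the port, swaps the address
            return replace(pkt, src=ONE_TO_ONE[pkt.src])
        # Dynamic NAT (masquerading): source becomes the WAN address with a unique port,
        # and the mapping is remembered so the reply can be routed back to the host.
        pub_port = self.next_port
        self.next_port += 1
        self.conntrack[(FIREBOX_WAN, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=FIREBOX_WAN, sport=pub_port)

    def inbound(self, pkt):
        """Translate a packet arriving on the external interface; None means no mapping (dropped)."""
        if (pkt.dst, pkt.dport) in STATIC_NAT:  # port forwarding to an internal server
            host, port = STATIC_NAT[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=host, dport=port)
        public_to_private = {pub: priv for priv, pub in ONE_TO_ONE.items()}
        if pkt.dst in public_to_private:  # 1-to-1 NAT works in both directions
            return replace(pkt, dst=public_to_private[pkt.dst])
        if (pkt.dst, pkt.dport) in self.conntrack:  # reply to a masqueraded connection
            host, port = self.conntrack[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=host, dport=port)
        return None  # unsolicited traffic with no mapping


def valid_secondary_ips(primary, secondaries, prefixlen):
    """Secondary IPs must sit on the same external subnet as the primary IP."""
    net = ipaddress.ip_network(f"{primary}/{prefixlen}", strict=False)
    return all(ipaddress.ip_address(s) in net for s in secondaries)
```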