User guide
Traffic Management
166 Firebox X Edge e-Series
About dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing
connection to the public IP address of the Firebox. Outside the Firebox, you see only the external interface IP
address of the Firebox on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security for
internal hosts that use the Internet, because it hides the IP addresses of hosts on your network. With dynamic
NAT, all connections must start from behind the Firebox. Malicious hosts cannot start connections to the
computers behind the Firebox when the Firebox is configured for dynamic NAT.
The Edge automatically uses dynamic NAT on all outgoing traffic. If you want outgoing traffic from a host on
the trusted or optional network to show an IP address that is different from the primary IP address on the
external network, you must use 1-to-1 NAT. For more information, see About 1-to-1 NAT
.
About static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. A host sends a packet from the external
network to a port on an external interface. Static NAT changes this IP address to an IP address and port behind
the firewall. If a software application uses more than one port and the ports are selected dynamically, you
must use 1-to-1 NAT or check whether a proxy on the Firebox will manage this kind of traffic.
When you use static NAT, you use an external IP address of your Firebox instead of the IP address of a public
server. You could do this because you choose to, or because your public server does not have a public IP
address. For example, you can put your SMTP email server behind the Firebox with a private IP address and
configure static NAT in your SMTP policy. The Firebox receives connections on port 25 and makes sure that
any SMTP traffic is sent to the real SMTP server behind the Firebox.
You configure static NAT with incoming firewall policies. For more information, see About using common
packet filter policies.
About 1-to-1 NAT
When you enable 1-to-1 NAT, the Firebox changes and routes all incoming and outgoing packets sent from
one range of addresses to a different range of addresses. A 1-to-1 NAT rule always has precedence over
dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that must
be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You do not have to
change the IP address of your internal servers. When you have a group of similar servers (for example, a group
of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers.
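The three NAT behaviours described above (dynamic NAT on outgoing traffic, static NAT on incoming policies, and 1-to-1 NAT taking precedence over dynamic NAT) can be traced through a small address-rewriting model. This is an added illustration, not WatchGuard code; the external address 203.0.113.1, the public address 203.0.113.11 and the SMTP host 10.1.1.20 are constructed for the example, and 10.1.1.1 is the first of the trusted addresses used in the Company ABC example below.

```python
from dataclasses import dataclass

# Constructed addresses for this example (not from the guide; RFC 5737 documentation ranges)
EXTERNAL_IP = "203.0.113.1"                 # primary IP of the Firebox external interface
ONE_TO_ONE = {"10.1.1.1": "203.0.113.11"}   # 1-to-1 NAT rule: private address -> public address
STATIC_NAT = {25: ("10.1.1.20", 25)}        # static NAT (port forwarding): external port -> (host, port)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firebox:
    """Toy model of the three NAT types; it only rewrites addresses, nothing is sent."""

    def __init__(self):
        self.dyn_table = {}      # (src, sport, dst, dport) -> public port allocated by dynamic NAT
        self.next_port = 40000   # next free public port for dynamic NAT

    def outbound(self, pkt):
        # A 1-to-1 NAT rule always has precedence over dynamic NAT.
        if pkt.src in ONE_TO_ONE:
            return Packet(ONE_TO_ONE[pkt.src], pkt.sport, pkt.dst, pkt.dport), "1-to-1"
        # Dynamic NAT: every other outgoing packet shows the external interface IP.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.dyn_table:
            self.dyn_table[key] = self.next_port
            self.next_port += 1
        return Packet(EXTERNAL_IP, self.dyn_table[key], pkt.dst, pkt.dport), "dynamic"

    def inbound(self, pkt):
        public_to_private = {pub: priv for priv, pub in ONE_TO_ONE.items()}
        if pkt.dst in public_to_private:          # 1-to-1 NAT also rewrites incoming packets
            return Packet(pkt.src, pkt.sport, public_to_private[pkt.dst], pkt.dport), "1-to-1"
        if pkt.dst == EXTERNAL_IP:
            if pkt.dport in STATIC_NAT:           # static NAT: port on external IP -> host behind firewall
                host, port = STATIC_NAT[pkt.dport]
                return Packet(pkt.src, pkt.sport, host, port), "static"
            # Reply to a session that started from behind the Firebox (matched on the full tuple).
            for (src, sport, dst, dport), pub_port in self.dyn_table.items():
                if (pkt.src, pkt.sport, pkt.dport) == (dst, dport, pub_port):
                    return Packet(pkt.src, pkt.sport, src, sport), "dynamic-reply"
        # No rule and no existing session: an outside host cannot start a connection inward.
        return None, "dropped"
```

The last branch is the point the guide makes about dynamic NAT: an unsolicited packet to the external address is dropped unless a static NAT policy or a 1-to-1 rule explicitly maps it inward.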
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of their
Firebox. These addresses are:
10.1.1.1
10.1.1.2
10.1.1.3
10.1.1.4
10.1.1.5