Configure Static NAT (SNAT) (2024)

Static NAT (SNAT), also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends a packet from a network to a port on an external or optional interface, static NAT changes the destination IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your Firebox manages this kind of traffic. Static NAT also operates on connections from networks that your Firebox protects.

We recommend that you configure static NAT rather than 1-to-1 NAT, especially if you have a small number of public IP addresses.

You can configure static NAT for connections to an external or optional Firebox interface. You cannot configure static NAT for connections to a trusted or custom interface. You cannot configure static NAT for BOVPN or mobile VPN connections.

You cannot configure static NAT for an optional interface in a Device Configuration Template. For more information about how to configure an SNAT action in a Device Configuration Template, go to Configure an SNAT Action.

When you use static NAT, connections to an internal server can be addressed to a Firebox interface IP address instead of to the actual IP address of the server. For example, you can put your SMTP email server behind your Firebox with a private IP address and configure static NAT in your SMTP policy. Your Firebox then receives connections on port 25 and sends any SMTP connections to the real address of the SMTP server behind the Firebox.

  • In Fireware v12.2 or higher, you can specify an FQDN in a SNAT action in addition to an IP address.
  • In Fireware v12.2.1 or higher, you can specify the primary or secondary IP address of the loopback interface in a static NAT action. You might do this if you have provider-independent public IP addresses, or have internal IP addresses not associated with a specific interface, so that you can still use these IP addresses for NAT.

By default, a static NAT rule does not change the source IP address for inbound traffic. When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when a connection that matches the parameters in your static NAT action is received by your Firebox, it changes the source IP address to the IP address that you specify. You can specify a different source IP address for each SNAT member.

You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you can change the packet destination to specify a different internal host and a different port.
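The translation behaviour described above, modelled as an added example (not WatchGuard code and not Fireware configuration syntax). The class and field names are hypothetical, the addresses are constructed sample values, and the TCP/UDP restriction on the internal port is the one this page states in the steps to add a member.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]    # None for protocols without ports

@dataclass(frozen=True)
class SnatMember:              # hypothetical model of one SNAT member
    external_ip: str           # Firebox interface address clients connect to
    internal_host: str         # real address of the server behind the Firebox
    source_ip: Optional[str] = None      # "Set source IP" option
    internal_port: Optional[int] = None  # "Set internal port to a different port" (PAT)

def translate(pkt: Packet, member: SnatMember) -> Optional[Packet]:
    """Rewrite one inbound packet as the page describes, or return None."""
    if pkt.dst_ip != member.external_ip:
        return None                                  # not addressed to this member
    out = replace(pkt, dst_ip=member.internal_host)  # destination always changes
    if member.source_ip is not None:
        out = replace(out, src_ip=member.source_ip)  # default: source is left alone
    # The internal port setting is only used for TCP and UDP connections.
    if member.internal_port is not None and pkt.proto in ("tcp", "udp"):
        out = replace(out, dst_port=member.internal_port)
    return out

# Constructed sample values (documentation address ranges, not from the page).
SMTP = SnatMember(external_ip="203.0.113.10", internal_host="10.0.1.25")
WEB = SnatMember(external_ip="203.0.113.10", internal_host="10.0.1.80",
                 source_ip="10.0.1.1", internal_port=8080)

def demo():
    client = "198.51.100.7"
    mail = translate(Packet("tcp", client, "203.0.113.10", 25), SMTP)
    web = translate(Packet("tcp", client, "203.0.113.10", 80), WEB)
    ping = translate(Packet("icmp", client, "203.0.113.10", None), WEB)
    miss = translate(Packet("tcp", client, "203.0.113.99", 25), SMTP)
    return mail, web, ping, miss

if __name__ == "__main__":
    for result in demo():
        print(result)
```

When a member sets a source IP, the server's own logs record that configured address instead of the client's.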

For a demonstration of how to configure static NAT, see the Video Tutorial Getting Started with NAT.

Add a Static NAT Action

In Fireware Web UI, you must define the static NAT action before you can use it in one or more policies.

To add a static NAT action, from Fireware Web UI:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Click Add.
    The Add SNAT page appears.


  3. In the Name text box, type a name for this SNAT action.
  4. (Optional) In the Description text box, type a description for this SNAT action.
  5. Select Static NAT.
    This is the default selection.
  6. Click Add.
    The Add Member dialog box appears.


  7. (Fireware v12.2.1 or higher) From the IP Address or Interface drop-down list, select the IP address or alias of an external, optional, or loopback interface to use in this action. You can also select an IP address that belongs to a secondary network that is assigned to an external, optional, or loopback interface.

    For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. To use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.

    In Fireware v12.2 or lower, this drop-down list is named External/Optional IP Address. You can select the IP address or alias of an external or optional interface, but you cannot select the IP address of a loopback interface.

  8. (Fireware v12.2 or higher) From the Choose Type drop-down list, select Internal IP Address or FQDN.
    1. If you selected Internal IP Address, in the Host text box, type an IP address.
    2. If you selected FQDN, in the Host text box, type a fully-qualified domain name.
  9. To specify the source IP address for this static NAT action, select the Set source IP check box. In the adjacent text box, type the source IP address.
  10. To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.

    If you use an SNAT action in a policy that allows a connection type other than TCP or UDP, the internal port setting is not used for that connection.

  11. Click OK.
    The static NAT route appears in the SNAT Members list.
  12. To add another member to this action, click Add and repeat Steps 7–12.
  13. Click Save.
    The new SNAT action appears in the SNAT page.

In Policy Manager, you can create a static NAT action and then add it to a policy, or you can create the static NAT action from within a policy configuration.

To add a static NAT action before you add it to a policy, from Policy Manager:

  1. Select Setup > Actions > SNAT.
    The SNAT dialog box appears.
  2. Click Add.
    The Add SNAT dialog box appears.


  3. In the SNAT Name text box, type a name for this SNAT action.
  4. (Optional) In the Description text box, type a description for this SNAT action.
  5. Select Static NAT.
    This is the default selection.
  6. Click Add.
    The Add Static NAT dialog box appears.


  7. (Fireware v12.2.1 or higher) From the IP Address or Interface drop-down list, select the IP address or alias of an external, optional, or loopback interface to use in this action. You can also select an IP address that belongs to a secondary network that is assigned to an external, optional, or loopback interface.

    For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. To use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.

    In Fireware v12.2 or lower, this drop-down list is named External/Optional IP Address. You can select the IP address or alias of an external or optional interface, but you cannot select the IP address of a loopback interface.

  8. To specify the source IP address for this static NAT action, select the Set source IP check box. In the adjacent text box, type the source IP address.
  9. (Fireware v12.2 or higher) From the Choose Type drop-down list, select Internal IP Address or FQDN.
    1. If you selected Internal IP Address, in the Host text box, type an IP address.
    2. If you selected FQDN, in the Host text box, type a fully-qualified domain name.
  10. To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.

    If you use an SNAT action in a policy that allows connections other than TCP or UDP, the internal port setting is not used for that connection.

  11. Click OK.
    The static NAT route appears in the SNAT Members list.
  12. To add another member to this action, click Add and repeat Steps 7–12.
  13. Click OK.
    The new SNAT action appears in the SNAT dialog box.

Add a Static NAT Action to a Policy

After you add a SNAT action, you can use the action in one or more policies.

To add a static NAT action to a policy, from Fireware Web UI:

  1. Select Firewall > Firewall Policies.
  2. Click the name of a policy to edit it.
  3. From the Connections are drop-down list, select Allowed.
    To use static NAT, the policy must allow incoming connections.
  4. In the To section, click Add.
    The Add Member dialog box appears.


  5. From the Member Type drop-down list, select Static NAT.
    A list of the configured Static NAT Actions appears.
  6. Select the static NAT action to add to this policy. Click OK.
    The static NAT route appears in the To section of the policy configuration.
  7. Click Save.

To add a static NAT action to a policy, from Policy Manager:

  1. Double-click a policy to edit it.
  2. From the Connections are drop-down list, select Allowed.
    To use static NAT, the policy must allow incoming connections.
  3. In the To section, click Add.
    The Add Address dialog box appears.
  4. Click Add SNAT.
    The SNAT dialog box appears, with a list of the configured static NAT and Server Load Balancing actions.


  5. Select the configured SNAT action to add. Click OK.
    Or, click Add to define a new static NAT action. Follow the steps in the Add a Static NAT Action section to configure the static NAT action.
  6. Click OK to close the SNAT dialog box.
    The static NAT route appears in the Selected Members and Addresses list.


  7. Click OK to close the Add Address dialog box.
  8. Click OK to close the Policy Properties dialog box.

Edit or Remove a Static NAT Action

You can edit an SNAT action from the SNAT action list.

To edit an SNAT action from the SNAT action list, from Fireware Web UI:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Edit.
    The Edit SNAT page appears.
  4. Modify the SNAT action.
    When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
  5. Click Save.

To edit an SNAT action from the SNAT action list, from Policy Manager:

  1. Select Setup > Actions > SNAT.
    The SNAT dialog box appears.
  2. Select an SNAT action.
  3. Click Edit.
    The Edit SNAT page appears.
  4. Modify the SNAT action.
    When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
  5. Click OK.

In Policy Manager, you can also edit an SNAT action when you edit a policy.

To edit an SNAT action from a policy, from Policy Manager:

  1. Double-click a policy to edit it.
    The Edit Policy Properties dialog box appears, with the Policy tab selected.
  2. In the To section, select the SNAT action you want to edit.
  3. Click Edit.
    The Edit SNAT dialog box appears.
  4. Modify the SNAT action.
    When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT action.
  5. Click OK.

You can remove any SNAT action that is not used by a policy.

To remove an SNAT action, from Fireware Web UI:

  1. Select Firewall > SNAT.
    The SNAT page appears.
  2. Select an SNAT action.
  3. Click Remove.
    A confirmation dialog box appears.
  4. Click OK to confirm that you want to remove the SNAT action.

To remove an SNAT action, from Policy Manager:

  1. Select Setup > Actions > SNAT.
    The SNAT dialog box appears.
  2. Select an SNAT action.
  3. Click Remove.
    A confirmation dialog box appears.
  4. Click Yes to confirm that you want to remove the SNAT action.
  5. Click OK.

Change Static NAT Global Settings

By default, the Firebox does not clear active connections when you modify a static NAT action. You can change the global SNAT setting so that the Firebox clears active connections that use an SNAT action you modify.

To change the global SNAT setting in Fireware Web UI or Policy Manager:

  1. Select Setup > Global Settings.
  2. Select System > Global Settings.
  3. Select the Networking tab.
  4. In the Traffic Flow section, select the When an SNAT action changes, clear active connections that use that SNAT action check box.

Related Topics

Configure Policy-Based Dynamic NAT

Configuration Example — Set Up a Public Web Server Behind a Firebox

Example Configuration Files — Set Up a Public Web Server Behind a Firebox

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.
