Static NAT (SNAT), also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends a packet from a network to a port on an external or optional interface, static NAT changes the destination IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your Firebox manages this kind of traffic. Static NATalso operates on connections from networks that your Firebox protects.
We recommend that you configure Static NATrather than 1-to-1 NAT, especially if you have a small number of public IP addresses.
You cannot configure static NATfor an optional interface in a Device Configuration Template. For more information about how to configure an SNATaction in a Device Configuration Template, go to Configure an SNAT Action.
When you use static NAT, connections to an internal server can be addressed to a Firebox interface IPaddress instead of to the actual IPaddress of the server. For example, you can put your SMTP email server behind your Firebox with a private IP address and configure static NAT in your SMTP policy. Your Firebox then receives connections on port 25 and sends any SMTP connections to the real address of the SMTP server behind the Firebox.
- In Fireware v12.2 or higher, you can specify an FQDN in a SNAT action in addition to an IPaddress.
- In Fireware v12.2.1 or higher, you can specify the primary or secondary IP address of the loopback interface in a static NAT action. You might do this if you have provider-independent public IP addresses, or have internal IP addresses not associated with a specific interface, so that you can still use these IP addresses for NAT.
By default, a static NAT rule does not change the source IP address for inbound traffic. When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when a connection that matches the parameters in your static NAT action is received by your Firebox, it changes the source IP address to the IP address that you specify. You can specify a different source IPaddress for each SNAT member.
You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you can change the packet destination to specify a different internal host and a different port.
For a demonstration of how to configure static NAT, see the Video Tutorial Getting Started with NAT.
Add a Static NATAction
In Fireware Web UI, you must define the static NAT action before you can use it in one or more policies.
To add a static NAT action, from Fireware Web UI:
- Select Firewall >SNAT.
The SNAT page appears. - Click Add.
The Add SNAT page appears.
- In the Name text box, type a name for this SNAT action.
- (Optional) In the Description text box, type a description for this SNAT action.
- Select Static NAT.
This is the default selection. - Click Add.
The Add Member dialog box appears.
- (Fireware v12.2.1 or higher) From the IP Address or Interface drop-down list, select the IPaddress or alias of an external, optional, or loopback interface to use in this action. You can also select an IP address that belongs to a secondary network that is assigned to an external, optional, or loopback interface.
For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. To use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.
In Fireware v12.2 or lower, this drop-down list is named External/Optional IP Address. You can select the IPaddress or alias of an external or optional interface, but you cannot select the IPaddress of a loopback interface.
- (Fireware v12.2 or higher) From the Choose Type drop-down list, select Internal IPAddress or FQDN.
- If you selected Internal IP Address, in the Host text box, type an IPaddress.
- If you selected FQDN, in the Host text box, type a fully-qualified domain name.
- To specify the source IP address for this static NATaction, select the Set source IP check box. In the adjacent text box, type the source IP address.
- To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.
If you use anSNATaction in a policy that allows a connection type other than TCPor UDP, the internal port setting is not used for that connection.
- Click OK.
The static NAT route appears in the SNAT Members list. - To add another member to this action, click Add and repeat Steps 7–12.
- Click Save.
The new SNAT action appears in the SNAT page.
In Policy Manager, you can create a static NAT action and then add it to a policy, or you can create the static NAT action from within a policy configuration.
To add a static NAT action before you add it to a policy, from Policy Manager:
- Select Setup >Actions >SNAT.
The SNAT dialog box appears. - Click Add.
The Add SNAT dialog box appears.
- In the SNATName text box, type a name for this SNAT action.
- (Optional) In the Description text box, type a description for this SNAT action.
- Select Static NAT.
This is the default selection. - Click Add.
The Add Static NAT dialog box appears.
- (Fireware v12.2.1 or higher) From the IP Address or Interface drop-down list, select the IPaddress or alias of an external, optional, or loopback interface to use in this action. You can also select an IP address that belongs to a secondary network that is assigned to an external, optional, or loopback interface.
- To specify the source IP address for this static NATaction, select the Set source IP check box. In the adjacent text box, type the source IP address.
- (Fireware v12.2 or higher) From the Choose Type drop-down list, select Internal IPAddress or FQDN.
- If you selected Internal IP Address, in the Host text box, type an IPaddress.
- If you selected FQDN, in the Host text box, type a fully-qualified domain name.
- To enable port address translation (PAT), select the Set internal port to a different port check box. In the adjacent text box, type or select the port number.
For example, to use static NAT for packets addressed to only one external IP address, select that external IP address or alias. To use static NAT for packets addressed to any optional IP interface, select the Any-Optional alias.
In Fireware v12.2 or lower, this drop-down list is named External/Optional IP Address. You can select the IPaddress or alias of an external or optional interface, but you cannot select the IPaddress of a loopback interface.
If you use anSNATaction in a policy that allows connections other than TCPor UDP, the internal port setting is not used for that connection.
- Click OK.
The static NAT route appears in the SNAT Members list. - To add another member to this action, click Add and repeat Steps 7–12.
- Click OK.
The new SNAT action appears in the SNAT dialog box.
Add a Static NAT Action to a Policy
After you add a SNAT action, you can use the action in one or more policies.
To add a static NAT action to a policy, from Fireware Web UI:
- Select Firewall > Firewall Policies.
- Click the name of a policy to edit it.
- From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must allow incoming connections.<![CDATA[]]> - In the To section, click Add.
The Add Member dialog box appears.
- From the Member Type drop-down list, select Static NAT.
A list of the configured Static NAT Actions appears. - Select the static NATaction to add to this policy. Click OK.
The static NAT route appears in the To section of the policy configuration. - Click Save.
To add a static NAT action to a policy, from Policy Manager:
- Double-click a policy to edit it.
- From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must allow incoming connections. - In the To section, click Add.
The Add Address dialog box appears. - Click Add SNAT.
The SNATdialog box appears, with a list of the configured static NAT and Server Load Balancing actions.
- Select the configured SNATaction to add. Click OK.
Or, click Add to define a new static NAT action. Follow the steps in the Add a Static NATAction section to configure the static NATaction. - Click OK to close the SNAT dialog box.
The static NAT route appears in the Selected Members and Addresses list.
- Click OK to close the Add Address dialog box.
- Click OK to close the Policy Properties dialog box.
Edit or Remove a Static NATAction
To edit an SNATaction from the SNAT action list, from Fireware Web UI:
- Select Firewall >SNAT.
The SNAT page appears. - Select an SNATaction.
- Click Edit.
The Edit SNAT page appears. - Modify the SNAT action.
When you edit an SNATaction, any changes you make apply to all policies that use that SNAT action. - Click Save.
To edit an SNATaction from the SNATaction list, from Policy Manager:
- Select Setup >Actions >SNAT.
The SNAT dialog box appears. - Select an SNATaction.
- Click Edit.
The Edit SNAT page appears. - Modify the SNAT action.
When you edit an SNATaction, any changes you make apply to all policies that use that SNAT action. - Click OK.
In Policy Manager, you can also edit an SNAT action when you edit a policy.
To edit an SNATaction from a policy, from Policy Manager:
- Double-click a policy to edit it.
The Edit Policy Properties dialog box appears, with the Policy tab selected. - In the To section, select the SNAT action you want to edit.
- Click Edit.
The Edit SNATdialog box appears. - Modify the SNATaction.
When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT action. - Click OK.
You can remove any SNAT action that is not used by a policy.
To remove an SNATaction, from Fireware Web UI:
- Select Firewall >SNAT.
The SNAT page appears - Select an SNATaction.
- Click Remove.
A confirmation dialog box appears. - Click OK to confirm that you want to remove the SNAT action.
To remove an SNATaction, from Policy Manager:
- Select Setup >Actions >SNAT.
The SNAT dialog box appears. - Select an SNATaction.
- Click Remove.
A confirmation dialog box appears. - Click Yes to confirm that you want to remove the SNAT action.
- Click OK.
Change Static NATGlobal Settings
By default, the Firebox does not clear active connections when you modify a static NATaction. You can change the global SNATsetting so that the Firebox clears active connections that use an SNATaction you modify.
To change the global SNAT setting in Fireware Web UI or Policy Manager:
- Select Setup >Global Settings.
- Select System >Global Settings.
- Select the Networking tab.
- In the Traffic Flow section, select the When an SNATaction changes, clear active connections that use that SNAT action check box.
Related Topics
Configure Policy-Based Dynamic NAT
Configuration Example —Set Up a Public Web Server Behind a Firebox
Example Configuration Files — Set Up a Public Web Server Behind a Firebox
© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.