Creating NAT Policies

For general information on NAT Policies, see Network > NAT Policies .

NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously. This section contains the following subsections:
Creating a Many-to-One NAT Policy
Creating a Many-to-Many NAT Policy
Creating a One-to-One NAT Policy for Outbound Traffic
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
Configuring One-to-Many NAT Load Balancing
Inbound Port Address Translation via One-to-One NAT Policy
Inbound Port Address Translation via WAN IP Address

For this section, the examples use the following IP addresses as examples to demonstrate the NAT policy creation and activation. You can use these examples to create NAT policies for your network, substituting your IP addresses for the examples shown here:
192.168.10.0/24 IP subnet on interface X0
67.115.118.64/27 IP subnet on interface X1
192.168.30.0/24 IP subnet on interface X2
X0 IP address is 192.168.10.1
X1 IP address is 67.115.118.68
X2 “Sales” IP address is 192.168.30.1
Web server’s “private” address at 192.168.30.200
Web server’s “public” address at 67.115.118.70
Public IP range addresses of 67.115.118.71 – 67.115.118.74

Creating a Many-to-One NAT Policy

Many-to-One is the most common NAT policy on a Dell SonicWALL Security Appliance, and allows you to translate a group of addresses into a single address. Most of the time, this means that you’re taking an internal “private” IP subnet and translating all outgoing requests into the IP address of the WAN interface of the firewall (by default, the X1 interface), such that the destination sees the request as coming from the IP address of the firewall’s WAN interface, and not from the internal private IP address.

This policy is easy to set up and activate by following these steps:
1
Go to the Network > NAT Policies page.

2
Click on the Add button. The Add NAT Policy window is displayed for adding the policy.

3
To create a NAT policy to allow all systems on the X2 interface to initiate traffic using the firewall’s WAN IP address, choose the following options:
 

Table 37. Option choices: Many-to-one NAT policy example

Option

Value

Original Source

X2 Subnet

Translated Source

WAN Primary IP

Original Destination

Any

Translated Destination

Original

Original Service

Any

Translated Service

Original

Inbound Interface

X2

Outbound Interface

X1

Comment

Enter a short description

Enable NAT Policy

Checked

Create a reflective policy

Cleared
4
Click on the Add button to add and activate the NAT Policy. The new policy is added to the NAT Policies table, and the status at the bottom of the browser window reads The configuration has been added.
5
Click the Close button to close the Add NAT Policy window.
* 
NOTE: This policy can be duplicated for subnets behind the other interfaces of the firewall — just replace the Original Source with the subnet behind that interface, adjust the source interface, and add another NAT policy.

Creating a Many-to-Many NAT Policy

The Many-to-Many NAT policy allows you to translate a group of addresses into a group of different addresses. This allows the firewall to utilize several addresses to perform the dynamic translation. If a Many-to-Many NAT Policy contains source original and source translated with same network prefix, the remaining part of the IP address will be unchanged.

This policy is easy to set up and activate by following these steps:
1
Go to the Network > Address Objects page.

2
Click on the Add… button at the bottom of the page. The Add Address Object window displays.

3
Enter a description for the range in the Name field.
4
Select WAN as the zone from the Zone Assignment drop-down menu.
5
Choose Range from the Type drop-down menu. The Add Address Object window changes.

6
Enter the range of addresses (usually public IP addresses supplied by your ISP) in the Starting IP Address and Ending IP Address fields,
7
Click on the Add button to create the range object. The new address object is added to the Address Objects table, and the status at the bottom of the browser screen reads The configuration has been added.
8
Click Close to close the Add Address Object window.
9
Navigate to the Network > NAT Policies page.

10
Click the Add button at the bottom of the Nat Policies table. The Add NAT Policy window is displayed.

11
To create a NAT policy to allow the systems on the LAN interface (by default, the X0 interface) to initiate traffic using the public range addresses, choose the following options:
 

Table 38. Option choices: Many-to-many NAT policy example

Option

Value

Original Source

LAN Primary Subnet

Translated Source

public_range

Original Destination

Any

Translated Destination

Original

Original Service

Any

Translated Service

Original

Inbound Interface

X0

Outbound Interface

X1

Comment

Enter a short description

Enable NAT Policy

Checked

Create a reflective policy

Cleared
12
Click on the Add button to add and activate the NAT Policy. The new policy is added to the NAT Policies table, and the status at the bottom of the browser window reads The configuration has been added.
13
Click on the Close button to close the Add NAT Policy window.

With this policy in place, the firewall dynamically maps outgoing traffic using the four available IP addresses in the range we created.

You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0 interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public Website http://www.whatismyip.com from each system. Each system should display a different IP address from the range we created and attached to the NAT policy.

* 
NOTE: If a Many-to-Many NAT Policy contains source original and source translated with same network prefix, the remaining part of IP address will be unchanged.

Creating a One-to-One NAT Policy for Outbound Traffic

One-to-One NAT for outbound traffic is another common NAT policy on a firewall for translating an internal IP address into a unique IP address. This is useful when you need specific systems, such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time, a NAT policy such as this One-to-One NAT policy for outbound traffic is used to map a server’s private IP address to a public IP address, and it is paired with a reflective (mirror) policy that allows any system from the public Internet to access the server, along with a matching firewall access rule that permits this. Reflective NAT policies are covered in the next section.

This policy is easy to set up and activate by following these steps:
1
Go to Network > Address Objects.

2
Click on the Add… button at the bottom of the page. The Add Address Object window displays.

3
Enter a friendly description for server’s private IP address in the Name field.
4
Select the zone that the server assigned from the Zone Assignment menu.
5
Choose Host from the Type menu.
6
Enter the server’s private IP address in the IP Address field.
7
Click Add. The new address object is added to the Address Objects table, and the status at the bottom of the browser screen reads The configuration has been added.
8
Then, create another object in the Add Address Object window for the server’s public IP address and with the correct values, and select WAN from Zone Assignment menu.
9
Click on the Add button to create the address object. The new address object is added to the Address Objects table, and the status at the bottom of the browser screen reads The configuration has been added.
10
Click Close to close the Add Address Object window.
11
Navigate to the Network > NAT Policies page.

12
Click the Add button at the bottom of the Nat Policies table. The Add NAT Policy window is displayed.

13
To create a NAT policy to allow the Web server to initiate traffic to the public Internet using its mapped public IP address, choose the following options:
 

Table 39. Option choices: One-to-one NAT policy for outbound traffic example

Option

Value

Original Source

webserver_private_ip

Translated Source

webserver_public_ip

Original Destination

Any

Translated Destination

Original

Original Service

Any

Translated Service

Original

Inbound Interface

X2

Outbound Interface

X1

Comment

Enter a short description

Enable NAT Policy

Checked

Create a reflective policy

Checked
14
When done, click on the Add button to add and activate the NAT Policy.
15
Click on the Close button to close the Add NAT Policy window.

With this policy in place, the firewall translates the server’s private IP address to the public IP address when it initiates traffic out the WAN interface (by default, the X1 interface).

You can test the One-to-One mapping by opening up a Web browser on the server and accessing the public Website http://www.whatismyip.com. The Website should display the public IP address you attached to the private IP address in the NAT policy you just created.

Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)

This is the mirror policy for the one created in the previous section when you check Create a reflective policy. It allows you to translate an external public IP addresses into an internal private IP address. This NAT policy, when paired with a “permit” access policy, allows any source to connect to the internal server using the public IP address; the firewall handles the translation between the private and public address. With this policy in place, the firewall translates the server’s public IP address to the private IP address when connection requests arrive via the WAN interface (by default, the X1 interface).

Below, you create the entry as well as the rule to allow HTTP access to the server. You need to create the access policy that allows anyone to make HTTP connections to the Web server via the Web server’s public IP address.

* 
NOTE: With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS. If you write a rule to the private IP address, the rule does not work.
To create a One-to-One NAT Policy for Inbound Traffic (Reflective)
1
Go to the Firewall > Access Rules page.

2
Choose the policy for whatever zone you put your server in by clicking its checkbox.
3
Click the Add… button to display the Add Rule window.

4
Enter in the following values:
 

Table 40. Option choices: One-to-one NAT policy for inbound traffic example

Option

Value

Action

Allow

From

Select a zone or interface

To

Select a zone or interface

Source Port

Select a port; the default is Any

NOTE: If Source Port is configured, the Access Rule will filter the traffic based on the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in Service

Service

HTTP

Source

Any

Destination

Webserver_public_ip

Users Included

All (default)

Users Excluded

None (default)

Schedule

Always on (default)

Comment

Enter a short description

Enable logging

Selected

Allow Fragmented Packets

Selected

All other options

Unselected

5
Click Add. The rule is added.
6
Click Close to close the Add Rule window.

When you are done, attempt to access the Web server’s public IP address using a system located on the public Internet. You should be able to successfully connect. If not, review this section, and the section before, and ensure that you have entered in all required settings correctly.

Configuring One-to-Many NAT Load Balancing

One-to-Many NAT policies can be used to persistently load balance the translated destination using the original source IP address as the key to persistence. For example, firewalls can load balance multiple SRA appliances, while still maintaining session persistence by always balancing clients to the correct destination SRA.

To configure One-to-Many NAT load balancing:
1
Go to the Firewall > Access Rules page.

2
Select the policy for WAN to LAN.
3
Click on the Add… button to display the Add Rule window.

4
Enter in the following values:
 

Table 41. Option choices: One-to-many NAT load balancing rule example

Option

Value

Action

Allow

From

Select a zone or interface

To

Select a zone or interface

Source Port

Select a port; the default is Any

NOTE: If Source Port is configured, the Access Rule will filter the traffic based on the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in Service.

Service

HTTPS

Source

Any

Destination

WAN Primary IP

Users Included

All

Users Excluded

None (default)

Schedule

Always on

Comment

Descriptive text, such as SSLVPN LB

Enable logging

Selected

Allow Fragmented Packets

Selected

All other options

Unselected

5
Click Add. The rule is added.
6
Click Close to close the Add Rule window.

Next, create the following NAT policy by going to the Network > NAT Policies page.

7
Click the Add button at the bottom of the Nat Policies table. The Add NAT Policy window is displayed.

8
To create a NAT policy to allow the Web server to initiate traffic to the public Internet using its mapped public IP address, choose the following options:
 

Table 42. Option choices: One-to-many NAT load balancing policy example

Option

Value

Original Source

Any

Translated Source

Original

Original Destination

WAN Primary IP

Translated Destination

Select Create new address object... to bring up the Add Address Object window.

Original Service

HTTPS

Translated Service

HTTPS

Inbound Interface

Any

Outbound Interface

Any

Comment

Descriptive text, such as SSLVPN LB

Enable NAT Policy

Selected

Create a reflective policy

Not selected
9
When done, click on the Add button to add and activate the NAT Policy.
10
Click on the Close button to close the Add NAT Policy window.

Inbound Port Address Translation via One-to-One NAT Policy

This type of NAT policy is useful when you want to conceal an internal server’s real listening port, but provide public access to the server on a different port. In the example below, you modify the NAT policy and rule created in the previous section to allow public users to connect to the private Web server on its public IP address, but via a different port (TCP 9000), instead of the standard HTTP port (TCP 80).

1
Create a custom service for the different port.
a
Go to the Network > Services page.

b
On the Service Objects tab, click the Add… button at the bottom of the tab. The Add Service window displays.

c
Give your custom service a friendly name such as webserver_public_port.
d
Select TCP(6) from the Protocol drop-down menu. The Sub Type drop-down menu is dimmed.
e
For the Port Range fields, enter in 9000 as the starting port number for the service and as its ending port number.
f
When done, click on the Add button to save the custom service. The message Done adding Service object entry displays and the Service Objects tab is updated.

g
Click Close to close the Add Service window
2
Modify the NAT policy created in the previous section that allowed any public user to connect to the Web server on its public IP address.
a
Go to the Network > NAT Policies menu.

b
Click on the Edit button next to this NAT policy. The Edit NAT Policy window is displayed for editing the policy.

c
Edit the NAT policy with the following options:
 

Table 44. Option choices: Inbound port address translation via one-to-one NAT policy example

Option

Value

Original Source

Any

Translated Source

Original

Original Destination

webserver_public_ip

Translated Destination

webserver_private_ip

Original Service

webserver_public_port (or whatever you named it above)

Translated Service

HTTP

Inbound Interface

X1

Outbound Interface

Any

Comment

Enter a short description

Enable NAT Policy

Checked
* 
NOTE: Make sure you chose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is actually the correct thing to do (if you try to specify the interface, you get an error).
d
When finished, click on the OK button to add and activate the NAT Policy.

With this policy in place, the firewall translates the server’s public IP address to the private IP address when connection requests arrive from the WAN interface (by default, the X1 interface), and translates the requested protocol (TCP 9000) to the server’s actual listening port (TCP 80).

3
Finally, modify the firewall access rule created in the previous section to allow any public user to connect to the Web server on the new port (TCP 9000) instead of the server’s actual listening port (TCP 80).
a
Navigate to the Firewall > Access Rules page.

 

b
Select the policy for whatever zone you put your server in.
c
Click the Edit button to bring up the previously created policy in the Edit Rule window.

 

d
Edit the following values:
 

Table 45. Option choices: Inbound port address translation via one-to-one NAT policy rule example

Option

Value

Action

Allow

Service

server_public_port (or whatever you named it above)

Source

Any

Destination

webserver_public_ip

Users Allowed

All

Schedule

Always on

Logging

Checked

Comment

Enter a short description
e
Click OK.

When you’re done, attempt to access the Web server’s public IP address using a system located on the public Internet on the new custom port (example: http://67.115.118.70:9000). You should be able to successfully connect. If not, review this section, and the section before, and ensure that you have entered in all required settings correctly.

Inbound Port Address Translation via WAN IP Address

This is one of the more complex NAT policies you can create on a firewall running SonicOS – it allows you to use the WAN IP address of the firewall to provide access to multiple internal servers. This is most useful in situations where your ISP has only provided a single public IP address, and that IP address has to be used by the firewall’s WAN interface (by default, the X1 interface).

Below, you create the programming to provide public access to two internal Web servers via the firewall’s WAN IP address; each is tied to a unique custom port. In the following examples, you set up two, but it is possible to create more than these as long as the ports are all unique.

In this section, there are five tasks to complete:

1
Create two custom service objects for the unique public ports the servers respond on.
2
Create two address objects for the servers’ private IP addresses.
3
Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4
Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the firewall’s WAN IP address.
5
Create two access rule entries to allow any public user to connect to both servers via the firewall’s WAN IP address and the servers’ respective unique custom ports.
To complete this configuration, perform the following steps:
1
Create a custom service for the two ports.
1
Go to the Firewall > Services page
2
Click the Add button. The Add Service window displays.
3
Give your custom services names such as servone_public_port and servtwo_public_port.
4
Select TCP(6) as the protocol.
5
Enter in 9100 and 9200 as the starting and ending port.
6
After configuring each custom service, click the Add button to save the custom services.
7
After configuring both custom services, click the Close button.
2
Go to the Network > Address Objects page.
1
Click the Add button at the bottom of the page. The Add Address Object window displays.
2
Enter a descriptive name for server’s private IP addresses, such as public_ports, in the Name field.
3
Select the zone that the servers are in from the Zone Assignment drop-down menu.
4
Choose Host from the Type drop-down menu.
5
Enter the server’s private IP addresses in the IP Address field.
6
After configuring the address object, click the Add button to create the address object.
7
Click the Close button to close the window.
3
Go to the Network > NAT Policies page.
1
Click on the Add button at the bottom of the page. The Add NAT Policy window displays.
2
To create a NAT policy to allow the two servers to initiate traffic to the public Internet using the firewall’s WAN IP address, choose the following options:
 

Table 46. Option choices: Two servers to initiate traffic to the Internet example

Option

Server one values

Server two values

Original Source

servone_private_ip

servtwo_private_ip

Translated Source

WAN Primary IP

WAN Primary IP

Original Destination

Any

Any

Translated Destination

Original

Original

Original Service

Any

Any

Translated Service

Original

Original

Inbound Interface

X2

X2

Outbound Interface

X1

X1

Comment

Enter a short description

Enter a short description

Enable NAT Policy

Checked

Checked

Create a reflective policy

Cleared

Cleared
3
After configuring the NAT policy for each server, click the Add button to add and activate that NAT policy.
4
When finished, click the Close button to close the Add NAT Policy window.

With these policies in place, the firewall translates the servers’ private IP addresses to the public IP address when it initiates traffic out the WAN interface (by default, the X1 interface).

4
Click the Add button on the Network > NAT Policies page again. The Add NAT Policy window is displayed.
1
To create the NAT policies to map the custom ports to the servers’ real listening ports and to map the firewall’s WAN IP address to the servers’ private addresses, choose the following options:
 

Table 47. Option choices: Mapping custom ports to servers example

Option

Server one values

Server two values

Original Source

Any

Any

Translated Source

Original

Original

Original Destination

WAN Primary IP

WAN Primary IP

Translated Destination

servone_private_ip

servtwo_private_ip

Original Service

servone_public_port

servtwo_public_port

Translated Service

HTTP

HTTP

Inbound Interface

X1

X1

Outbound Interface

Any

Any

NOTE: Make sure you choose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is actually the correct thing to do (if you try to specify the interface, you get an error).

Comment

Enter a short description

Enter a short description

Enable NAT Policy

Checked

Checked

Create a reflective policy

Cleared

Cleared
2
After configuring the NAT policy for each server, click the Add button to add and activate that NAT policy.
3
When finished, click the Close button to close the Add NAT Policy window.

With these policies in place, the firewall translates the server’s public IP address to the private IP address when connection requests arrive from the WAN interface (by default, the X1 interface).

5
Create the access rules that allows anyone from the public Internet to access the two Web servers using the custom ports and the firewall’s WAN IP address.
1
Go to the Firewall > Access Rules page
2
Choose the policy for the WAN to Sales zone.
3
Click the Add… button. The Add Rule window displays.
4
To create the Access Rules, enter the following values:
 

Table 48. Option choices: Creating Access Rules example

Option

Server one values

Server two values

Action

Allow

Allow

Service

servone_public_port

servtwo_public_port

Source

Any

Any

Destination

WAN IP address

WAN IP address

Users Allowed

All

All

Schedule

Always on

Always on

Logging

checked

checked

Comment

Enter a short description

Enter a short description
5
After configuring the Access Rule for each server, click the Add button to add and activate that Access Rule.
6
When finished, click the Close button to close the Add Rule window.

When you’re finished, attempt to access the Web servers via the firewall’s WAN IP address using a system located on the public Internet on the new custom port (for example: http://67.115.118.70:9100 and http://67.115.118.70:9200). You should be able to successfully connect. If not, review this section, and the section before, and ensure that you have entered in all required settings correctly.