Configuring NAT

Types of NAT  

• SNAT – Translates source IP address and source port 

• DNAT – Translations the destination IP address and destination port 

• NAT64 – Translations IPv6 to IPv4 

• NAT46 – Translates IPv4 to IPv6 

• NAT66 – Translates IPv6 to IPv6 

• SNAT uses the outgoing interface address or configured IP pool 

• DNAT uses the configured Virtual IP (VIP) as the destination address. 

Configuring SNAT 

• There are 2 ways to configure SNAT, Policy & Objects > select a policy > Use Outgoing Interface Address or Use Dynamic Pool 

• To create an IP pool for NAT: 

1. 1. Policy & Objects > IP Pools 

   2. Choose either: Overload (Default - PAT), One to One, Fixed port range (CG-NAT), Port block allocation (CG-NAT).  

   3. One to One mapping is allocated to one internal host at a time on a first-come first-serve basis. Fixed port range is used by ISP enable multiple hosts to share a single IP address.  

   4. Port block allocation enables you specify the range of external addresses. 

   5. After creating the IP Pool for NAT, go to Policy & Objects > Firewall Policy > select Use Dynamic IP Pool > select the newly create IP pool. 

Troubleshooting Fixed Port Range

• Use the following commands to troubleshoot Fixed Port Range: 

  • diagnose firewall ippool list – Check the IP block size and number of blocks for IP pool 

  • diagnose firewall ippool-fixed-range list natip <IP address> - Detailed external address and port assignment per internal address. Find where an external address is used within NAT. 

  • diagnose firewall ippool-fixed-range list natip <IP address> <port> - Obtain a specific port block for internal address 

Virtual IP (VIP) 

• VIPs are DNAT objects that's currently used within Static NAT and Port Forwarding. 

• To create a VIP, Policy & Objects  > Virtual IPs 

• To assign a VIP, Policy & Objects > Firewall Policy > select a policy >, Policy & Objects  

• Firewall policies and VIPs are stored separately. 

Configuring Central NAT 

• By default, Central NAT is disable. 

• Enable Central NAT, System > Settings > Central SNAT 

• When Central NAT is enable, you can configure it on Policy & Objects > Central SNAT 

• The following are SNAT policy matching criteria: 

  • Incoming interface 

  • Outgoing interface 

  • Source address 

  • Destination address 

  • Protocol 

  • Source port  

• When Central NAT is enable, VIPs and Firewall Policies are no longer reference. 

• DNAT takes place before firewall policy lookup 

Troubleshooting

• List all configured NAT IP pools with NAT IP ranges and type: 

  • diagnose firewall ippool-all list 

• List stats for all of the IP pools: 

  • diagnose firewall ippool-all stats <IP pool name>