NAT Policy Configuration
You can configure NAT policies in different ways to manage specific network needs. You can:
- Expose an internal server to an external network.
In this configuration, you define a static translation from an external IP address to an internal IP address so that the internal server can be reached from outside the network. Traffic sent to the server targets the external IP address, or IP address and port, and is translated into the internal IP address, or IP address and port. Return traffic from the server is translated back to the external address.
- Allow an internal host or server to connect to an external application.
In this configuration, you define a static translation from an internal address to an external address. This allows the internal host or server to initiate a connection to an external application that expects the internal host or server to have a specific IP address and port. Because that address must stay fixed, the system cannot allocate it dynamically.
- Hide private network addresses from an external network.
You can obscure your internal network addresses using either of the following configurations:
  - If you have enough external IP addresses to satisfy your internal network needs, you can use a block of IP addresses. In this configuration, you create a dynamic translation that automatically converts the source IP address of any outgoing traffic to an unused IP address from your externally facing IP addresses.
  - If you do not have enough external IP addresses to satisfy your internal network needs, you can use a limited block of IP addresses and port translation. In this configuration, you create a dynamic translation that automatically converts the source IP address and port of outgoing traffic to an unused IP address and port from your externally facing IP addresses.
Caution: In 7000 or 8000 Series device high-availability pairs, only select an individual peer interface for a static NAT rule on a paired device if all networks affected by the NAT translations are private. Do not use this configuration for static NAT rules affecting traffic between public and private networks.
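The following simulator is an added example and is not Cisco code; it models the NAT configurations described above so you can see, on constructed packets, what each rule does to the first packet and to the return traffic. It treats both static cases as one fixed one-to-one mapping (the two differ only in which side sends the first packet), and the dynamic rules show the failure mode that motivates port translation: when the external pool is exhausted, a one-to-one dynamic rule can give a new host nothing, while a port-translating rule keeps serving flows until every (address, port) pair is in use. All addresses (RFC 5737 documentation ranges), ports, and the class and function names (StaticNat, DynamicNat, DynamicPat, translate, sample_rules) are assumptions made for this example.

```python
"""Added example, not Cisco code: a simulator of the NAT rule types this section
describes. All addresses, ports and rules below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """Fixed one-to-one mapping internal (ip, port) <-> external (ip, port); a port of
    None leaves ports untouched. Covers both static cases: exposing a server (outside
    initiates) and an internal host that must present a fixed address (inside initiates)."""
    def __init__(self, internal, external):
        self.internal, self.external = internal, external

    @staticmethod
    def _match(ip, port, spec):
        return ip == spec[0] and spec[1] in (None, port)

    def outbound(self, pkt):  # inside -> outside: rewrite the source
        if self._match(pkt.src_ip, pkt.src_port, self.internal):
            return replace(pkt, src_ip=self.external[0], src_port=self.external[1] or pkt.src_port)

    def inbound(self, pkt):  # outside -> inside: rewrite the destination
        if self._match(pkt.dst_ip, pkt.dst_port, self.external):
            return replace(pkt, dst_ip=self.internal[0], dst_port=self.internal[1] or pkt.dst_port)


class DynamicNat:
    """One-to-one dynamic NAT: each internal host takes an unused pool address."""
    def __init__(self, internal_net, pool):
        self.net, self.free = ipaddress.ip_network(internal_net), list(pool)
        self.forward, self.reverse = {}, {}  # internal ip <-> external ip

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src_ip) not in self.net:
            return None
        if pkt.src_ip not in self.forward:
            if not self.free:
                return None  # pool exhausted: this host gets no translation
            ext = self.free.pop(0)
            self.forward[pkt.src_ip], self.reverse[ext] = ext, pkt.src_ip
        return replace(pkt, src_ip=self.forward[pkt.src_ip])

    def inbound(self, pkt):
        if pkt.dst_ip in self.reverse:
            return replace(pkt, dst_ip=self.reverse[pkt.dst_ip])


class DynamicPat:
    """Dynamic NAT with port translation: many hosts share few external addresses."""
    def __init__(self, internal_net, pool, ports=(1024, 65535)):
        self.net, self.last_port = ipaddress.ip_network(internal_net), ports[1]
        self.next_port = {ip: ports[0] for ip in pool}  # next free port per pool address
        self.forward, self.reverse = {}, {}  # (int ip, port) <-> (ext ip, port)

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src_ip) not in self.net:
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.forward:
            free = [(ip, p) for ip, p in self.next_port.items() if p <= self.last_port]
            if not free:
                return None  # every (address, port) pair in the pool is in use
            ext_ip, port = free[0]
            self.next_port[ext_ip] = port + 1
            self.forward[key], self.reverse[(ext_ip, port)] = (ext_ip, port), key
        return replace(pkt, src_ip=self.forward[key][0], src_port=self.forward[key][1])

    def inbound(self, pkt):
        key = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if key is not None:
            return replace(pkt, dst_ip=key[0], dst_port=key[1])


def translate(rules, direction, pkt):
    """Apply the first rule that claims the packet; unmatched traffic passes untranslated."""
    for rule in rules:
        out = getattr(rule, direction)(pkt)
        if out is not None:
            return out
    return pkt


def sample_rules():
    """Constructed policy covering all four configurations (RFC 5737 addresses)."""
    return [
        StaticNat(("192.168.1.10", 8443), ("203.0.113.10", 443)),  # expose a server
        StaticNat(("192.168.1.20", None), ("203.0.113.20", None)),  # fixed source address
        DynamicNat("192.168.2.0/24", ["203.0.113.30"]),  # a single pool address
        DynamicPat("192.168.3.0/24", ["203.0.113.40"], ports=(40000, 40001)),  # two ports
    ]
```

With `sample_rules()`, an outside client sending to 203.0.113.10:443 is delivered to 192.168.1.10:8443 and the server's reply is rewritten back to the external pair; the second host in 192.168.2.0/24 finds the one-address pool already taken and leaves untranslated, whereas the PAT rule carries two flows through one address and only refuses the third because its deliberately tiny port range is used up. Rule order matters here just as in a real policy: the first rule that claims a packet wins.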
NAT Policies Configuration Guidelines
To configure a NAT policy, you must give the policy a unique name and identify the devices, or targets, where you want to deploy the policy. You can also add, edit, delete, enable, and disable NAT rules. After you create or modify a NAT policy, you can deploy the policy to all or some targeted devices.
You can deploy NAT policies to a 7000 or 8000 Series device high-availability pair, including paired stacks, as you would a standalone device. However, you can define static NAT rules for interfaces on individual paired devices or the entire high-availability pair and use the interfaces in source zones. For dynamic rules, you can use only the interfaces on the whole high-availability pair in source or destination zones.
Caution: In 7000 or 8000 Series device high-availability pairs, only select an individual peer interface for a static NAT rule on a paired device if all networks affected by the NAT translations are private. Do not use this configuration for static NAT rules affecting traffic between public and private networks.
If you configure dynamic NAT on a device high-availability pair without HA link interfaces established, both paired devices independently allocate dynamic NAT entries, and the system cannot synchronize the entries between devices.
You can deploy NAT policies to a device stack as you would a standalone device. If you establish a device stack from devices that were included in a NAT policy and had rules associated with interfaces from the secondary device that was a member of the stack, the interfaces from the secondary device remain in the NAT policy. You can save and deploy policies with the interfaces, but the rules do not provide any translation.
Note: Active FTP is not supported on a 7000 or 8000 Series device with NAT configured; use passive FTP instead.
In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can target NAT policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.