Element-based NAT and how it works
With element-based NAT, you select which elements have their own NAT address and define the NAT addresses for those elements.
What element-based NAT does
You can add NAT definitions to the following types of elements:
- Engines — Single Firewalls, Firewall Clusters, Master Engines, and Virtual Firewalls
- Servers — Active Directory Servers, DHCP Servers, Elasticsearch Clusters, External DNS Servers, ICAP Servers, LDAP Servers, Log Servers, Management Servers, NTP Servers, Proxy Servers, RADIUS Authentication Servers, SMTP Servers, TACACS+ Authentication Servers, and Web Portal Servers
- Some elements in the Network Elements branch of the Configuration view, for example, Address Ranges, Groups, Hosts, Networks, and Routers.
In addition to using element-based NAT, you can manually add NAT rules to the Firewall Policy if you want to configure NAT in more detail. Remember, however, that a more specific manually created NAT rule might prevent traffic from matching NAT rules that are automatically generated from NAT definitions. For more information about manually adding NAT rules, see the topic that explains how firewall NAT rules work.
You can also use a default NAT address for all internal networks to automatically translate traffic from internal networks to the public IP address of the external interface. This can be useful, for example, in simple network environments. Default NAT can only be selected in the engine properties.
An internal element that has a static NAT definition can be used in the Destination cell of an Access rule. Traffic also matches the destination IP address that corresponds to the element’s public IP address in the NAT definition.
What do I need to know before I begin?
- NAT rules are automatically generated and organized in the Firewall Policy based on the NAT definitions created in the element properties.
- NAT rules generated from NAT definitions are not visible in the Firewall Policy, and are applied after the NAT rules that you have added manually to the policy.
- The Secure SD-WAN Manager automatically generates both the source and destination NAT rules from the NAT definitions.