Network address translation and how it works

Network address translation (NAT) changes the source or destination IP address or port for packets traversing the firewall.

NAT is most often used to hide internal networks behind a single or just a few routable IP addresses on the external network. NAT is also often used to translate an external, routable destination address into the private internal address of a server. For destination NAT, port translation (sometimes referred to as PAT) is also possible when the protocol in question uses ports. Port translation can be used to redirect a standard service, such as HTTP (port 80/TCP), to a non-standard port (for example, port 8080/TCP). The NAT rules are stored in policy elements.

NAT is applied to traffic that has already been allowed by Access rules that have connection tracking enabled. If you have Access rules that turn off connection tracking for some traffic, you cannot use address translation with those connections.

There are five possible methods for network address translation (these methods are explained in more detail in the next sections):
  • Static source translation, which translates each single IP address to some other single IP address (one-to-one relationship).
  • Dynamic source translation, which translates several IP addresses to a single IP address or a small pool of IP addresses (many-to-one/many-to-some relationship) differentiated by port. This method is not supported with Multi-Link if the Loose connection tracking mode is used.
  • Static destination translation, which translates each single IP address to some other single IP address (one-to-one relationship).
  • Destination port translation, which translates a port to a different one (one-to-one relationship).
  • Both source translation and destination translation for the same connection.

Dynamic destination translation is done automatically as part of the Server Pool feature.

Also, when NAT is applied, return address translation is needed to allow reply packets to reach the correct sender or to show the source address that the destination host expects. However, return address translation does not normally need configuration as it is applied automatically with the help of connection tracking.
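As an added illustration of the methods listed above (not code from the original page or from any firewall product), the following toy model shows dynamic source translation differentiated by port, static destination translation with port translation, and how a connection-tracking table lets return translation happen without a rule of its own. The class name, the 4-tuple state table and the addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Hypothetical NAT model with connection tracking (not a vendor implementation)."""

    def __init__(self, public_ip, dnat_rules, private_prefix="10."):
        self.public_ip = public_ip        # single routable address hiding the internal network
        self.dnat_rules = dnat_rules      # (published ip, port) -> (internal ip, port)
        self.private_prefix = private_prefix
        self.conntrack = {}               # expected reply 4-tuple -> reply 4-tuple after return translation
        self.next_port = 40000            # next free external port for dynamic source NAT

    def translate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # 1. Reply to a tracked connection: return translation comes from the tracked state, no rule needed.
        if key in self.conntrack:
            return Packet(*self.conntrack[key])
        # 2. New inbound connection to a published service: static destination NAT plus port translation.
        if (pkt.dst, pkt.dport) in self.dnat_rules:
            int_ip, int_port = self.dnat_rules[(pkt.dst, pkt.dport)]
            # The server's reply must show the published address and port the client expects.
            self.conntrack[(int_ip, int_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return Packet(pkt.src, pkt.sport, int_ip, int_port)
        # 3. New outbound connection from a private address: dynamic source NAT (many-to-one, told apart by port).
        if pkt.src.startswith(self.private_prefix):
            nport, self.next_port = self.next_port, self.next_port + 1
            # Replies arrive at public_ip:nport; the tracked state maps them back to the real sender.
            self.conntrack[(pkt.dst, pkt.dport, self.public_ip, nport)] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return Packet(self.public_ip, nport, pkt.dst, pkt.dport)
        return pkt  # no NAT rule matches: forwarded unchanged


def demo():
    """Constructed traffic: two internal hosts sharing one public address, one published web server."""
    nat = Nat("203.0.113.10", {("203.0.113.10", 80): ("10.0.0.80", 8080)})
    # Both internal hosts use source port 1234; the NAT distinguishes them by the allocated external port.
    a = nat.translate(Packet("10.0.0.5", 1234, "198.51.100.7", 443))
    b = nat.translate(Packet("10.0.0.6", 1234, "198.51.100.7", 443))
    reply_a = nat.translate(Packet("198.51.100.7", 443, a.src, a.sport))
    # An external client reaches the published HTTP port and is redirected to the server's port 8080.
    web = nat.translate(Packet("192.0.2.9", 50000, "203.0.113.10", 80))
    web_reply = nat.translate(Packet("10.0.0.80", 8080, "192.0.2.9", 50000))
    return a, b, reply_a, web, web_reply
```

Because replies are resolved from the tracked state first, a packet that would otherwise match a source or destination rule is never mistranslated, which is the mechanism behind the note above that return translation needs no configuration.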