Create DNAT and firewall rules for internal servers

The example shows how to create a many-to-many destination NAT rule to translate incoming traffic to internal servers. It also shows how to create firewall rules to allow the traffic.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Create a destination NAT rule to translate traffic from external sources to the internal servers.
  • Specify a loopback NAT rule to translate traffic from internal sources to the internal servers.
  • Specify a reflexive NAT rule to translate traffic from the servers. This is a source NAT rule for the internal servers.
  • Load balance traffic among the internal servers.

DNAT network diagram

Destination NAT is typically used to translate incoming traffic that reaches the WAN IP addresses. The following network information is illustrative:

  • Pre-NAT IP address of web servers: 11.8.9.28
  • Post-NAT IP addresses of web servers: 10.145.15.42, 10.145.15.114


In this example, you specify the following:

  • Destination NAT from external source to internal web servers with port translation: Any to Web server public IP address (11.8.9.28) translated to Web server internal IP list (10.145.15.42, 10.145.15.114) with port translation from TCP 8888 to TCP 4444.
  • Loopback rule to translate traffic from internal source to internal web servers: Network LAN (10.145.16.10/24) to Web server public IP address (11.8.9.28) translated to Web server internal IP list (10.145.15.42, 10.145.15.114) with port translation from TCP 8888 to TCP 4444.
  • Reflexive rule to translate traffic from the web server to external and internal destinations: Web server internal IP list (10.145.15.42, 10.145.15.114) to Any.
  • Load balancing method for the web servers.
  • Firewall rule to allow traffic from external networks to the internal web servers in DMZ.
  • Firewall rule to allow traffic from an internal network to the internal web servers.
  • Firewall rule to allow traffic from the internal web servers to any network.

Specify the NAT rule settings

  1. Go to Rules and policies > NAT rules. Select IPv4 or IPv6 and then select Add NAT rule.
  2. Specify the rule name and rule position.
  3. In this example, specify the translation settings for incoming traffic to the web servers:

    Name:
    Description:
    Original source:                Any
    Translated source (SNAT):       Original
    Original destination:           Webserver_PublicIPAddress
    Translated destination (DNAT):  Webserver_InternalIPAddressList
    Original service:               TCP port 8888 (select Create new and set the Destination port to 8888)
    Translated service (PAT):       TCP port 4444 (select Create new and set the Destination port to 4444)
    Inbound interface:              Any (alternatively, you can specify Port1 in this example)
    Outbound interface:             Any

  4. Select Create loopback rule to translate traffic from internal users to the internal web servers.
  5. Select Create reflexive rule to create a source NAT rule that translates traffic from the web servers.
  6. Set Load balancing method to Round-robin to load balance traffic between the web servers in this example.
  7. Click Save.

    (Image: DNAT rule for webserver, showing an example of how to configure the settings.)

Create firewall rules to allow traffic that matches the destination NAT rule, loopback rule, and reflexive NAT rule.

Specify firewall rule settings for the DNAT rule

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and rule position.
  3. Specify the source, destination, and services as follows:

    Name:
    Description:
    Source zones:                   WAN
    Source networks and devices:    Any
    Destination zones:              DMZ
    Destination networks:           Webserver_PublicIPAddress
    Services:                       TCP port 8888, TCP port 4444

  4. Specify the security settings and click Save.

    (Image: Firewall rule inbound webserver, showing an example of how to configure the settings.)

You created a firewall rule to allow traffic from external sources to the internal web servers.

Specify firewall rule settings for the loopback rule

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and rule position.
  3. Specify the source, destination, and services as follows:

    Name:
    Description:
    Source zones:                   LAN
    Source networks and devices:    Network_LAN
    Destination zones:              DMZ
    Destination networks:           Webserver_PublicIPAddress
    Services:                       TCP port 8888, TCP port 4444

  4. Specify the security settings and click Save.

    (Image: Firewall rule LAN to webserver, showing an example of how to configure the settings.)

You created a firewall rule to allow traffic from the internal network to the internal web servers.

Specify firewall rule settings for the reflexive NAT rule

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and rule position.
  3. Specify the source, destination, and services as follows:

    Name:
    Description:
    Source zones:                   DMZ
    Source networks and devices:    Webserver_InternalIPAddressList
    Destination zones:              Any
    Destination networks:           Any
    Services:                       TCP port 8888, TCP port 4444

  4. Specify the security settings and click Save.

    (Image: Firewall rule outbound webserver traffic, showing an example of how to configure the settings.)

You created a firewall rule to allow traffic from the internal web servers to internal and external networks.
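As an added example (not Sophos code and not part of the original page), the following Python model walks a packet through the DNAT, loopback and reflexive NAT rules with round-robin load balancing, then checks it against the three firewall rules configured above. It assumes zones are derived from address (DMZ for the server list, LAN for Network_LAN, WAN otherwise) and that firewall rules match the original destination address but the post-NAT destination zone, as the rule tables imply; the external source addresses are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
# Constructed model of the page's addressing. Deriving zones from addresses
# and the firewall matching order are assumptions made for this example.
WEB_PUBLIC = ip_address("11.8.9.28")
WEB_INTERNAL = [ip_address("10.145.15.42"), ip_address("10.145.15.114")]
NETWORK_LAN = ip_network("10.145.16.10/24", strict=False)  # the page's Network_LAN object
WEB_PORTS = {8888, 4444}  # services listed in all three firewall rules

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def zone_of(ip):
    """Assumed zone lookup: DMZ for the server list, LAN for Network_LAN, else WAN."""
    ip = ip_address(ip)
    if ip in WEB_INTERNAL:
        return "DMZ"
    return "LAN" if ip in NETWORK_LAN else "WAN"

class NatTable:
    """The page's DNAT, loopback and reflexive rules with round-robin load balancing."""
    def __init__(self):
        self.next_server = 0
    def translate(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if dst == WEB_PUBLIC and pkt.dport == 8888:      # DNAT / loopback rule
            server = WEB_INTERNAL[self.next_server % len(WEB_INTERNAL)]
            self.next_server += 1
            rule = "loopback" if src in NETWORK_LAN else "dnat"
            return rule, replace(pkt, dst=str(server), dport=4444)  # PAT 8888 -> 4444
        if src in WEB_INTERNAL:                           # reflexive (source NAT) rule
            return "reflexive", replace(pkt, src=str(WEB_PUBLIC))
        return None, pkt

FIREWALL_RULES = [  # (source zone, destination zone, source match, destination match)
    ("WAN", "DMZ", lambda s: True, lambda d: d == WEB_PUBLIC),
    ("LAN", "DMZ", lambda s: s in NETWORK_LAN, lambda d: d == WEB_PUBLIC),
    ("DMZ", "ANY", lambda s: s in WEB_INTERNAL, lambda d: True),
]

def firewall_allows(pkt, translated):
    """Match on the original destination address but the post-NAT destination zone,
    which is why the inbound rules name the public IP with destination zone DMZ."""
    if pkt.dport not in WEB_PORTS:
        return False
    src, orig_dst = ip_address(pkt.src), ip_address(pkt.dst)
    src_zone, dst_zone = zone_of(pkt.src), zone_of(translated.dst)
    return any(sz == src_zone and dz in ("ANY", dst_zone) and sm(src) and dm(orig_dst)
               for sz, dz, sm, dm in FIREWALL_RULES)
```

A packet sent from the WAN straight to an internal server address is left untranslated and matches none of the three rules, which shows that only the public IP and TCP 8888 are exposed.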