Create a source NAT rule
This example shows how to create a source NAT rule to translate outgoing traffic from the LAN zone.
Objectives
When you complete this unit, you'll know how to do the following:
- Create a source NAT rule to translate outgoing traffic from the LAN.
- Create a firewall rule to allow outgoing traffic from LAN to WAN zone.
SNAT network diagram
Source NAT is typically used to translate outgoing traffic from the internal network to external resources on the internet. The private source IP address is replaced with a public one, so internal addresses aren't exposed to the internet. The following network information is illustrative:
- Pre-NAT IP address of LAN users: 10.145.16.10/24
- Post-NAT IP address of LAN users: MASQ (IP address of the applicable outbound interface)
Here's an example:
- Source NAT from the internal network to WAN: Network LAN (10.145.16.0/24) to Any
- Firewall rule to allow traffic from LAN zone to WAN: LAN to Any
Specify the NAT rule settings
- Go to Rules and policies > NAT rules, select IPv4 or IPv6 and click Add NAT rule.
- Specify the rule name and rule position.
- Select the translation settings for outgoing traffic:
  Original source: Network_LAN
  Translated source (SNAT): MASQ
  Original destination: Any
  Translated destination (DNAT): Original
  Original service: Any
  Translated service (PAT): Original
  Inbound interface: Port3
  Outbound interface: Port1
- Click Save.
The following image shows an example of how to configure the settings:
Create a firewall rule to allow traffic that matches the source NAT rule.
Specify firewall rule settings for SNAT traffic
- Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
- Specify the rule name and rule position.
- Specify the source, destination, and services as follows:
  Source zones: LAN
  Source networks and devices: Network LAN
  Destination zones: WAN
  Destination networks: Any
  Services: Any
- Specify the security settings and click Save.
You created a firewall rule to allow traffic from the LAN zone to external networks.
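As an added illustration (not part of this page and not Sophos Firewall's own code), the following Python models how the two rules above act on a packet: the SNAT rule rewrites the source to the outbound interface address (MASQ) while destination and service stay Original, and only the separate firewall rule permits the flow. The interface addresses and zone assignments are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed interface addressing (assumed, not from the page); Port3 is the
# LAN-side interface and Port1 the WAN-side interface named in the rules.
INTERFACE_IP = {"Port1": "203.0.113.5", "Port3": "10.145.16.1"}
ZONE = {"Port1": "WAN", "Port3": "LAN"}
NETWORK_LAN = ip_network("10.145.16.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str

def snat_rule_matches(p: Packet) -> bool:
    """Original source Network_LAN, inbound Port3, outbound Port1.
    Original destination and original service are Any, so not checked."""
    return (ip_address(p.src) in NETWORK_LAN
            and p.in_if == "Port3" and p.out_if == "Port1")

def apply_snat(p: Packet) -> Packet:
    """Translated source MASQ: the source becomes the outbound interface's
    address. Destination and service stay 'Original' (no DNAT, no PAT)."""
    if not snat_rule_matches(p):
        return p
    return replace(p, src=INTERFACE_IP[p.out_if])

def lan_to_wan_rule(p: Packet) -> bool:
    """Firewall rule: source zone LAN and Network LAN, destination zone WAN,
    destination networks Any, services Any. Matched on the pre-NAT source."""
    return (ZONE[p.in_if] == "LAN" and ip_address(p.src) in NETWORK_LAN
            and ZONE[p.out_if] == "WAN")

def forward(p: Packet, firewall_rules) -> Optional[Packet]:
    """Return the packet as it leaves Port1, or None if no firewall rule
    allows it. A NAT rule by itself never permits traffic, which is why the
    LAN-to-WAN firewall rule is created alongside the SNAT rule."""
    if not any(rule(p) for rule in firewall_rules):
        return None
    return apply_snat(p)

if __name__ == "__main__":
    lan_user = Packet("10.145.16.10", "198.51.100.20", 443, "Port3", "Port1")
    print(forward(lan_user, [lan_to_wan_rule]))  # src becomes 203.0.113.5
    print(forward(lan_user, []))                 # None: no firewall rule
```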