Skip to content

Add a NAT rule

You can create NAT rules to modify the IP addresses and ports for traffic flowing between networks, generally between a trusted and an untrusted network.

You can specify source NAT rules for traffic originating from the specified source address and destination NAT rules for traffic to the specified destination address. You can also specify loopback policies to translate traffic from internal sources to internal servers.

To create a source NAT (SNAT) rule, specify the original and translated sources and the inbound and outbound interfaces.

To create a destination NAT (DNAT) rule, specify the original and translated destinations and services, and the inbound and outbound interfaces. You can enforce load balancing and failover for internal servers using DNAT rules. You must specify the Health check settings if you want the firewall to determine whether a server is available.

  1. Go to Rules and policies > NAT rules, select IPv4 or IPv6 and click Add NAT rule.
    The rule is turned on by default.
  2. Enter the rule details.

    Name Description
    Rule name Enter a name.
    Rule position

    Specify the position of the rule in the rule table:

    • Top
    • Bottom
    Sophos Firewall evaluates rules in the listed order until it finds a match and doesn’t evaluate subsequent rules. To change the order of the rules later, you can drag and drop the rule in the rule table.
  3. Specify the translation settings for source, destination, services, and interfaces to match traffic flowing through interfaces and VPN tunnels.

    Original source, destination, and service are the pre-NAT entities of traffic when it enters Sophos Firewall. Translated source, destination, and services are the post-NAT entities of traffic when it exits Sophos Firewall. You can select the original source, destination, and services or create new ones.

    Name Description
    Original source Specify the pre-NAT source objects of outgoing traffic. To create an inbound NAT rule when the inbound IP address is unknown, select Any.
    Translated source (SNAT)

    IP addresses of the original source objects are translated to the IP addresses that you specify. Use this to perform source NAT (SNAT) for outgoing traffic.

    To masquerade traffic, select MASQ. By default, masquerading translates the original IP address to the outbound interface IP address. However, for route-based VPNs configured with Any for the local and remote subnets or IP version set to Dual, the firewall translates the original source to the XFRM IP address for the translated source set to MASQ.

    To create an inbound NAT rule, select Original.

    Original destination Specify the pre-NAT destination objects of incoming traffic. To create an outbound NAT rule, select Any.
    Translated destination (DNAT) IP addresses of the destination objects are translated to the IP addresses or FQDN that you specify. To create an outbound NAT rule, select Original.
    Original service Specify the pre-NAT services. Services are a combination of protocols and ports. To create an outbound NAT rule, this is generally set to Any.
    Translated service (PAT) Original services are translated to the services that you specify. Use this for port address translation (PAT). If you've specified more than one original service or set it to Any, set the translated service to Original.

    The translated protocol must match the original protocol. You can translate original service ports to a single or equal number of translated service ports.

    You can use this to port forward traffic to internal servers, for example, specify TCP port 443 to forward incoming HTTPS traffic to an internal web server.
    Inbound interface Select the interfaces through which traffic specified in this rule enters Sophos Firewall.

    For destination NAT, you can specify Any.

    For VPNs, set this interface to Any, since VPNs are not interfaces.
    Outbound interface Select the interfaces from which traffic specified in this rule exits Sophos Firewall.

    For VPNs and for destination NAT rules that translate public IP addresses to private IP addresses, set this interface to Any.
  4. Select Override source translation for specific outbound interfaces to apply interface-specific source translation. This option applies only to source NAT rules.

    1. Select an option in Outbound interface and Translated source (SNAT). To specify more than one, select Expand Expand button..
  5. Select Create loopback rule to allow internal hosts to access other internal hosts, for example, servers.

  6. Select Create reflexive rule to create a mirror rule that reverses the matching criteria of the rule from which it’s created.


    You can create loopback and reflexive rules for destination NAT rules. They are created, using the original NAT rule ID and name. Changing the original NAT rule settings later doesn’t change loopback and reflexive rule settings.

  7. Select a Load balancing method from the following options to send requests to the internal hosts (translated destination):

    • Round robin: Sends requests to each server sequentially.
    • First alive: Sends requests to the first available server.
    • Random: Sends requests to the servers randomly.
    • Sticky IP: Sends the request to a server based on the source and original destination IP address hash. The source-destination mapping allows the firewall to send requests to the same server, maintaining session persistence.
    • One-to-one: Performs one-to-one mapping of the original and translated destination IP addresses in the listed order and sends requests according to this mapping. To save the rule, make sure the original and translated destinations have an equal number of IP addresses.

    See Load balancing and failover.


    You must select Health check and specify the settings if you want the firewall to determine whether a server is available.

    If you don't select the health check settings, the firewall considers all servers available and can send traffic to an unavailable server, resulting in packet drops.

  8. Select Health check to send requests only to the live servers and enforce server failover. Specify the probe interval, response time-out, and the number of retries after which to deactivate the host.

    Health check is enforced by default for First alive NAT method.

    1. Select the probe method. You can select ICMP (ping) or TCP protocols.
    2. Enter the port over which to check.
    3. Specify the probe interval. It’s the interval between health checks.
    4. Specify the response time-out. The server must respond within this time period to be considered alive.
    5. For Deactivate host after, specify the number of retries.
  9. Click Save.

More resources