How to configure NAT
You can configure Network Address Translation (NAT) for forwarded and system-generated traffic.
NAT rules for forwarded traffic
You can translate forwarded traffic, that is, traffic passing through the firewall, including port forwarding, using SNAT and DNAT rules.
- Configure linked NAT rules
- Configure SNAT
- Configure DNAT
- Translate or forward ports
- Create Port Address Translation (PAT) rule for traffic to internal servers
Overlapping subnets in site-to-site IPsec tunnels
You must use the NAT settings in IPsec configurations to translate traffic when the subnets are the same in the local and remote firewalls.
- Policy-based IPsec VPN
- Route-based VPN (Tunnel interface)
NAT for system-generated traffic and interfaces
You can translate system-generated traffic using the CLI. You can use the sys-traffic-nat command to translate the firewall interfaces and services, such as authentication and DHCP traffic.
You can also use the translation for requests to firewall services through VPN tunnels.
- Interface translation
- Use SNAT with site-to-site IPsec tunnels
- HO firewall as DHCP server and BO firewall as relay agent
- Route system-generated authentication queries through an IPsec tunnel