Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are both special cases of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten, while with its counterpart DNAT, the destination addresses of data packets are rewritten. DNAT is especially useful when your internal network uses private IP addresses, but you want to make some services available to the outside.
This is best demonstrated with an example. Suppose your internal network uses the address space 192.168.0.0/255.255.255.0 and a webserver running at IP address 192.168.0.20 port 80 should be available to Internet-based clients. Because the 192.168. address space is private, the Internet-based clients cannot send packets directly to the webserver. It is, however, possible for them to communicate with the external (public) address of Sophos UTM on AWS. DNAT can, in this case, take packets addressed to port 80 of the system’s address and forward them to the internal webserver.
Note – PPTP VPN Access is incompatible with DNAT.
In contrast to masquerading, which always maps to the primary network interface address, SNAT maps the source address to the address specified in the SNAT rule.
1:1 NAT is a special case of DNAT or SNAT. In this case all addresses of an entire network are being translated one-to-one into the addresses of another network having the same netmask. So the first address of the original network will be translated into the first address of the other network, the second into the second and so on. A 1:1 NAT rule can be applied to either the source or the destination address.
Note – By default, port 443 (HTTPS) is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCP port of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.
Because DNAT is done before firewalling, you must ensure that appropriate firewall rules are defined. For more information, see Network Protection > Firewall > Rules.
To define a NAT rule, proceed as follows:
On the NAT tab, click New NAT Rule.
The Add NAT Rule dialog box opens.
Make the following settings:
Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes, it does not affect rule matching. To create a new group select the << New group >> entry and enter a descriptive name in the Name field.
Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.
Rule type: Select the network address translation mode. Depending on your selection, various options will be displayed. The following modes are available:
- SNAT (source): Maps the source address of defined IP packets to one new source address. The service can be changed, too.
- DNAT (destination): Maps the destination address of defined IP packets to one new destination address. The service can be changed, too.
- 1:1 NAT (whole networks): Maps IP addresses of a network to another network one-to-one. The rule applies either for the source or for the destination address of the defined IP packets.
- Full NAT (source + destination): Maps both the source address and the destination address of defined IP packets to one new source and one new destination address. The source service and the target service can be changed, too.
- No NAT: This option can be regarded as a kind of exception rule. For example, if you have a NAT rule for a defined network you can create a No NAT rule for certain hosts inside this network. Those hosts will then be exempted from NAT.
Note – You have to add the SNAT rules before you activate the Web Filter. Sophos UTM on AWS priorities Web Filter settings higher than SNAT rules. If you select a SNAT rule while the Web Filter is activated the rule may not work. You can activate or deactivate the Web Filter on the Web Protection > Web Filtering > Global page.
Matching Condition: Add or select the source and destination network/host and the service for which you want to translate addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
- For traffic from: The original source address of the packets. This can be either a single host or an entire network, or, except for the 1:1 NAT rule type, a network range.
Using service: The original service type of the packets (consisting of source and destination ports as well as a protocol type).
Note – A traffic service can only be translated when the corresponding addresses are translated as well. In addition, a service can only be translated to another service when the two services use the same protocol.
- Going to: The original destination address of the packets. This can be either a single host or an entire network. With SNAT and No NAT, it can also be a network range.
Action: Add or select the source and/or destination and/or the service type into which you want to translate the original IP packet data. The displayed parameters depend on the selected Rule type. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
- Change the source to (only with SNAT or Full NAT mode): Select the source host, that is, the new source address of the packets.
- Change the destination to (only with DNAT or Full NAT mode): Select the destination host, that is, the new destination address of the packets.
- And the service to (only with DNAT, SNAT or Full NAT mode): Select the new service of the packets. Depending on the selected Rule type this can be the source and/or destination service.
1:1 NAT mode (only with 1:1 NAT rule type): Select one of the following modes:
- Map destination: Changes the destination address.
- Map source: Changes the source address.
Note – You need to add an entire network into the field For traffic from when you want to map the source, or into the field Going to when you want to map the destination.
- Map to (only with 1:1 NAT mode): Select the network you want to translate the original IP addresses into. Please note that the original network and the translated network must have the same netmask.
Automatic firewall rule (optional): Select this option to automatically generate firewall rules to allow the corresponding traffic passing through the firewall.
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
Rule applies to IPsec packets (only with SNAT or Full NAT mode): Select this option if you want to apply the rule to traffic which is going to be processed by IPsec. By default this option is not selected, thus IPsec traffic is excluded from source network address translation.
Log initial packets (optional): Select this option if you want to write the initializing packet of a communication to the firewall log. Whenever the NAT rule is used, you will then find a message in the firewall log saying "Connection using NAT". This option works for stateful as well as stateless protocols.
The new rule appears on the NAT list.
Enable the NAT rule.The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.