Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are both special cases of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten, while with its counterpart DNAT, the destination addresses of data packets are rewritten. DNAT is especially useful when your internal network uses private IP addresses, but you want to make some services available to the outside.

This is best demonstrated with an example. Suppose your internal network uses the address space and a webserver running at IP address port 80 should be available to Internet-based clients. Because the 192.168. address space is private, the Internet-based clients cannot send packets directly to the webserver. It is, however, possible for them to communicate with the external (public) address of Sophos UTM. DNAT can, in this case, take packets addressed to port 80 of the system’s address and forward them to the internal webserver.

Note – PPTP VPN Access is incompatible with DNAT.

In contrast to masquerading, which always maps to the primary network interface address, SNAT maps the source address to the address specified in the SNAT rule.

1:1 NAT is a special case of DNAT or SNAT. In this case all addresses of an entire network are being translated one-to-one into the addresses of another network having the same netmask. So the first address of the original network will be translated into the first address of the other network, the second into the second and so on. A 1:1 NAT rule can be applied to either the source or the destination address.

Note – By default, port 443 (HTTPSClosed) is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCPClosed port of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.

Because DNAT is done before firewalling, you must ensure that appropriate firewall rules are defined. For more information, see Network Protection > Firewall > Rules.

To define a NAT rule, proceed as follows:

  1. On the NAT tab, click New NAT Rule.

    The Add NAT Rule dialog box opens.

  2. Make the following settings:

    Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes, it does not affect rule matching. To create a new group select the << New group >> entry and enter a descriptive name in the Name field.

    Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

    Rule type: Select the network address translation mode. Depending on your selection, various options will be displayed. The following modes are available:

    Matching Condition: Add or select the source and destination network/host and the service for which you want to translate addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

    Action: Add or select the source and/or destination and/or the service type into which you want to translate the original IP packet data. The displayed parameters depend on the selected Rule type. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

    Automatic firewall rule (optional): Select this option to automatically generate firewall rules to allow the corresponding traffic passing through the firewall.

    Comment (optional): Add a description or other information.

  3. Optionally, make the following advanced settings:

    Rule applies to IPsec packets (only with SNAT or Full NAT mode): Select this option if you want to apply the rule to traffic which is going to be processed by IPsec. By default this option is not selected, thus IPsec traffic is excluded from source network address translation.

    Log initial packets (optional): Select this option if you want to write the initializing packet of a communication to the firewall log. Whenever the NAT rule is used, you will then find a message in the firewall log saying "Connection using NAT". This option works for stateful as well as stateless protocols.

  4. Click Save.

    The new rule appears on the NAT list.

  5. Enable the NAT rule.

    The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
To either edit or delete a rule, click the corresponding buttons.
© 2019 Sophos LimitedSophos UTM 9.600