A network address translation (NAT) policy rule allows you to translate private, nonroutable IPv4 addresses to one or more globally routable IPv4 addresses to conserve your organization’s routable IP addresses. NAT allows you not to disclose the real IP addresses of hosts who need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.

At a minimum, You configure a NAT policy rule to match a packet’s source zone and destination zone. In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet isn’t subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them. Static NAT policy rules don’t have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT policy rules must be above all other NAT policy rules in the list on the firewall.

NAT policy rules provide address translation, and are different from Security policy rules, which allow or deny packets. It’s important to understand the firewall’s flow logic when it applies NAT rules and Security policy rules. This allows you to determine what rules you need, based on the zones you’ve defined. Security policy rules are required to allow NAT traffic.

Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT policy rules that have been defined, based on source and destination zone. It then evaluates and applies any Security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT policy rule, the firewall translates the source and destination address and port numbers. Keep in mind that the translations of the IP address and port don’t occur until the packet leaves the firewall. The NAT policy rules and Security policy rules apply to the original IP address (the pre-NAT address). A NAT policy rule is configured based on the zone associated with a pre-NAT IP address.