Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
End-of-Life (EoL)

When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. In this example, you create a static NAT rule that translates the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.
  1. Create an address object for the web server’s internal IP address.
    1. Select Objects > Addresses and Add a Name and optional Description for the object.
    2. Select IP Netmask from the Type list and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
    3. Click OK.
      If you did not already create an address object for the public address of your web server, you should create that object now.
  2. Create the NAT policy.
    1. Select Policies > NAT and click Add.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone list.
    4. In the Source Address section, Add the address object you created for your internal web server address.
    5. On the Translated Packet tab, select Static IP from the Translation Type list in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address list.
    6. In the Bi-directional field, select Yes.
    7. Click OK.
  3. Commit.
    Click Commit.
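
The following is an added example, not code from the original page or from the vendor: a small Python model of what the rule configured above does to packets in each direction, and what happens to inbound traffic when Bi-directional is left off. The `Packet` and `StaticNatRule` names and the client address 198.51.100.7 are assumptions made for illustration; zone matching and security policy evaluation are deliberately left out.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class StaticNatRule:
    original: str            # private address of the server on the DMZ
    translated: str          # public address presented to the Internet
    bidirectional: bool = True

    def translate(self, pkt: Packet) -> Packet:
        # Egress: static source NAT, private -> public. Ports are untouched
        # because a static mapping is one-to-one.
        if ip_address(pkt.src) == ip_address(self.original):
            return replace(pkt, src=self.translated)
        # Ingress: reciprocal destination NAT, public -> private. Applied
        # only when the rule is bi-directional.
        if self.bidirectional and ip_address(pkt.dst) == ip_address(self.translated):
            return replace(pkt, dst=self.original)
        return pkt  # no match: packet is left as-is


# Constructed sample traffic; 198.51.100.7 is a made-up Internet client.
OUTBOUND = Packet("10.1.1.11", "198.51.100.7", 443, 51000)
INBOUND = Packet("198.51.100.7", "203.0.113.11", 51000, 443)


def demo():
    two_way = StaticNatRule("10.1.1.11", "203.0.113.11", bidirectional=True)
    one_way = StaticNatRule("10.1.1.11", "203.0.113.11", bidirectional=False)
    return {
        "egress": two_way.translate(OUTBOUND),
        "ingress_two_way": two_way.translate(INBOUND),
        "ingress_one_way": one_way.translate(INBOUND),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

In the one-way case the inbound packet keeps 203.0.113.11 as its destination, which is why a separate reciprocal rule would otherwise be needed to reach the DMZ host.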
