The firewall supports translation of the source address, the source port, or both, and translation of the destination address, the destination port, or both.
Source NAT
Source NAT is typically used by internal users to access the internet; the source address is translated and thereby kept private. There are three types of source NAT:
Dynamic IP and Port (DIPP) — Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool that can be an IP address, a range of addresses, a subnet, or a combination of these.
As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.
Dynamic IP — Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.
Static IP — Allows the one-to-one, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the internet.
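The following is an added, constructed model of the Dynamic IP pool behaviour described above (pool exhaustion, the Dynamic IP/Port fallback, and addresses returning to the pool when sessions end). It is illustration code written for this page, not PAN-OS code; the class and function names, the pool 203.0.113.1-203.0.113.2, the DIPP address 203.0.113.10, the starting port 1024 and the inside hosts 10.0.0.x are all assumptions chosen for the example.

```python
"""Constructed model of the Source NAT pool behaviours described on this page.

Illustration written for this page, not PAN-OS code. Dynamic IP hands each
inside host its own address from the pool and keeps the source port; once the
pool is exhausted a new session is dropped unless Dynamic IP/Port fallback is
enabled, in which case the session is translated DIPP-style to a shared address
with a fresh port. Releasing a host returns its address to the pool.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def expand_range(spec: str) -> List[str]:
    """Expand 'a.b.c.d-a.b.c.e' or a single address into an ordered address list."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return [str(ipaddress.ip_address(int(lo) + i)) for i in range(int(hi) - int(lo) + 1)]
    return [str(ipaddress.ip_address(spec))]


class SourceNat:
    """Dynamic IP source NAT with optional fallback to DIPP (hypothetical class)."""

    def __init__(self, pool: str, fallback_dipp: bool = False,
                 dipp_address: str = "203.0.113.10") -> None:
        self.free = expand_range(pool)        # pool addresses not yet allocated
        self.allocated: Dict[str, str] = {}   # inside host -> translated address
        self.fallback_dipp = fallback_dipp
        self.dipp_address = dipp_address      # constructed: e.g. the egress interface address
        self.next_port = 1024                 # constructed: next translated port for DIPP sessions

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Return (translated_ip, translated_port) for a new session, or None if dropped."""
        if src_ip in self.allocated:          # host already holds a pool address
            return self.allocated[src_ip], src_port
        if self.free:                         # Dynamic IP: next free address, port unchanged
            addr = self.free.pop(0)
            self.allocated[src_ip] = addr
            return addr, src_port
        if self.fallback_dipp:                # pool exhausted: DIPP shares one address
            port, self.next_port = self.next_port, self.next_port + 1
            return self.dipp_address, port
        return None                           # pool exhausted, fallback off: drop

    def release(self, src_ip: str) -> None:
        """All sessions of the host ended: its pool address becomes free again."""
        addr = self.allocated.pop(src_ip, None)
        if addr is not None:
            self.free.append(addr)


def simulate(fallback: bool) -> List[Optional[Tuple[str, int]]]:
    """Three inside hosts open sessions through a two-address pool (constructed input)."""
    nat = SourceNat("203.0.113.1-203.0.113.2", fallback_dipp=fallback)
    return [nat.translate(f"10.0.0.{i}", 40000 + i) for i in (1, 2, 3)]


if __name__ == "__main__":
    print(simulate(False))   # third host is dropped
    print(simulate(True))    # third host falls back to DIPP
```

With a two-address pool, the third host is dropped unless fallback is enabled; after `release()` frees an address, the next new host receives it, which is the "as sessions terminate" behaviour the text describes.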
Destination NAT
Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT also offers the option to perform port forwarding or port translation.
Destination NAT is a one-to-one, static translation that you can configure in several formats. You can specify that the original packet have a single destination IP address, a range of IP addresses, or a list of single IP addresses, as long as the translated packet is in the same format and specifies the same number of IP addresses. The firewall statically translates an original destination address to the same translated destination address each time. That is, if there is more than one destination address, the firewall translates the first destination address configured for the original packet to the first destination address configured for the translated packet, translates the second original destination address configured to the second translated destination address configured, and so on, always using the same translation.
For example, the firewall allows the following destination NAT translations:
Original Packet’s Destination Address | Maps to Translated Packet’s Destination Address | Notes
192.168.1.1 | 2.2.2.2 | Original packet and translated packet each have one possible destination address.
192.168.1.1-192.168.1.4 | 2.2.2.1-2.2.2.4 | Original packet and translated packet each have four possible destination addresses: 192.168.1.1 always maps to 2.2.2.1, 192.168.1.2 always maps to 2.2.2.2, 192.168.1.3 always maps to 2.2.2.3, and 192.168.1.4 always maps to 2.2.2.4.
192.168.1.7, 192.168.1.4, 192.168.1.253, 192.168.1.1 | 2.2.2.1, 2.2.2.2, 2.2.2.3, 2.2.2.4 | Original packet and translated packet each have four possible destination addresses: 192.168.1.7 always maps to 2.2.2.1, 192.168.1.4 always maps to 2.2.2.2, 192.168.1.253 always maps to 2.2.2.3, and 192.168.1.1 always maps to 2.2.2.4.
192.168.1.1/30 | 2.2.2.1/30 | Original packet and translated packet each have four possible destination addresses: 192.168.1.1 always maps to 2.2.2.1, 192.168.1.2 always maps to 2.2.2.2, 192.168.1.3 always maps to 2.2.2.3, and 192.168.1.4 always maps to 2.2.2.4.
One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
Port Forwarding — Can translate a public destination address and port number to a private destination address, but keeps the same port number.
Port Translation — Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
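The following is an added, constructed model of the static destination NAT mapping described in this section (single address, range, list and subnet formats with the same number of addresses on each side, n-th original address always mapping to n-th translated address) together with the port forwarding and port translation options just listed. It is illustration code written for this page, not PAN-OS code. The 192.168.1.x and 2.2.2.x addresses come from the table above; the public address 203.0.113.5, the private servers 10.1.1.10 and 10.1.1.20, the ports, the comma-separated list syntax and all class and function names are assumptions chosen for the example. The subnet form follows the page's table (the address given plus the following addresses of the block) rather than standard CIDR network enumeration.

```python
"""Constructed model of the Destination NAT mapping rules described above.

Illustration written for this page, not PAN-OS code. Original and translated
address specifications may be a single address, an 'a-b' range, a comma-separated
list of single addresses, or an address/prefix block; both must expand to the same
number of addresses, and the n-th original address always maps to the n-th
translated address. Port forwarding keeps the destination port; port translation
rewrites it to the configured translated port.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple


def expand(spec: str) -> List[str]:
    """Expand an address specification into an ordered list of IPv4 addresses."""
    addrs: List[str] = []
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:                                   # range a-b, inclusive
            lo, hi = (int(ipaddress.ip_address(p)) for p in part.split("-"))
            addrs += [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        elif "/" in part:                                 # base/prefix: the base address plus
            base, prefix = part.split("/")                # the following addresses of the
            start = int(ipaddress.ip_address(base))       # block, as in the page's table
            size = 2 ** (32 - int(prefix))
            addrs += [str(ipaddress.ip_address(start + i)) for i in range(size)]
        else:                                             # single address
            addrs.append(str(ipaddress.ip_address(part)))
    return addrs


class DestinationNatRule:
    """One static destination NAT rule with optional port forwarding or translation."""

    def __init__(self, original: str, translated: str,
                 original_port: Optional[int] = None,
                 translated_port: Optional[int] = None) -> None:
        orig, trans = expand(original), expand(translated)
        if len(orig) != len(trans):
            raise ValueError("original and translated packets must specify the same number of addresses")
        self.mapping = dict(zip(orig, trans))   # first->first, second->second, ...
        self.original_port = original_port      # None: any destination port matches
        self.translated_port = translated_port  # None: port is kept (port forwarding)

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the translated (address, port), or None if the rule does not match."""
        if dst_ip not in self.mapping:
            return None
        if self.original_port is not None and dst_port != self.original_port:
            return None
        new_port = dst_port if self.translated_port is None else self.translated_port
        return self.mapping[dst_ip], new_port


def apply_rules(rules: Sequence[DestinationNatRule], dst_ip: str,
                dst_port: int) -> Optional[Tuple[str, int]]:
    """Evaluate an ordered rulebase: the first matching rule decides the translation."""
    for rule in rules:
        hit = rule.translate(dst_ip, dst_port)
        if hit is not None:
            return hit
    return None


# Constructed rulebase: one public address fronts two private servers, chosen by port,
# plus the four-address list mapping from the table above.
RULES = [
    DestinationNatRule("203.0.113.5", "10.1.1.10", original_port=80),                         # port forwarding
    DestinationNatRule("203.0.113.5", "10.1.1.20", original_port=8443, translated_port=443),  # port translation
    DestinationNatRule("192.168.1.7, 192.168.1.4, 192.168.1.253, 192.168.1.1", "2.2.2.1-2.2.2.4"),
]

if __name__ == "__main__":
    print(apply_rules(RULES, "203.0.113.5", 80))     # ('10.1.1.10', 80)
    print(apply_rules(RULES, "203.0.113.5", 8443))   # ('10.1.1.20', 443)
    print(apply_rules(RULES, "192.168.1.253", 22))   # ('2.2.2.3', 22)
```

The count check in the constructor is the "same number of IP addresses" requirement from the text; a rule whose two sides expand to different lengths is rejected rather than silently mapping part of the range.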