The most common mistakes when configuring NAT and security
rules are the references to the zones and address objects. The addresses
used in destination NAT rules always refer to the original IP address
in the packet (that is, the pre-translated address). The destination
zone in the NAT rule is determined after the route lookup of the
destination IP address in the original packet (that is, the pre-NAT
destination IP address).
The addresses in the security policy also refer to the IP address
in the original packet (that is, the pre-NAT address). However,
the destination zone is the zone where the end host is physically
connected. In other words, the destination zone in the security
rule is determined after the route lookup of the post-NAT destination
In the following example of a one-to-one destination NAT mapping,
users from the zone named Untrust-L3 access the server 10.1.1.100
in the zone named DMZ using the IP address 192.0.2.100.
Before configuring the NAT rules, consider the sequence of events
for this scenario.
Host 192.0.2.250 sends an ARP
request for the address 192.0.2.100 (the public address of the destination
The firewall receives the ARP request packet for destination
192.0.2.100 on the Ethernet1/1 interface and processes the request.
The firewall responds to the ARP request with its own MAC address
because of the destination NAT rule configured.
The NAT rules are evaluated for a match. For the destination
IP address to be translated, a destination NAT rule from zone Untrust-L3
to zone Untrust-L3 must be created to translate the destination
IP of 192.0.2.100 to 10.1.1.100.
After determining the translated address, the firewall performs
a route lookup for destination 10.1.1.100 to determine the egress
interface. In this example, the egress interface is Ethernet1/2
in zone DMZ.
The firewall performs a security policy lookup to see if
the traffic is permitted from zone Untrust-L3 to DMZ.
direction of the policy matches the ingress zone and the zone where
the server is physically located.
policy refers to the IP address in the original packet, which has
a destination address of 192.0.2.100.
The firewall forwards the packet to the server out egress
interface Ethernet1/2. The destination address is changed to 10.1.1.100
as the packet leaves the firewall.
For this example, address objects are configured for webserver-private
(10.1.1.100) and Webserver-public (192.0.2.100). The configured
NAT rule would look like this:
The direction of the NAT rules is based on the result of route
The configured security policy to provide access to the server
from the Untrust-L3 zone would look like this: