Destination NAT

Destination NAT is performed on incoming packets when the firewall translates a destination address to a different destination address; for example, it translates a public destination address to a private destination address. Destination NAT also offers the option to perform port forwarding or port translation.
Destination NAT is a one-to-one, static translation that you can configure in several formats. The original packet's destination can be a single IP address, a range of IP addresses, or a list of single IP addresses, as long as the translated destination uses the same format and specifies the same number of IP addresses. The firewall always translates a given original destination address to the same translated destination address. When more than one destination address is configured, the mapping is positional: the first original destination address maps to the first translated destination address, the second original address to the second translated address, and so on, and each of these mappings is fixed.
For example, the firewall allows the following destination NAT translations:
Original Packet’s Destination Address | Maps to Translated Packet’s Destination Address | Notes
192.168.1.1 | 2.2.2.2 | Original packet and translated packet each have one possible destination address.
192.168.1.1-192.168.1.4 | 2.2.2.1-2.2.2.4 | Original packet and translated packet each have four possible destination addresses: 192.168.1.1 always maps to 2.2.2.1, 192.168.1.2 always maps to 2.2.2.2, 192.168.1.3 always maps to 2.2.2.3, 192.168.1.4 always maps to 2.2.2.4.
192.168.1.7, 192.168.1.4, 192.168.1.253, 192.168.1.1 | 2.2.2.1, 2.2.2.2, 2.2.2.3, 2.2.2.4 | Original packet and translated packet each have four possible destination addresses: 192.168.1.7 always maps to 2.2.2.1, 192.168.1.4 always maps to 2.2.2.2, 192.168.1.253 always maps to 2.2.2.3, 192.168.1.1 always maps to 2.2.2.4.
192.168.1.1/30 | 2.2.2.1/30 | Original packet and translated packet each have four possible destination addresses: 192.168.1.1 always maps to 2.2.2.1, 192.168.1.2 always maps to 2.2.2.2, 192.168.1.3 always maps to 2.2.2.3, 192.168.1.4 always maps to 2.2.2.4.
One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
  • Port Forwarding—Can translate a public destination address and port number to a private destination address, but keeps the same port number.
  • Port Translation—Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
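The following is an added example, not code from this page or from the firewall, that models the two behaviours described above: the positional one-to-one mapping of the static translation table (single address, range, or list of addresses) and a set of rules that share one public destination address and pick the private host by destination port, using port forwarding for one rule and port translation for the others. The addresses, ports and rule names are constructed for illustration; prefix notation (e.g. 192.168.1.1/30) is accepted by the firewall but is not modelled here, and rule evaluation is assumed to be top-down with the first matching rule winning.

```python
"""Added example (not from the page or the firewall's own code): a small model
of destination NAT rules.

- static one-to-one mapping for single / range / list address formats
- port forwarding (same port) and port translation (different port)

Addresses, ports and rule names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def expand(spec: str) -> List[IPv4Address]:
    """Expand an original/translated address specification into an ordered
    list. Accepts a single address ("192.168.1.1"), a range
    ("192.168.1.1-192.168.1.4") or a comma-separated list of addresses.
    Prefix notation is allowed on the firewall but is not modelled here."""
    spec = spec.strip()
    if "," in spec:
        return [IPv4Address(a.strip()) for a in spec.split(",")]
    if "-" in spec:
        lo, hi = (IPv4Address(a.strip()) for a in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end {hi} precedes start {lo}")
        return [IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]
    return [IPv4Address(spec)]


def static_map(original: str, translated: str) -> Dict[str, str]:
    """Build the positional one-to-one table: the i-th original address always
    maps to the i-th translated address. Specifications of unequal size are
    rejected, since the page requires the same number of addresses on both
    sides."""
    src, dst = expand(original), expand(translated)
    if len(src) != len(dst):
        raise ValueError(f"{len(src)} original vs {len(dst)} translated addresses")
    return {str(s): str(d) for s, d in zip(src, dst)}


@dataclass(frozen=True)
class DnatRule:
    name: str
    original_dst: str                      # public destination address(es)
    original_port: int                     # destination port the rule matches
    translated_dst: str                    # private destination address(es)
    translated_port: Optional[int] = None  # None = port forwarding (keep port)


def apply_dnat(rules: List[DnatRule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Evaluate rules top-down, first match wins (assumed ordering).
    Returns the (private address, port) the packet is rewritten to, or None
    when no destination NAT rule matches."""
    key = str(IPv4Address(dst_ip))
    for r in rules:
        table = static_map(r.original_dst, r.translated_dst)
        if key in table and dst_port == r.original_port:
            # Port forwarding keeps the original port; port translation
            # substitutes the configured Translated Port.
            new_port = r.translated_port if r.translated_port is not None else dst_port
            return table[key], new_port
    return None


# Constructed rule set: one public address, three private servers,
# distinguished by the destination port of the original packet.
RULES = [
    DnatRule("web-forward", "2.2.2.2", 80, "192.168.1.10"),           # port forwarding
    DnatRule("tls-translate", "2.2.2.2", 443, "192.168.1.11", 8443),  # port translation
    DnatRule("ssh-translate", "2.2.2.2", 2222, "192.168.1.12", 22),   # real port 22 stays private
]

if __name__ == "__main__":
    for ip, port in [("2.2.2.2", 80), ("2.2.2.2", 443), ("2.2.2.2", 2222), ("2.2.2.2", 25)]:
        print(f"{ip}:{port} -> {apply_dnat(RULES, ip, port)}")
```

Port translation keeps the server's real listening port out of sight from the outside, but it is not an access control: the rewritten packet still has to be permitted by security policy, so the NAT rule and the matching security rule should be reviewed together.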
