Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private
IP addresses assigned on the network segment where they are physically
located, you need a source NAT rule to translate the source address
of the server to the external address upon egress. You create a
static NAT rule to translate the internal source address, 10.1.1.11,
to the external web server address, 203.0.113.11, in our example.
A public-facing server must be able to both send and receive packets.
You need a reciprocal policy that translates the public address
(the destination IP address in incoming packets from Internet users)
into the private address so that the firewall can route the packet
to your DMZ network. You create a bi-directional static NAT rule,
as described in the following procedure. Bi-directional translation
is an option for static NAT only.
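
The two mappings described above, as an added example that is not part of the original page and is not the firewall's own code: a simplified, stateless per-packet model of a static NAT rule with and without the bi-directional option. The class and function names and the client address 198.51.100.25 are assumptions made for illustration; zones, session state and security policy are not modeled.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class StaticNatRule:  # hypothetical model, not a vendor API
    internal: IPv4Address       # private address configured on the server
    external: IPv4Address       # public address Internet users connect to
    bidirectional: bool = True  # also apply the reciprocal mapping

    def translate(self, pkt: Packet) -> Packet:
        # Egress: the server is the source, so rewrite the source address
        # to the public address.
        if pkt.src == self.internal:
            return replace(pkt, src=self.external)
        # Ingress: only the bi-directional option maps the public
        # destination address back to the private one.
        if self.bidirectional and pkt.dst == self.external:
            return replace(pkt, dst=self.internal)
        return pkt  # no match: packet is left untranslated


WEB_INTERNAL = ip_address("10.1.1.11")     # from the page
WEB_EXTERNAL = ip_address("203.0.113.11")  # from the page
CLIENT = ip_address("198.51.100.25")       # constructed sample client


def demo() -> dict:
    bidir = StaticNatRule(WEB_INTERNAL, WEB_EXTERNAL, bidirectional=True)
    one_way = StaticNatRule(WEB_INTERNAL, WEB_EXTERNAL, bidirectional=False)
    inbound = Packet(src=CLIENT, dst=WEB_EXTERNAL)   # Internet user to server
    outbound = Packet(src=WEB_INTERNAL, dst=CLIENT)  # server-initiated packet
    return {
        "inbound_bidir": bidir.translate(inbound),
        "outbound_bidir": bidir.translate(outbound),
        "inbound_one_way": one_way.translate(inbound),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt.src} -> {pkt.dst}")
```

In the one-way case the inbound packet keeps the destination 203.0.113.11, so nothing maps it to the server's address on the DMZ network.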
Create an address object for the web server’s
internal IP address.
for the object.
and enter the IP address of the web server on the DMZ network, 10.1.1.11
in this example.
If you did not already create an address object for
the public address of your web server, you should create
that object now.
Create the NAT policy.
tab, enter a
for the NAT rule.
select the zone you created for your DMZ in the
select the zone) and the zone you created for the external network
address object you created for your internal web server address.
list in the
Source Address Translation
and then select the address object you created for your external
web server address from the