Configure Policy-Based Dynamic NAT
In policy-based dynamic NAT, the Firebox maps private IP addresses to public IP addresses. Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless you previously disabled it.
For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties dialog box to make sure the policy is configured to allow traffic out through only one Firebox interface.
1-to-1 NAT rules have higher precedence than dynamic NAT rules. Policy-based dynamic NAT has higher precedence than network dynamic NAT.
In Fireware v12.2 or higher, you can specify the primary or secondary IP address of the loopback interface in the dynamic NAT settings for a policy. You might do this if you have a provider-independent block of IP addresses, and you want to use these addresses without binding them to a specific external interface. You can use provider-independent IP addresses for NAT and Firebox-generated traffic. Firebox-generated traffic is traffic that the Firebox itself originates.
For more information about Firebox-generated traffic, go to About Policies for Firebox-Generated Traffic.
- Select Firewall > Firewall Policies.
  The Firewall Policies list appears.
- Select a policy.
- From the Action drop-down list, select Edit Policy.
- Click the Advanced tab.
- Select the Dynamic NAT check box.
- If you want to use the dynamic NAT rules set for the Firebox, select Use Network NAT Settings.
  This is the default setting.
- If you want to apply dynamic NAT to all traffic in this policy, select All traffic in this policy.
If you select All traffic in this policy, the Firebox changes the source IP address for each packet handled by this policy to the primary IP address of the interface from which the packet is sent, or the source IP address configured in the network dynamic NAT settings. You can optionally set a different dynamic NAT source IP address for traffic handled by this policy.
To set the source IP address in the policy:
- Select the Set source IP check box.
- In the adjacent text box, type the source IP address to use for traffic handled by this policy. This source address must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic. In Fireware v12.2 or higher, you can specify a source address that is on the same subnet as the primary or secondary IP address of the loopback interface.
When you select a source IP address, any traffic that uses this policy shows the specified address from your public or external IP address range as the source. This is most often used to force outgoing SMTP traffic to show the MX record address for your domain when the IP address on the Firebox external interface is not the same as your MX record IP address.
We recommend that you do not use the Set source IP option if you have more than one external interface configured on your Firebox. If you use the Set source IP option in a policy, do not enable policy-based routing with failover in the policy settings.
For more information about dynamic NAT source IP addressing options, see About Dynamic NAT Source IP Addresses.
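The NAT precedence stated above (1-to-1 NAT over policy-based dynamic NAT over network dynamic NAT) and the subnet rule for a Set source IP address, modelled as a small Python decision function. This is an added illustration, not WatchGuard code and not the Firebox's actual implementation; the interface names, address blocks, the `Interface` and `PolicyNat` classes, and the sample rules are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    """A Firebox interface with its primary and secondary addresses in CIDR form (constructed model)."""
    name: str
    primary: str                                   # e.g. "203.0.113.2/24"
    secondary: List[str] = field(default_factory=list)

    def networks(self):
        return [ip_interface(a).network for a in [self.primary, *self.secondary]]

    def primary_ip(self) -> str:
        return str(ip_interface(self.primary).ip)


@dataclass
class PolicyNat:
    """Dynamic NAT settings on a policy's Advanced tab (constructed model)."""
    dynamic_nat: bool = True             # "Dynamic NAT" check box, on by default
    use_network_settings: bool = True    # "Use Network NAT Settings" (default) vs "All traffic in this policy"
    set_source_ip: Optional[str] = None  # "Set source IP", used with "All traffic in this policy"


def set_source_ip_is_valid(addr: str, egress: Interface,
                           loopback: Optional[Interface] = None) -> bool:
    """A Set source IP address must be on the same subnet as the primary or a
    secondary IP of the outgoing interface, or (Fireware v12.2 or higher) of the
    loopback interface when one is passed in."""
    ip = ip_address(addr)
    nets = egress.networks() + (loopback.networks() if loopback else [])
    return any(ip in net for net in nets)


def translate_source(src: str, egress: Interface, policy: PolicyNat,
                     one_to_one: Dict[str, str],
                     network_dnat: List[Tuple[str, Optional[str]]],
                     loopback: Optional[Interface] = None) -> str:
    """Return the source address a packet leaves `egress` with, applying the
    precedence the page states: 1-to-1 NAT, then policy-based dynamic NAT,
    then network dynamic NAT."""
    # 1. 1-to-1 NAT rules have higher precedence than any dynamic NAT rule.
    if src in one_to_one:
        return one_to_one[src]
    # 2. Dynamic NAT cleared on the policy: the private source address is kept.
    if not policy.dynamic_nat:
        return src
    # 3. "All traffic in this policy": policy-based dynamic NAT. Use the explicit
    #    Set source IP if configured (after checking it is on a permitted subnet).
    if not policy.use_network_settings:
        if policy.set_source_ip:
            if not set_source_ip_is_valid(policy.set_source_ip, egress, loopback):
                raise ValueError(f"Set source IP {policy.set_source_ip} is not on a "
                                 f"subnet of interface {egress.name}")
            return policy.set_source_ip
        # No Set source IP: the source IP configured in the network dynamic NAT
        # settings when a matching rule has one, otherwise the egress primary IP.
        for cidr, source_ip in network_dnat:
            if source_ip and ip_address(src) in ip_network(cidr):
                return source_ip
        return egress.primary_ip()
    # 4. "Use Network NAT Settings": the first matching network dynamic NAT rule
    #    decides; unmatched traffic is not translated.
    for cidr, source_ip in network_dnat:
        if ip_address(src) in ip_network(cidr):
            return source_ip or egress.primary_ip()
    return src


# Constructed sample configuration; none of these values come from a real Firebox.
EXTERNAL = Interface("External", "203.0.113.2/24", ["198.51.100.10/24"])
LOOPBACK = Interface("Loopback", "192.0.2.1/24")   # provider-independent block
ONE_TO_ONE = {"10.0.1.25": "203.0.113.25"}         # one 1-to-1 NAT mapping
NETWORK_DNAT = [("10.0.0.0/8", None)]              # network dynamic NAT rule, no source override
SMTP_POLICY = PolicyNat(use_network_settings=False, set_source_ip="203.0.113.50")  # MX address

if __name__ == "__main__":
    for src, pol in [("10.0.1.25", PolicyNat()), ("10.0.1.30", PolicyNat()),
                     ("10.0.1.30", SMTP_POLICY), ("10.0.1.30", PolicyNat(dynamic_nat=False))]:
        print(src, "->", translate_source(src, EXTERNAL, pol, ONE_TO_ONE, NETWORK_DNAT))
```

Running the script shows the 1-to-1 mapping winning for 10.0.1.25 regardless of policy settings, the default policy rewriting 10.0.1.30 to the external primary address, the SMTP policy rewriting it to the configured MX address, and a policy with Dynamic NAT cleared leaving the private address untouched. Passing `LOOPBACK` as the optional last argument is what allows a Set source IP from the loopback block to pass the subnet check.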
- Right-click a policy and select Modify Policy.
  The Edit Policy Properties dialog box appears.
- Click the Advanced tab.
- Select the Dynamic NAT check box.
- If you want to use the dynamic NAT rules set for the Firebox, select Use Network NAT Settings.
  This is the default setting.
- If you want to apply dynamic NAT to all traffic in this policy, select All traffic in this policy.
If you select All traffic in this policy, the Firebox changes the source IP address for each packet handled by this policy to the primary IP address of the interface from which the packet is sent, or the source IP address configured in the network dynamic NAT settings. You can optionally set a different dynamic NAT source IP address for traffic handled by this policy.
To set the source IP address in the policy:
- Select the Set source IP check box.
- In the adjacent text box, type the source IP address to use for traffic handled by this policy. This source address must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic. In Fireware v12.2 or higher, you can specify a source address that is on the same subnet as the primary or secondary IP address of the loopback interface.
When you select a source IP address, any traffic that uses this policy shows the specified address from your public or external IP address range as the source. This is most often used to force outgoing SMTP traffic to show the MX record address for your domain when the IP address on the Firebox external interface is not the same as your MX record IP address.
We recommend that you do not use the Set source IP option if you have more than one external interface configured on your Firebox. If you use the Set source IP option in a policy, do not enable policy-based routing with failover in the policy settings.
For more information about dynamic NAT source IP addressing options, go to About Dynamic NAT Source IP Addresses.
Disable Policy-Based Dynamic NAT
Dynamic NAT is enabled in the default configuration of each policy.
- Select Firewall > Firewall Policies.
  The Firewall Policies list appears.
- Select a policy.
  The Policies page appears.
- From the Action drop-down list, select Edit Policy.
- Click the Advanced tab.
- To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.
- Right-click a policy and select Modify Policy.
  The Edit Policy Properties dialog box appears.
- Click the Advanced tab.
- To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.