About Dynamic NAT Source IP Addresses
In the default dynamic NAT configuration, the Firebox changes the source IP address for traffic that goes out an external interface to the primary IP address of the external interface the traffic leaves. You can optionally configure dynamic NAT to use a different source IP address. You can set the dynamic NAT source IP address in a network NAT rule or in the NAT settings for a policy. When you select a source IP address, dynamic NAT uses the specified source IP address for any traffic that matches the dynamic NAT rule or policy.
Whether you specify the source IP address in a network dynamic NAT rule or in a policy, it is important that the source IP address is on the same subnet as the primary or secondary IP address of the interface from which the traffic is sent. In Fireware v12.2 or higher, you can also specify IP addresses that are on the same subnet as the primary or secondary IP address of the loopback interface. It is also important to make sure that the traffic the rule applies to goes out through only one interface.
If the dynamic NAT source IP address is not on the same subnet as the primary or secondary IP address of the outgoing interface for that traffic, or the primary or secondary IP address of the loopback interface in Fireware v12.2 or higher, the Firebox does not change the source IP address for each packet to the source IP address specified in the dynamic NAT rule. Instead, it changes the source IP address to the primary IP address of the interface from which the packet is sent.
Set the Dynamic NAT Source IP Address in a Network Dynamic NAT Rule
If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any policies that apply to the traffic, add a network dynamic NAT rule that specifies the source IP address. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface the traffic leaves. In Fireware v12.2 or higher, you can also specify IP addresses that are on the same subnet as the primary or secondary IP address of the loopback interface.
If the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that includes more than one interface, the source IP address is used only for traffic that leaves an interface that has an IP address on the same subnet as the source IP address.
For example, if:
- Your Firebox has two external interfaces, Eth0 (203.0.113.2), and Eth1 (192.0.2.2).
- You create a dynamic NAT rule for all traffic to Any-External.
- In the dynamic NAT rule, you set a source IP address of 203.0.113.80.
The result is:
- For traffic that leaves Eth0, the source IP address is the IP address in the dynamic NAT rule, 203.0.113.80.
- For traffic that leaves Eth1, the source IP address is the Eth1 interface IP address, 192.0.2.2.
For more information, go to Add Network Dynamic NAT Rules.
Set the Dynamic NAT Source IP Address in a Policy
If you want to set the source IP address for traffic handled by a specific policy, configure the source IP address in the network settings of the policy. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic in the policy. In Fireware v12.2 or higher, you can also specify IP addresses that are on the same subnet as the primary or secondary IP address of the loopback interface.
We recommend that you do not use the Set source IP option in a policy if you have more than one external interface configured on your Firebox. If you use the Set source IP option in a policy, do not enable SD-WAN or policy-based routing with failover in the policy settings.
For more information, go to Configure Policy-Based Dynamic NAT.