Creating NAT Policies
Use the Network Address Translation (NAT) policy page to perform basic NAT configuration.
NAT is a form of network masquerading where you can hide devices between zones or interfaces. NAT modifies the IP addresses of the packets moving between the trust and untrust zones. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet.
Whenever a packet arrives at a NAT device, the device performs a translation on the IP address of the packet by rewriting it with an IP address that was specified for external use. After translation, the packet appears to have originated from the gateway rather than from the original device within the network. This process hides your internal IP addresses from the other networks and keeps your network secure.
Also, NAT permits you to use more internal IP addresses. Because these IP addresses are hidden, there is no risk of conflict with an IP address from a different network. This feature helps you conserve IP addresses.
Before You Begin
Read the NAT Overview topic.
Read the NAT Global Address Book Overview topic.
Review the NAT policies main page for an understanding of your current data set. See NAT Policies Main Page Fields descriptions.
To configure a NAT policy:
- Select Configure > NAT Policy > Policies.
- Click the plus sign (+) to create a new NAT policy.
- Complete the configuration according to the guidelines provided in Table 1.
- A new NAT policy is created. After you create an IPS policy, add rules in one or more rulebases to select that policy to be the active policy on your device, see Creating NAT Rules. You can also assign NAT policy to a domain; see Assigning Policies and Profiles to Domains.
Table 1: NAT Policy Settings
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters.
Enter a description for the NAT policy; maximum length is 255 characters.
Auto ARP Configuration
Select this option to respond to incoming Address Resolution Protocol (ARP) requests. ARP translates IPv4 addresses to MAC addresses.
Select the type of NAT policy you want to create:
Select the devices on which the group policy will be published. Select these devices from the Available column and move them to the Selected column.
You can also search for the devices in the search field available in both Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.
Note: During a device assignment for a group policy, only devices from the current and child domains (with view parent enabled) are listed. Devices in the child domain with view parent disabled are not listed.
Select the device on which the device policy will be published. During a device assignment for a device policy, only devices from the current domain are listed.
Select an option to place the newly created global policy either before the existing device policies or after the device policies. Once you select the policy placement for your global policy, you can choose the sequence number.
Policy Sequence No.
Click Select to reorder your NAT policy among the existing device policies.