Creating NAT Policy Rules

NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. After a rule set that matches the traffic is found, each rule in the rule set is evaluated for a match. NAT rules can match on the following packet information:

  • Source and destination address

  • Source port (for source and static NAT only)

  • Destination port

The first rule in the rule set that matches the traffic is used; later rules in the set are not evaluated, so the order of rules within a rule set determines which translation a packet receives. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.

To create a new NAT rule, click the NAT policy name. The Single NAT Policy page appears, providing you with options to configure NAT rules. Alternatively, you can click the rule number listed under Rules against the policy to create a new rule. You can configure the following types of NAT rules:

  • Static—To add a static NAT rule, click Add Static NAT Rule or click Create on the top right corner and select Static.

  • Source—To add a source NAT rule, click Add Source NAT Rule or click Create on the top right corner and select Source.

  • Destination—To add a destination NAT rule, click Add Destination NAT Rule or click Create on the top right corner and select Destination.

Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.

To create a NAT policy rule:

  1. Select Configuration > NAT > NAT Policies.

    The NAT Policies page appears, displaying the existing NAT policies.

  2. Click the name of the NAT policy for which you want to create rules. Alternatively, you can click the number listed under Rules against a NAT policy.

    The Single NAT Policy page appears.

  3. Click Create and select either Source, Static, or Destination. The page displays fields for creating a NAT rule.
  4. Complete the configuration according to the guidelines provided in Table 1.
  5. Click OK to save the changes. If you want to discard your changes, click Cancel instead.

A NAT rule with the configuration you provided is created.

Table 1 provides guidelines on using the fields on the Single NAT Policy page.

Table 1: Fields on the Single NAT Policy Page for Creating NAT Rules

Field

Description

Source

Click the add icon (+) to select the source endpoints on which the NAT policy rule applies, from the displayed list of addresses, protocols, interfaces, routing instances, zones, or ports.

The possible endpoints for source differ based on whether the NAT rule is a source, destination, or static NAT rule.

  • The possible endpoints for source for a source NAT rule are:

    • Addresses

    • Routing instances, interfaces, or zones

    • Protocols

    • Ports

    • VRF Groups

  • The possible endpoints for source for a destination NAT rule are:

    • Addresses

    • Routing instances, interfaces, or zones

    • Protocols

    • VRF Groups

  • The possible endpoints for source for a static NAT rule are:

    • Addresses

    • Routing instances, interfaces, or zones

    • Ports

    • VRF Groups

You can also select a source endpoint by using the methods described in Selecting NAT Source.

Destination

Click the add icon (+) to select the destination endpoints on which the NAT policy rule applies, from the displayed list of addresses, interfaces, services, routing instances, zones, or ports.

The possible endpoints for destination differ based on whether the NAT rule is a source, destination, or static NAT rule.

  • The possible endpoints for destination for a source NAT rule are:

    • Addresses

    • Routing instances, interfaces, or zones

    • Services

    • Ports

    • VRF Groups

  • The possible endpoints for destination for a destination NAT rule are:

    • Addresses

    • Services

    • Ports

  • The possible endpoints for destination for a static NAT rule are:

    • Addresses

    • Ports

You can select a destination endpoint by using the methods described in Selecting NAT Destination.

Note:

When you create a destination NAT rule for traffic arriving on an interface that terminates a VPN link, the translation can break the VPN link. This happens when the destination address in the destination NAT rule is specified only as the WAN-facing IP address of that interface: every packet destined to Wan.IP, including the VPN packets terminating on that interface, is translated to the destination pool. For example, the following NAT rule translates any traffic destined to Wan.IP to the destination pool and breaks the VPN link:

[Any.Address] --> [Wan.IP] :: [Dest-Pool-1]

Therefore, the recommendation in such cases is to use a destination NAT rule with destination field as [Address + Port]. For example:

[Any.Address] --> [Wan.IP + Port] :: [Dest-Pool-1]

Translation

Translation Type

Specify the translation type for the incoming traffic. The translation options vary based on whether you are creating a source, static, or destination NAT rule.

Choose one of the following translation types for a source NAT rule:

  • None—No translation is required for the incoming traffic.

  • Interface—Performs interface-based translation, using the address of the egress interface as the translated source address.

  • Pool—Performs pool-based translations on the source or destination packet. Click on the add icon (+) in the Select Pool field to choose the translation pool.

    You can also create a new pool by clicking Add new pool. See Creating NAT Pools.

Choose one of the following translation types for a static NAT rule:

  • Address—Performs address-based translations on the source or destination packet. Click on the add icon (+) in the Select Address field to choose the translation address.

    You can also create a new address by clicking Add new address. See Creating Addresses or Address Groups.

    Note:

    In an SD-WAN environment, it is mandatory that you select the routing instance corresponding to the translation address. You can select the routing instance for a translation address using the Advanced Settings page. For more information on Advanced Settings, see Table 3.

  • Corresponding IPv4—Uses the corresponding IPv4 address to perform translations on the source or destination packet.

Choose one of the following translation types for a destination NAT rule:

  • None—No translation is required for the incoming traffic.

  • Pool—Performs pool-based translations on the source or destination packet. Click on the add icon (+) in the Select Pool field to choose the translation pool.

    You can also create a new pool by clicking Add new pool. See Creating NAT Pools.

    Note:

    In an SD-WAN environment, the destination NAT pool selected should be configured with a site and a routing instance corresponding to the pool address. For example, a webserver with IP address (IP1) is running in the HR department. To create a destination NAT pool corresponding to this webserver IP address, you must specify the following mandatory fields while creating the NAT pool:

    Address - IP1

    Site - the site hosting the webserver

    Routing instance - natVR_HR

Advanced Settings (Optional)

Click Configure to configure advanced settings for a source or static NAT rule. For more information about advanced settings for the translation types Interface and Pool for a source NAT rule, see Table 2. For more information about advanced settings for a static NAT rule, see Table 3.

Details

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters.

Description

Enter a description for the policy intent; maximum length is 1024 characters.

End Points

Create source and destination endpoints such as addresses and services.

To edit the configured parameters of an address or service, hover over it and click on the edit icon (pencil symbol).
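The first-match evaluation described at the top of this page and the destination NAT caveat in the note under Destination, modelled as an added example. This is Python written for this page, not Security Director or Junos code; the rule, pool and zone names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed. It also adds a small shadowing check that the page does not describe: because the first matching rule wins, a later, more specific rule whose traffic is fully covered by an earlier rule can never fire.

```python
"""First-match NAT rule evaluation (added example, not Security Director or
Junos code). A rule set is selected by traffic direction; within it the
first rule whose match fields all hold decides the action. Also shows why a
destination NAT rule matching only the WAN address (no port) rewrites the
VPN packets terminating on that address, while Address + Port does not."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.10"   # constructed; stands in for Wan.IP in the note


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "esp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None     # None for protocols without ports (ESP)
    from_zone: str = "untrust"
    to_zone: str = "trust"


@dataclass
class Rule:
    name: str
    src: str = "0.0.0.0/0"                    # CIDR; /0 means any
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None   # inclusive range; None means any
    action: str = "off"                       # "off" (no translation) or a pool name

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None:
            # A port match can never hold for a packet that carries no port (ESP).
            if pkt.dport is None or not self.dport[0] <= pkt.dport <= self.dport[1]:
                return False
        return True


@dataclass
class RuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: List[Rule] = field(default_factory=list)


def lookup(rule_sets: List[RuleSet], pkt: Packet) -> Tuple[Optional[str], Optional[str], str]:
    """Return (rule set, rule, action). The first rule set for the packet's
    direction is used; inside it the first matching rule wins and later rules
    are never tried. No matching rule means no translation ("off")."""
    for rs in rule_sets:
        if (rs.from_zone, rs.to_zone) == (pkt.from_zone, pkt.to_zone):
            for r in rs.rules:
                if r.matches(pkt):
                    return rs.name, r.name, r.action
            return rs.name, None, "off"
    return None, None, "off"


def shadowed(rs: RuleSet) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier rule in the same set
    matches a superset of their traffic. Returns (shadowed, by) pairs."""
    out = []
    for i, later in enumerate(rs.rules):
        for earlier in rs.rules[:i]:
            ports_cover = earlier.dport is None or (
                later.dport is not None
                and earlier.dport[0] <= later.dport[0]
                and later.dport[1] <= earlier.dport[1])
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and ports_cover):
                out.append((later.name, earlier.name))
                break
    return out


def vpn_safe_dnat(fixed: bool) -> List[RuleSet]:
    """The two rules from the note: destination [Wan.IP] only (fixed=False)
    versus destination [Wan.IP + Port] (fixed=True)."""
    rule = Rule("dnat-web", dst=f"{WAN_IP}/32",
                dport=(443, 443) if fixed else None, action="Dest-Pool-1")
    return [RuleSet("untrust-to-trust", "untrust", "trust", [rule])]


if __name__ == "__main__":
    peer = "198.51.100.7"   # constructed remote VPN peer / client address
    pkts = [Packet(peer, WAN_IP, "udp", 500, 500),      # IKE
            Packet(peer, WAN_IP, "esp"),                # ESP, no ports
            Packet(peer, WAN_IP, "tcp", 51234, 443)]    # the published service
    for fixed in (False, True):
        sets = vpn_safe_dnat(fixed)
        print("Address+Port" if fixed else "Address only",
              {p.proto: lookup(sets, p)[2] for p in pkts})
    rs = RuleSet("demo", "untrust", "trust", [
        Rule("broad", dst="203.0.113.0/24", action="Pool-A"),
        Rule("specific", dst=f"{WAN_IP}/32", dport=(443, 443), action="Pool-B")])
    print("443 hits:", lookup([rs], pkts[2])[1], "unreachable:", shadowed(rs))
```

Run stand-alone it prints that the address-only rule translates IKE and ESP as well as port 443, while the Address + Port rule translates only port 443, and that the "specific" rule in the second set is unreachable behind "broad".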

Table 2 provides guidelines on using the fields on the Advanced Settings page for a source NAT rule.

Table 2: Fields on the Advanced Settings Page for Source NAT Rule

Field

Description

Persistent

Enable the check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address.

Note:

For persistence to be applicable for the NAT policy, ensure that port overloading is turned off for the device to which the NAT policy is applicable. Use the following command to turn off port overloading for a device:

[Edit mode]
set security nat source interface port-overloading off

Persistent NAT Type

Configure persistent NAT mappings.

  • Permit any remote host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. (The reflexive transport address is the public IP address and port created by the NAT device closest to the STUN server.) Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

  • Permit target host—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address.

  • Permit target host port—All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host’s IP address and port.

Inactivity Timeout

The amount of time, in seconds, that the persistent NAT binding remains in the site’s memory when all the sessions of the binding entry have ended. When the configured timeout is reached, the binding is removed from memory. The value of the inactivity timeout can range from 60 through 7200 seconds. The default value of the inactivity timeout is 60 seconds.

Maximum Session Number

The maximum number of sessions with which a persistent NAT binding can be associated. For example, if the maximum session number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule.

The range is 8 through 65,536. The default is 30 sessions.

Address Mapping

Select an address from the available list.

Pool Address

Displays the NAT pool address.

Host Address Base

Displays the base address of the original source IP address range. The host address base is used for IP address shifting.

Port Translation

Displays whether port translation is enabled or disabled for this NAT rule.

Overflow Pool Type

Displays the source pool to be used when the current address pool is exhausted.

Overflow Pool Name

Displays the name of the overflow pool.

Mapped Port Type

Specify the type of port mapping:

  • Port—Enter a value for Port, ranging from 0 through 65,535.

  • Range—Enter the port range values in the Start and End fields, ranging from 0 through 65,535.
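The persistent NAT behaviour described in Table 2 (the three persistent NAT types, the inactivity timeout and the maximum session number), modelled as an added example. This is Python written for this page, not Junos or Security Director code; the addresses, ports and the starting reflexive port are constructed, and a session is identified only by the external endpoint the inside host talks to.

```python
"""Persistent NAT bindings (added example, not Junos or Security Director
code). One binding per internal transport address; every outbound session
reuses its reflexive address; inbound packets are admitted according to the
persistent NAT type; the binding expires after the inactivity timeout once
all its sessions have ended and refuses sessions beyond the maximum."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]   # transport address: (ip, port)
TYPES = ("any-remote-host", "target-host", "target-host-port")


@dataclass
class Binding:
    internal: Addr
    reflexive: Addr
    sessions: Set[Addr] = field(default_factory=set)  # live sessions, by external endpoint
    targets: Set[Addr] = field(default_factory=set)   # endpoints the inside host has sent to
    idle_since: Optional[float] = None                # time the last session ended


class PersistentNat:
    def __init__(self, public_ip: str, nat_type: str = "any-remote-host",
                 inactivity_timeout: int = 60, max_sessions: int = 30):
        if nat_type not in TYPES:
            raise ValueError(nat_type)
        if not 60 <= inactivity_timeout <= 7200:      # range given in Table 2
            raise ValueError("inactivity timeout must be 60..7200 s")
        if not 8 <= max_sessions <= 65536:            # range given in Table 2
            raise ValueError("maximum session number must be 8..65536")
        self.public_ip = public_ip
        self.nat_type = nat_type
        self.inactivity_timeout = inactivity_timeout
        self.max_sessions = max_sessions
        self.bindings: Dict[Addr, Binding] = {}
        # One reflexive port per binding, never shared: the model's equivalent
        # of port overloading being turned off (constructed starting port).
        self.next_port = 10000

    def _expire(self, now: float) -> None:
        for key, b in list(self.bindings.items()):
            if b.idle_since is not None and now - b.idle_since >= self.inactivity_timeout:
                del self.bindings[key]

    def outbound(self, internal: Addr, external: Addr, now: float) -> Optional[Addr]:
        """Inside host opens a session to external. Returns the reflexive
        address (the same one for every session of this internal address),
        or None when the binding has reached its maximum session number."""
        self._expire(now)
        b = self.bindings.get(internal)
        if b is None:
            b = Binding(internal, (self.public_ip, self.next_port))
            self.next_port += 1
            self.bindings[internal] = b
        if external not in b.sessions:
            if len(b.sessions) >= self.max_sessions:
                return None
            b.sessions.add(external)
        b.targets.add(external)
        b.idle_since = None
        return b.reflexive

    def inbound(self, external: Addr, reflexive: Addr, now: float) -> Optional[Addr]:
        """External endpoint sends to a reflexive address. Returns the internal
        address the packet is forwarded to, or None if it is dropped."""
        self._expire(now)
        b = next((b for b in self.bindings.values() if b.reflexive == reflexive), None)
        if b is None:
            return None                      # no binding: nothing is reachable
        if self.nat_type == "any-remote-host":
            allowed = True
        elif self.nat_type == "target-host":
            allowed = any(ip == external[0] for ip, _ in b.targets)
        else:                                # target-host-port
            allowed = external in b.targets
        return b.internal if allowed else None

    def end_session(self, internal: Addr, external: Addr, now: float) -> None:
        b = self.bindings.get(internal)
        if b is not None:
            b.sessions.discard(external)
            if not b.sessions:
                b.idle_since = now           # timeout runs only when no session is left


if __name__ == "__main__":
    inside = ("10.0.0.5", 40000)
    probes = {"same host+port": ("198.51.100.20", 3478),
              "same host, new port": ("198.51.100.20", 9999),
              "unknown host": ("192.0.2.99", 1234)}
    for t in TYPES:
        nat = PersistentNat("203.0.113.10", nat_type=t)
        refl = nat.outbound(inside, ("198.51.100.20", 3478), now=0)
        print(t, {k: nat.inbound(v, refl, now=1) is not None for k, v in probes.items()})
```

Run stand-alone it prints, for each type, which of the three inbound probes reaches the inside host after a single outbound session to 198.51.100.20:3478: all three for any-remote-host, the first two for target-host, and only the first for target-host-port.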

Table 3 provides guidelines on using the fields on the Advanced Settings page for a static NAT rule.

Table 3: Fields on the Advanced Settings Page for Static NAT Rule

Field

Description

Mapped Port Type

Specify the type of port mapping:

  • Port—Enter a value for Port, ranging from 0 through 65,535.

  • Range—Enter the port range values in the Start and End fields, ranging from 0 through 65,535.

Routing Instance

Select the routing instance for the static NAT rule.