SonicWALL 2.5 Security Camera User Manual


 
SONICWALL SONICOS ENHANCED 2.5 ADMINISTRATORS GUIDE
CHAPTER 15: Configuring NAT Policies
security appliance, or you can create your own entries. For many NAT Policies, this field is set to
Original, as the policy is only altering source or destination IP addresses.
Inbound Interface: This drop-down menu setting is used to specify the entry interface of the
packet. When dealing with VPNs, this is usually set to Any, since VPN tunnels aren’t really
interfaces.
Outbound Interface: This drop-down is used to specify the exit interface of the packet once the
NAT policy has been applied. This field is mainly used for specifying which WAN interface to apply
the translation to. Of all fields in NAT policy, this one has the most potential for confusion. When
dealing with VPNs, this is usually set to Any, since VPN tunnels aren’t really interfaces. Also, as
noted in the ‘Quick Q&A’ section of this chapter, when creating inbound 1-2-1 NAT Policies where
the destination is being remapped from a public IP address to a private IP address, this field must
be set to Any.
Comment: This field can be used to describe your NAT policy entry. The field has a 32-character
limit, and once saved, can be viewed in the main Network>NAT Policies page by running the
mouse over the text balloon next to the NAT policy entry. Your comment appears in a pop-up
window as long as the mouse is over the text balloon.
Enable NAT Policy: By default, this box is checked, meaning the new NAT policy is activated the
moment it is saved. To create a NAT policy entry but not activate it immediately, uncheck this box.
Create a reflective policy: When you check this box, a mirror outbound or inbound NAT policy for
the NAT policy you defined in the Add NAT Policy window is automatically created.
NAT Policies Q&A
Why is it necessary to specify ‘Any’ as the destination interface for inbound 1-2-1 NAT policies?
It may seem counter-intuitive to do this, given that other types of NAT policies require you to specify
the destination interface, but for this type of NAT policy, this is what is necessary. The SonicWALL
security appliance uses this field during the NAT Policy lookup and validates it against the packet that
it receives, but if this is set to some internal interface such as X0, the lookup fails because at that
point, the SonicWALL security appliance does not know that the packet is going to X0. It’s not until
after the SonicWALL security appliance performs the NAT Policy lookup that it knows that the packet
is going to X0. At the precise time that the SonicWALL security appliance does the NAT Policy lookup,
the packet looks like it is going from X1 -> X1 (or whatever interface it is coming in on), since doing a
route lookup on the NAT Public address returns the Public interface.
Can I manually order the NAT Policies?
No, the SonicWALL security appliance automatically orders them, depending on the granularity of the
rule. This means that you can create NAT policy entries for the same objects, if each policy has more
granularity than the existing policy. For example, you can create a NAT policy to translate all LAN
systems to the WAN IP Address, then create a policy saying that a specific system on that LAN uses a
different IP address, and additionally, create a policy saying that that specific system uses another
IP address when using HTTP.
Can I have multiple NAT policies for the same objects?
Yes – please read the section above.
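
The two lookup behaviours described in the answers above, as an added Python model (not SonicOS code and not taken from this guide): the outbound interface is derived from a route lookup on the untranslated destination, and candidate policies are tried most-granular first. The subnets assigned to X0 and X1, the policy names, and the scoring in granularity() are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"
# Constructed topology: X0 = LAN, X1 = WAN (documentation address ranges).
ROUTES = {"X0": ip_network("192.168.1.0/24"), "X1": ip_network("203.0.113.0/24")}

@dataclass
class NatPolicy:
    name: str
    orig_src: str   # CIDR or ANY
    orig_dst: str   # CIDR or ANY
    service: str    # service name or ANY
    in_if: str
    out_if: str

    def granularity(self):
        # Assumption: longer prefixes and a named service make a policy more granular.
        score = sum(0 if o == ANY else ip_network(o).prefixlen + 1
                    for o in (self.orig_src, self.orig_dst))
        return score + (0 if self.service == ANY else 1)

def route_lookup(ip):
    """Interface whose subnet contains ip; everything else routes out X1."""
    return next((i for i, net in ROUTES.items() if ip_address(ip) in net), "X1")

def covers(obj, ip):
    return obj == ANY or ip_address(ip) in ip_network(obj)

def nat_lookup(policies, in_if, src, dst, service):
    # The egress interface comes from the ORIGINAL destination: translation
    # has not happened yet, so a public destination still routes to X1.
    out_if = route_lookup(dst)
    for p in sorted(policies, key=NatPolicy.granularity, reverse=True):
        if (p.in_if in (ANY, in_if) and p.out_if in (ANY, out_if)
                and covers(p.orig_src, src) and covers(p.orig_dst, dst)
                and p.service in (ANY, service)):
            return p
    return None

# Constructed policies: an inbound 1-2-1 pair and the three outbound policies.
INBOUND_X0 = NatPolicy("inbound-x0", ANY, "203.0.113.10/32", ANY, "X1", "X0")
INBOUND_ANY = NatPolicy("inbound-any", ANY, "203.0.113.10/32", ANY, "X1", ANY)
OUTBOUND = [
    NatPolicy("lan-to-wan", "192.168.1.0/24", ANY, ANY, "X0", "X1"),
    NatPolicy("one-host", "192.168.1.50/32", ANY, ANY, "X0", "X1"),
    NatPolicy("one-host-http", "192.168.1.50/32", ANY, "HTTP", "X0", "X1"),
]
```

In this model the inbound policy with X0 as its outbound interface never matches a packet addressed to the public IP, while the same policy with Any does; the outbound lookups pick the HTTP policy, the single-host policy, or the LAN-wide policy depending on the source and service.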
What are the NAT ‘System Policies’?
On the Network>NAT Policies page, notice a radio button labeled System Policies. If you choose
this radio button, the NAT Policies page displays all of the default, auto-created NAT policies for the
SonicWALL security appliance. These policies are default settings for the SonicWALL security