SONICWALL SONICOS ENHANCED 2.5 ADMINISTRATOR’S GUIDE
97
Network > NAT Policies
appliance to operate properly, and cannot be deleted. For this reason, they are listed in their own section, in order to make the user-created NAT policies easier to browse. If you wish to see user-created NAT policies along with the default NAT policies, simply check the radio button next to ‘All Policies’.
Can I write NAT policies for VPN traffic?
Yes, this is possible if both sides of the VPN tunnel are SonicWALL security appliances running SonicOS Enhanced firmware. Please refer to the technote SonicOS Enhanced NAT VPN Overlap for instructions on how to perform NAT on traffic entering and exiting VPN tunnels. The technote is available at http://www.sonicwall.com/services/documentation.html.
Why do I have to write two policies for 1-2-1 traffic?
With the new NAT engine, it’s necessary to write two policies – one to allow incoming requests to the
destination public IP address to reach the destination private IP address (uninitiated inbound), and
one to allow the source private IP address to be remapped to the source public IP address (initiated
outbound). It takes a bit more work, but it’s a lot more flexible.
Creating NAT Policies
NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously.
The examples in this chapter use the following IP addresses to demonstrate NAT policy creation and activation. You can use these examples to create NAT policies for your network, substituting your IP addresses for the ones shown here:
• 192.168.10.0/24 IP subnet on interface X0
• 67.115.118.64/27 IP subnet on interface X1
• 192.168.30.0/24 IP subnet on interface X3
• X0 LAN IP address is 192.168.10.1
• X1 WAN IP address is 67.115.118.68
• X3 ‘Sales’ IP address is 192.168.30.1
• Webserver’s “private” address at 192.168.30.200
• Webserver’s “public” address at 67.115.118.70
• Public IP range addresses of 67.115.118.71 – 67.115.118.74
Creating a Many-to-One NAT Policy
Many-to-One is the most common NAT policy on a SonicWALL security appliance, and allows you to
translate a group of addresses into a single address. Most of the time, this means that you’re taking
an internal “private” IP subnet and translating all outgoing requests into the IP address of the
SonicWALL security appliance WAN port, such that the destination sees the request as coming from
the IP address of the SonicWALL security appliance WAN port, and not from the internal private IP
address.
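The following Python model is an added illustration, not SonicOS code: it models policy-based NAT as a first-match lookup on original source, original destination and service (an assumption about ordering that you should check against the appliance's own policy precedence), and uses the chapter's example addresses. It shows the Many-to-One translation of the X3 subnet onto the X1 WAN address, and why the 1-2-1 mapping for the webserver (described under “Why do I have to write two policies for 1-2-1 traffic?”) needs both an uninitiated-inbound policy and an initiated-outbound policy.

```python
"""Simplified policy-based NAT model (added example, not SonicOS code).

Assumptions: policies are evaluated top to bottom and the first policy
whose original source, original destination and service all match wins;
the addresses are the ones the chapter's examples use.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str  # e.g. "HTTP"


@dataclass(frozen=True)
class NatPolicy:
    original_source: str              # host, CIDR, or "any"
    original_destination: str         # host, CIDR, or "any"
    service: str                      # service name or "any"
    translated_source: Optional[str]  # None means "Original" (unchanged)
    translated_destination: Optional[str]


def _addr_matches(selector: str, addr: str) -> bool:
    """A host selector becomes a /32, so 'any', hosts and subnets all work."""
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


def apply_nat(policies: List[NatPolicy], pkt: Packet) -> Packet:
    """Return the packet as it would leave after the first matching policy."""
    for p in policies:
        if (_addr_matches(p.original_source, pkt.src)
                and _addr_matches(p.original_destination, pkt.dst)
                and (p.service == "any" or p.service == pkt.service)):
            return Packet(src=p.translated_source or pkt.src,
                          dst=p.translated_destination or pkt.dst,
                          service=pkt.service)
    return pkt  # no policy matched: the packet is not translated


# Chapter example addresses
X3_SUBNET = "192.168.30.0/24"
WAN_IP = "67.115.118.68"          # X1 WAN IP address
WEB_PRIVATE = "192.168.30.200"    # webserver "private" address
WEB_PUBLIC = "67.115.118.70"      # webserver "public" address
REMOTE = "198.51.100.7"           # constructed Internet host

# Many-to-One: everything on X3 leaves on the WAN IP address
MANY_TO_ONE = NatPolicy(X3_SUBNET, "any", "any", WAN_IP, None)

# 1-2-1 for the webserver: uninitiated inbound and initiated outbound
ONE_TO_ONE_IN = NatPolicy("any", WEB_PUBLIC, "any", None, WEB_PRIVATE)
ONE_TO_ONE_OUT = NatPolicy(WEB_PRIVATE, "any", "any", WEB_PUBLIC, None)


def many_to_one_source() -> str:
    """A host on X3 leaves with the WAN IP as its source."""
    return apply_nat([MANY_TO_ONE], Packet("192.168.30.55", REMOTE, "HTTP")).src


def one_to_one_inbound_only() -> Tuple[str, str]:
    """Only the inbound policy: requests reach the private server, but a
    connection the server itself initiates leaves with its private source."""
    inbound = apply_nat([ONE_TO_ONE_IN], Packet(REMOTE, WEB_PUBLIC, "HTTP"))
    outbound = apply_nat([ONE_TO_ONE_IN], Packet(WEB_PRIVATE, REMOTE, "HTTP"))
    return inbound.dst, outbound.src


def one_to_one_both() -> Tuple[str, str]:
    """Both 1-2-1 policies, listed before the Many-to-One policy."""
    policies = [ONE_TO_ONE_IN, ONE_TO_ONE_OUT, MANY_TO_ONE]
    inbound = apply_nat(policies, Packet(REMOTE, WEB_PUBLIC, "HTTP"))
    outbound = apply_nat(policies, Packet(WEB_PRIVATE, REMOTE, "HTTP"))
    return inbound.dst, outbound.src


def one_to_one_shadowed() -> str:
    """Under first-match semantics, listing Many-to-One first shadows the
    server's outbound 1-2-1 policy: it leaves on the shared WAN IP instead."""
    policies = [MANY_TO_ONE, ONE_TO_ONE_IN, ONE_TO_ONE_OUT]
    return apply_nat(policies, Packet(WEB_PRIVATE, REMOTE, "HTTP")).src


if __name__ == "__main__":
    print("many-to-one source:", many_to_one_source())
    print("1-2-1 inbound only (dst, src):", one_to_one_inbound_only())
    print("1-2-1 both policies (dst, src):", one_to_one_both())
    print("1-2-1 shadowed by many-to-one:", one_to_one_shadowed())
```

The inbound-only case is the one the FAQ answer warns about: the server is reachable on its public address, but anything it initiates goes out with 192.168.30.200 as the source, which no Internet host can answer. The last function is specific to this model's first-match assumption; it is a reminder to check how your appliance orders a host-specific policy relative to a subnet-wide one.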
This policy is easy to set up and activate. From the Management Interface, go to the Network > NAT Policies page and click on the Add button. The Add NAT Policy window is displayed for adding the policy. To create a NAT policy to allow all systems on the X3 interface to initiate traffic using the SonicWALL security appliance’s WAN IP address, choose the following from the drop-down boxes:
• Original Source: X3 Subnet