Using service-based NAT

Using service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service basis. Service-based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry: the entry masquerades everything, and individual services are then exempted from it.

For example, suppose simple dynamic NAT is enabled from the Trusted network to the Optional network, and a Web server on the Optional network must see the real Trusted addresses of its clients rather than the masqueraded Optional interface address. Add a service icon allowing Web access from the Trusted network to the Optional Web server, and set that service's NAT option to Disable NAT. In this configuration, all Web access from the Trusted network to the Optional Web server is made with the true source IP (so the server's logs record the actual Trusted host), while all other traffic from Trusted to Optional is still masqueraded.

You can also use service-based NAT instead of simple dynamic NAT. Rather than applying NAT rules globally to all outgoing packets, you can start from the premise that no masquerading takes place and then selectively masquerade only the individual services that need it.

Enabling service-based NAT

Service-based NAT is not dependent on enabling simple dynamic NAT. From Policy Manager:

1. Select Setup => NAT. Click Advanced.

2. Enable the Enable Service-Based NAT checkbox.

3. Click OK to close the Advanced NAT dialog box. Click OK to close the Dynamic NAT dialog box.

Configuring service-based NAT exceptions

By default, services take on whatever dynamic NAT properties you have set for simple NAT. However, you can override this setting in the service’s Properties dialog box. There are three options:

Use Default (Simple NAT) – Service-based NAT is not enabled for the service. The service uses the simple dynamic NAT rules configured in the Dynamic NAT Entries list (see “Adding dynamic NAT entries” on page 64).

Disable NAT – Disables dynamic NAT for outgoing packets using this service. Use this setting to create service-by-service exceptions to outgoing NAT.

Enable NAT – Enables service-based NAT for outgoing packets using this service regardless of how the simple dynamic NAT settings are configured.

From Policy Manager:

1. Double-click the service icon. Click Outgoing.

If either simple dynamic NAT or service-based NAT is already enabled, an entry appears at the bottom of the Outgoing tab.

2. Use the Choose Dynamic NAT Setup drop list to select either the default, disable, or enable setting.

3. Click OK.
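The decision rule that the three settings above produce can be hard to reason about once several services and entries are in play, so here is a small policy model that walks through both scenarios from this section: the Disable NAT exception for a Web server under a global Trusted-to-Optional entry, and the "no simple NAT, masquerade a few services" layout. This is an added example written for this edit, not WatchGuard code and not how the Firebox is implemented internally; the network ranges, interface address, service definitions and the `Firebox`, `Service` and `DynamicNatEntry` names are all assumed for illustration, as is the assumption that a per-service override only takes effect once Enable Service-Based NAT is checked.

```python
"""Policy model for simple dynamic NAT with service-based NAT overrides.

Added example, not part of the Firebox manual and not WatchGuard code: it
simulates how an outgoing packet's source address is chosen, given the
Dynamic NAT Entries list and the per-service setting
(Use Default / Disable NAT / Enable NAT). All network names, addresses,
interface addresses and service definitions below are assumed.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Network, ip_address, ip_network


class ServiceNat(Enum):
    DEFAULT = "Use Default (Simple NAT)"
    DISABLE = "Disable NAT"
    ENABLE = "Enable NAT"


@dataclass(frozen=True)
class DynamicNatEntry:
    """One row of the Dynamic NAT Entries list: packets from src to dst are masqueraded."""
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int
    nat: ServiceNat = ServiceNat.DEFAULT


@dataclass
class Firebox:
    simple_nat_enabled: bool
    service_nat_enabled: bool      # the Enable Service-Based NAT checkbox
    entries: list                  # DynamicNatEntry rows (assumed layout)
    masquerade_ip: dict            # outgoing interface name -> address used when masquerading (assumed)
    services: dict                 # (proto, port) -> Service

    def simple_nat_applies(self, src, dst) -> bool:
        return self.simple_nat_enabled and any(src in e.src and dst in e.dst for e in self.entries)

    def egress_source(self, src_ip, dst_ip, proto, port, out_iface) -> str:
        """Source address the packet leaves with on out_iface."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        masq = self.masquerade_ip[out_iface]
        svc = self.services.get((proto, port))
        # Assumption: the per-service override only counts once the checkbox is enabled.
        setting = svc.nat if (svc and self.service_nat_enabled) else ServiceNat.DEFAULT
        if setting is ServiceNat.DISABLE:
            return str(src)        # exception: the destination sees the true source IP
        if setting is ServiceNat.ENABLE:
            return masq            # masqueraded regardless of the entries list
        return masq if self.simple_nat_applies(src, dst) else str(src)


TRUSTED = ip_network("10.0.1.0/24")     # assumed Trusted network
OPTIONAL = ip_network("10.0.2.0/24")    # assumed Optional network
MASQ = {"optional": "10.0.2.1"}         # assumed Optional interface address


def exception_example() -> dict:
    """First scenario: simple NAT Trusted->Optional, HTTP exempted with Disable NAT."""
    fb = Firebox(
        simple_nat_enabled=True, service_nat_enabled=True,
        entries=[DynamicNatEntry(TRUSTED, OPTIONAL)], masquerade_ip=MASQ,
        services={("tcp", 80): Service("HTTP", "tcp", 80, ServiceNat.DISABLE)},
    )
    return {
        "http": fb.egress_source("10.0.1.5", "10.0.2.80", "tcp", 80, "optional"),
        "ssh": fb.egress_source("10.0.1.5", "10.0.2.80", "tcp", 22, "optional"),
    }


def selective_example() -> dict:
    """Second scenario: no simple NAT at all; only SMTP is masqueraded via Enable NAT."""
    fb = Firebox(
        simple_nat_enabled=False, service_nat_enabled=True,
        entries=[], masquerade_ip=MASQ,
        services={("tcp", 25): Service("SMTP", "tcp", 25, ServiceNat.ENABLE)},
    )
    return {
        "smtp": fb.egress_source("10.0.1.5", "10.0.2.25", "tcp", 25, "optional"),
        "http": fb.egress_source("10.0.1.5", "10.0.2.80", "tcp", 80, "optional"),
    }


if __name__ == "__main__":
    print(exception_example())   # {'http': '10.0.1.5', 'ssh': '10.0.2.1'}
    print(selective_example())   # {'smtp': '10.0.2.1', 'http': '10.0.1.5'}
```

The point to check against your own configuration is the order of precedence in `egress_source`: a service-level Disable NAT or Enable NAT wins over the Dynamic NAT Entries list, and only Use Default falls through to that list. When auditing a policy, run each service you care about through a model like this rather than reading the entries list alone, because an exempted service exposes the true Trusted address to the destination network.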

WatchGuard Technologies Firebox System 4.6 User Guide, page 65