Configuring Network Address Translation (NAT)

  • NAT rules can be configured on a site and applied to a VPN.
  • NAT is available on EC-M, L and XL without sync link. On EC-XL with sync link, NAT is not available.
  • NAT is available as static 1:1 NAT, where one IP address is translated to another IP address, or as dynamic NAT, where many IP addresses are translated to one IP address or a pool of IP addresses, also using port address translation (PAT).

Configuring Source NAT (SNAT)

Source NAT can be configured as One-to-One, Many-to-One or Many-to-Many NAT. With source NAT, the source IP address of a packet is replaced with an IP address from the NAT pool. Additionally, the source port is replaced with a dynamic port selected by the CPE, also known as port address translation (PAT).

  1. Under Location > NAT, select "Dynamic source NAT" as NAT Type
  2. Click (+) to add a new NAT rule
  3. Select the VPN where the NAT rule will be applied
  4. Enter the start IP address and end IP address of the NAT pool. If only one IP should be used in the NAT pool, the start and end IP addresses can be the same.
  5. Add match criteria to define the traffic on which NAT will be performed:
    1. Add source address: Packets from these source addresses will be translated
    2. Add destination address: Packets to these destination addresses will be translated
    3. (Optional) Exclude source address: Packets from these source addresses will be excluded from translation
    4. (Optional) Exclude destination address: Packets to these destination addresses will be excluded from translation
  6. Save entries
Note: For EC-XL without sync link, the NAT rules are created on both CPEs automatically.

Configuring Destination NAT (DNAT)

With destination NAT, the destination IP address of a packet (external address) is replaced with the internal address in a 1:1 fashion. It is also possible to perform destination NAT on a whole subnet.

The destination NAT rule must always be applied on the location of the destination service. Destination NAT will be performed for incoming traffic entering the LAN. Applying a destination NAT rule on outgoing traffic leaving the LAN (e.g. to redirect traffic going to a specific destination IP address) is not supported.

  1. Under Location > NAT, select "Static NAT" as NAT Type
  2. Click (+) to add a new NAT rule
  3. Select the VPN where the NAT rule will be applied
  4. Enter the internal IP address or network address
  5. Enter the external IP address or network address
  6. Enter the subnet mask in CIDR notation. 1:1 destination NAT will be performed for every host inside the subnet.
  7. Select the direction in which the NAT rule should apply. For an explanation of Bi-directional NAT, see the infobox below.
  8. Save entries
Info: Bi-directional NAT

When configuring static NAT, Bi-directional NAT can be enabled. Bi-directional NAT translates both source and destination information in packets. It is a combination of source NAT and destination NAT that applies to the same flow. When receiving a packet, the device translates both its source and destination addresses.
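
The subnet form of the static NAT rule from step 6 of the destination NAT procedure, as an added example that is not part of the original page or the product's own code. It assumes the usual 1:1 subnet behaviour in which the host offset inside the subnet is preserved; the function names and sample addresses are constructed for illustration. Listing the mapping before saving a rule shows exactly which internal hosts become reachable through the external range.

```python
import ipaddress


def build_static_nat(internal, external, prefix_len):
    """Validate a static NAT rule and return (internal_net, external_net).

    strict=True rejects an address that is not aligned to the mask,
    e.g. 192.168.10.20 with /28. A /32 rule maps a single host.
    """
    int_net = ipaddress.ip_network(f"{internal}/{prefix_len}", strict=True)
    ext_net = ipaddress.ip_network(f"{external}/{prefix_len}", strict=True)
    return int_net, ext_net


def translate_destination(dst, rule):
    """Return the internal address for an external destination, or None.

    Assumption: the offset of the host inside the external subnet is
    kept when the destination is rewritten to the internal subnet.
    """
    int_net, ext_net = rule
    addr = ipaddress.ip_address(dst)
    if addr not in ext_net:
        return None  # destination is outside the rule, no translation
    offset = int(addr) - int(ext_net.network_address)
    return str(int_net.network_address + offset)


def exposed_hosts(rule):
    """Map every external address covered by the rule to its internal address."""
    _, ext_net = rule
    return {str(e): translate_destination(str(e), rule) for e in ext_net}


if __name__ == "__main__":
    # Constructed sample rule: internal 192.168.10.0, external 10.200.10.0, mask /28
    rule = build_static_nat("192.168.10.0", "10.200.10.0", 28)
    for ext, internal in exposed_hosts(rule).items():
        print(f"{ext} -> {internal}")
    # An address just past the /28 is not covered by the rule
    print(translate_destination("10.200.10.16", rule))
    # A misaligned network address is rejected before the rule is used
    try:
        build_static_nat("192.168.10.20", "10.200.10.0", 28)
    except ValueError as err:
        print("rejected:", err)
```

A wider mask exposes every address in the internal subnet, so the listing is a quick way to confirm that the rule covers only the hosts that are meant to accept incoming traffic.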