347
SonicOS 5.8.1 Administrator Guide
CHAPTER 23
Chapter 23: Configuring NAT Policies
Network > NAT Policies
This chapter contains the following sections:
• “NAT Policies Table” on page 348
• “NAT Policy Settings Explained” on page 349
• “NAT Policies Q&A” on page 351
The Network Address Translation (NAT) engine in SonicOS
Enhanced allows users to define
granular NAT polices for their incoming and outgoing traffic. By default, the SonicWALL security
appliance has a preconfigured NAT policy to allow all systems connected to the X0 interface to
perform Many-to-One NAT using the IP address of the X1 interface, and a policy to not perform
NAT when traffic crosses between the other interfaces. This chapter explains how to set up the
most common NAT policies.
Understanding how to use NAT policies starts with an the construction of an IP packet. Every
packet contains addressing information that allows the packet to get to its destination, and for
the destination to respond to the original requester. The packet contains (among other things)
the requester’s IP address, the protocol information of the requestor, and the destination’s IP
address. The NAT Policies engine in SonicOS Enhanced can inspect the relevant portions of
the packet and can dynamically rewrite the information in specified fields for incoming, as well
as outgoing traffic.
You can add up to 512 NAT Policies on a SonicWALL security appliance running SonicOS
Enhanced, and they can be as granular as you need. It is also possible to create multiple NAT
policies for the same object – for instance, you can specify that an internal server use one IP
address when accessing Telnet servers, and to use a totally different IP address for all other
protocols. Because the NAT engine in SonicOS Enhanced supports inbound port forwarding, it
is possible to hide multiple internal servers off the WAN IP address of the SonicWALL security
appliance. The more granular the NAT Policy, the more precedence it takes.