How NAT affects other firewall configurations

Translated IP addresses are used in routing, in VPN site definitions, and in system communications.

After adding or editing NAT rules, you must consider how these areas of communications are affected and what changes are needed. If you are using Multi-Link, Outbound Multi-Links have their own NAT configurations that must not overlap with the NAT rules you define.

In particular, check that:

  • Access rules and Inspection rules match the addresses that are in the packets as they arrive on the firewall, that is, the addresses before any NAT operation is done. Write these rules against the original (untranslated) addresses.
  • Routing is done after NAT, so the routing decision uses the translated address. Make sure that the translated address is included in the Routing pane of the Engine Editor under the correct interface, unless the packets are meant to be forwarded to the default gateway.
  • If you translate addresses of communications going through VPN tunnels, the translated addresses must be included in the VPN site definitions.
Note: By default, NAT is disabled for connections traversing a VPN (NAT rules are completely ignored for VPN traffic). If you want the NAT rules to apply to connections traversing a VPN, enable NAT in the properties of the VPN element.
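The following is an added example, not code from this product or its documentation: a small Python model of the order of operations described above (access rules on pre-NAT addresses, then NAT, then routing on the translated address), plus a check you can run over a NAT rule set before pushing a policy to see whether the translated addresses are covered by interface routes and VPN site definitions. The rule set, routes, VPN sites, addresses, interface names and the "allow"/"discard" actions are all constructed for the example; the `via_vpn` flag and the `vpn_nat_enabled` switch model the VPN element setting from the note and are assumptions of this model, not engine configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    field: str             # "src" or "dst": which address the rule rewrites
    original: str          # network matched in the packet as it arrives (pre-NAT)
    translated: str        # network written into the packet (same prefix length)
    via_vpn: bool = False  # rule is meant for traffic that enters a VPN tunnel


def ip(a):
    return ipaddress.ip_address(a)


def net(n):
    return ipaddress.ip_network(n, strict=False)


def translate(addr, original, translated):
    """Static one-to-one mapping: keep the host offset, swap the network part."""
    o, t = net(original), net(translated)
    offset = int(ip(addr)) - int(o.network_address)
    return str(ipaddress.ip_address(int(t.network_address) + offset))


def match_access(access_rules, src, dst):
    """Access rules see the packet as it arrives, i.e. pre-NAT addresses.
    First match wins; no match means the packet is discarded (model assumption)."""
    for rule_src, rule_dst, action in access_rules:
        if ip(src) in net(rule_src) and ip(dst) in net(rule_dst):
            return action
    return "discard"


def apply_nat(nat_rules, src, dst, vpn_nat_enabled=False):
    """Rewrite src/dst using the first matching rule per field. Rules marked
    via_vpn are skipped unless NAT is enabled on the VPN element (default off)."""
    new = {"src": src, "dst": dst}
    done = set()
    for r in nat_rules:
        if r.field in done or (r.via_vpn and not vpn_nat_enabled):
            continue
        if ip(new[r.field]) in net(r.original):
            new[r.field] = translate(new[r.field], r.original, r.translated)
            done.add(r.field)
    return new["src"], new["dst"]


def lookup_route(routes, dst):
    """Longest-prefix match over the routes defined under the engine's interfaces.
    None means there is no interface route: the packet goes to the default gateway."""
    best = None
    for prefix, iface in routes:
        n = net(prefix)
        if ip(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def forward(access_rules, nat_rules, routes, src, dst, vpn_nat_enabled=False):
    """Packet path: access rules (pre-NAT) -> NAT -> routing (post-NAT)."""
    action = match_access(access_rules, src, dst)
    if action != "allow":
        return action, None, None
    nsrc, ndst = apply_nat(nat_rules, src, dst, vpn_nat_enabled)
    return action, (nsrc, ndst), lookup_route(routes, ndst)


def check_nat_rules(nat_rules, routes, vpn_sites, vpn_nat_enabled=False):
    """Return one warning string per problem the checklist above would catch."""
    warnings = []
    for r in nat_rules:
        t = net(r.translated)
        if r.field == "dst" and not any(t.subnet_of(net(p)) for p, _ in routes):
            warnings.append(f"translated destination {r.translated} has no interface "
                            "route; packets will be sent to the default gateway")
        if r.via_vpn and not vpn_nat_enabled:
            warnings.append(f"NAT rule {r.original}->{r.translated} is ignored: "
                            "NAT is disabled on the VPN element")
        if r.via_vpn and not any(t.subnet_of(net(s)) for s in vpn_sites):
            warnings.append(f"translated network {r.translated} is not in any VPN site")
    return warnings


# Constructed sample policy (RFC 5737 documentation ranges for public addresses).
ACCESS = [("0.0.0.0/0", "203.0.113.10/32", "allow")]     # written against the pre-NAT address
ACCESS_WRONG = [("0.0.0.0/0", "10.1.1.10/32", "allow")]  # written against the post-NAT address
NAT = [
    NatRule("dst", "203.0.113.10/32", "10.1.1.10/32"),               # publish an internal server
    NatRule("src", "10.1.1.0/24", "172.16.1.0/24", via_vpn=True),  # hide the LAN behind a tunnel range
]
ROUTES = [("10.1.1.0/24", "Interface 1")]
VPN_SITES = ["172.16.1.0/24"]

if __name__ == "__main__":
    print(forward(ACCESS, NAT, ROUTES, "198.51.100.7", "203.0.113.10"))
    print(forward(ACCESS_WRONG, NAT, ROUTES, "198.51.100.7", "203.0.113.10"))
    for w in check_nat_rules(NAT, [], ["10.1.1.0/24"]):
        print("WARNING:", w)
```

`ACCESS_WRONG` shows the first point: a rule written against the internal address never matches, because the access rule sees the public address the packet still carries on arrival. Running `check_nat_rules` with an empty route list and the untranslated LAN in the VPN site reproduces the other two points and the note: the translated destination falls to the default gateway, the VPN-bound NAT rule is silently ignored until NAT is enabled on the VPN element, and once it is enabled the site definition still lacks the translated range.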