Translate destination addresses in packets

Destination translation is typically used to translate new incoming connections from a server’s public IP address to the server's private IP address.

You can also use destination translation to forward traffic to a proxy server.

Note: Destination translation can change the routing of packets and potentially cause packets that no longer match the Destination Zone of an Access rule to be discarded.
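The routing change this note describes can be checked before a NAT rule is deployed. The following Python is an added example, not part of the product or this documentation: it models a routing table as a constructed list of interface networks with zone names, resolves the zone a destination address is routed to by longest prefix match, and reports whether an Access rule's Destination Zone still matches once the destination address has been translated. ROUTES, zone_for and check_dnat_rule are hypothetical names, and all addresses are constructed.

```python
import ipaddress

# Constructed routing table: (network reachable through an interface, zone of that interface).
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "External"),
    (ipaddress.ip_network("10.10.0.0/24"), "DMZ"),
    (ipaddress.ip_network("10.10.0.0/16"), "Internal"),
]


def zone_for(address):
    """Resolve the zone a destination is routed to (longest prefix match); None if unrouted."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, zone in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def check_dnat_rule(original_dst, translated_dst, access_rule_dst_zone):
    """Compare the zone a packet is routed to before and after destination translation.

    'matches_access_rule' is False when the translated destination is routed to a
    zone other than the one the Access rule expects, which is the situation in
    which the packet would be discarded.
    """
    before = zone_for(original_dst)
    after = zone_for(translated_dst)
    return {
        "zone_before": before,
        "zone_after": after,
        "routing_changed": before != after,
        "matches_access_rule": after == access_rule_dst_zone,
    }


if __name__ == "__main__":
    # A DMZ server's public address is translated to its private address;
    # an Access rule written against the External zone no longer matches.
    print(check_dnat_rule("203.0.113.10", "10.10.0.5", "External"))
```

Run the check for every NAT rule that translates destinations; a result with routing_changed set and matches_access_rule cleared points at an Access rule whose Destination Zone needs to name the zone of the translated address.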


Steps

  1. Double-click the NAT cell in the NAT rule.
  2. On the Destination Translation tab, select the translation type.
  3. Configure the options according to the selected translation type.
  4. Click OK.

Network Address Translation dialog box

Use this dialog box to define the settings for overwriting source and destination addresses in packets.

Option Definition
Source Translation tab
Translation Type

Defines the translation type.

  • None — Source addresses in matching connections are not translated. The packets are sent onwards with the source address intact.
  • Static — Source addresses in matching connections are translated using the same number of IP addresses as there are possible original source addresses. Each translated IP address corresponds to one original IP address.
  • Dynamic — Source addresses in matching connections are translated using a smaller pool of IP addresses than there are original source addresses included in the rule. Many hosts can use the same IP address, and the connections are distinguished by allocating a different TCP or UDP port for each connection.

    Also used for activating an Outbound Multi-Link configuration (IPv4 only).

    Because ports are needed to track connections, dynamic NAT only works with TCP and UDP protocols. If the protocol used in the communications is not transported on top of TCP or UDP, the communicating applications must encapsulate the packets in TCP or UDP (NAT traversal) to communicate through dynamic NAT.

IP Address Pool

(Dynamic only)

The pool of IP addresses that are used for the translation. The minimum size for the pool is one IP address. The number of IP addresses required depends on how many ports you allow the address translation to use, and how many concurrent connections dynamic address translation handles at peak times. If the IP address/port pairs run out, new connections cannot be opened before existing connections are closed.

The IP addresses used for NAT must not be in use in the network, as this creates an IP address conflict. However, the engine’s own IP address (CVI on clusters) can be used for address translation if there are no free IP addresses available (make sure that your selected port range does not overlap with communications ports that the engine uses on this address).
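The pool sizing and address-conflict rules in the two paragraphs above, together with the TCP/UDP restriction stated for the Dynamic translation type, as an added Python model that is not the product's code: validate_pool flags pool addresses that are already in use in the network (allowing the engine's own address only when the port range stays clear of the engine's own ports), and DynamicNatPool hands out one (translated IP, port) pair per connection, refuses protocols that are not TCP or UDP, returns None once all pairs are in use, and makes pairs available again when a connection is released. All names, addresses and port numbers are constructed for this example.

```python
import ipaddress
from collections import deque


def validate_pool(pool, network_in_use, first_port, last_port,
                  engine_address=None, engine_ports=()):
    """Return a list of problems with a dynamic NAT pool definition.

    pool            -- translated addresses as strings
    network_in_use  -- addresses already assigned to equipment in the network
    engine_address  -- the engine's own address (CVI on a cluster); it may be reused
                       for NAT as long as the port range avoids the engine's own ports
    """
    problems = []
    if not pool:
        problems.append("pool is empty; the minimum size is one IP address")
    if not 1 <= first_port <= last_port <= 65535:
        problems.append(f"invalid port range {first_port}-{last_port}")
    for addr in pool:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{addr}: not a valid IP address")
            continue
        if addr == engine_address:
            clash = sorted(p for p in engine_ports if first_port <= p <= last_port)
            if clash:
                problems.append(f"{addr}: port range overlaps engine ports {clash}")
        elif addr in network_in_use:
            problems.append(f"{addr}: already in use in the network (address conflict)")
    return problems


class DynamicNatPool:
    """Hands out (translated IP, port) pairs to connections and takes them back when
    connections close. Connections are told apart by the port, so N addresses and
    P ports support at most N*P concurrent connections."""

    def __init__(self, pool, first_port=1024, last_port=65535):
        self._free = deque((ip, port) for ip in pool
                           for port in range(first_port, last_port + 1))
        self._active = {}

    def capacity(self):
        """Total number of address/port pairs, free or in use."""
        return len(self._free) + len(self._active)

    def allocate(self, conn_id, protocol="tcp"):
        """Return the pair assigned to a new connection, or None when the pool is exhausted."""
        if protocol.lower() not in ("tcp", "udp"):
            # Dynamic NAT needs a port to track the connection.
            raise ValueError(f"dynamic NAT cannot translate {protocol}; encapsulate it in TCP or UDP")
        if conn_id in self._active:
            return self._active[conn_id]
        if not self._free:
            return None
        pair = self._free.popleft()
        self._active[conn_id] = pair
        return pair

    def release(self, conn_id):
        """Free the pair of a closed connection; True if the connection was known."""
        pair = self._active.pop(conn_id, None)
        if pair is not None:
            self._free.append(pair)
        return pair is not None


if __name__ == "__main__":
    print(validate_pool(["198.51.100.10"], {"198.51.100.10"}, 1024, 65535))
    nat = DynamicNatPool(["198.51.100.10"], 1024, 1027)  # deliberately tiny range
    print([nat.allocate(f"c{i}") for i in range(5)])     # fifth connection gets None
```

Sizing a real pool with this model means multiplying the number of pool addresses by the width of the port range and comparing that with the peak concurrent connection count; the tiny four-port range in the usage lines exists only to make exhaustion visible.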

IP Address(es)

(Static only)

Define the original and translated IP addresses.

  • Original — The IP addresses you want to change with this address translation. These are defined in the Source cell of the NAT rule and shown here for your reference only; it is not possible to change the Original addresses here.
  • Translated — The IP addresses you want the address translation to write in the packets. The Translated address space must have the same number of IP addresses as there are in the Original address space, since each original address has a fixed pair in the translated address space.

Click Select to select an element.

Address

Allows manual entry of the IP address or (sub)network to use for the address translation.

First Port to Use

(Dynamic only)

The start of the port range for source IP address translation. The default is the beginning of the “free” high port range, 1024.
Last Port to Use

(Dynamic only)

The end of the port range for source IP address translation. The default is the highest possible port, 65535.
Automatic Proxy ARP (Recommended)

(IPv4 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

This option is required in most cases, but it must not be active for IP addresses that are used by any equipment in the directly connected networks.

Automatic Proxy Neighbor Discovery

(IPv6 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

There is a limit to the number of addresses that the engine can proxy for neighbor discovery.

Option Definition
Destination Translation tab
Translation Type

Defines the translation type.

  • None — IP addresses are not translated. Packets are sent onwards with the original destination address.
  • Translate Destination — Translates destination IP addresses.
  • Forward to Proxy — Forwards traffic to a proxy server.
    Note: Not all protocols are supported. The supported protocols depend on the proxy server to which traffic is forwarded.
Option Definition
Destination Translation tab, Translate Destination selected
Translate Destination

(Optional)

When selected, enables options for translating destination IP addresses.
IP Addresses

Defines the original and translated IP addresses.

  • Original — The IP addresses you want to change with this address translation. These are defined in the Destination cell of the NAT rule and shown here for reference only; it is not possible to change the Original addresses here.
  • Translated — The IP addresses you want the address translation to write in the packets. The Translated address space must have the same number of IP addresses as there are in the Original address space, as each original address has a fixed pair in the translated address space.

Click Select to select an element.

Address

Allows manual entry of the IP address or (sub)network to use for the address translation.

Automatic Proxy ARP (Recommended)

(IPv4 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

This option is required in most cases, but it must not be active for IP addresses that are used by any equipment in the directly connected networks.

Automatic Proxy Neighbor Discovery

(IPv6 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

There is a limit to the number of addresses that the engine can proxy for neighbor discovery.

Translate Destination Port

Select if you want to translate destination ports. If you do not select this option, ports are not translated, so packets are sent onwards with the destination port intact.

IP Ports

Define the original and translated IP ports.

  • Original — The ports you want to change with this address translation. These are defined in the Service element in the Service cell of the NAT rule and shown here for reference only; it is not possible to change the Original ports here.
  • Translated — The port or port range you want the address translation to write in the packets. If you enter a port range, it must have the same number of ports as there are in the Original ports, since each original port has a fixed pair in the translated port range (for example, 1–1023 could be translated to 50001–51023).

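The fixed one-to-one pairing that static source translation, Translate Destination and Translate Destination Port all rely on (the n-th original address or port always maps to the n-th translated one, so both spaces must be the same size) as an added Python example, not product code. translate_address works on address spaces given as a single address or a network in CIDR notation; translate_port accepts single ports or ranges written with a hyphen or the en dash used in the table. The function names are hypothetical, the address ranges are constructed, and the port case is the 1–1023 to 50001–51023 example from the table. A single translated port for a whole original range is not modelled here.

```python
import ipaddress


def translate_address(address, original, translated):
    """Static (1:1) address translation.

    'original' and 'translated' are address spaces (a single address or a CIDR
    network). They must contain the same number of addresses; the address at
    offset n in the original space maps to offset n in the translated space.
    """
    orig = ipaddress.ip_network(original, strict=False)
    trans = ipaddress.ip_network(translated, strict=False)
    if orig.num_addresses != trans.num_addresses:
        raise ValueError(
            f"{original} has {orig.num_addresses} addresses, {translated} has "
            f"{trans.num_addresses}; static translation needs equal sizes")
    addr = ipaddress.ip_address(address)
    if addr not in orig:
        raise ValueError(f"{address} is not in the original space {original}")
    offset = int(addr) - int(orig.network_address)
    return str(trans.network_address + offset)


def parse_port_range(spec):
    """'443' -> (443, 443); '1-1023' or '1\u20131023' -> (1, 1023)."""
    parts = [int(p) for p in spec.replace("\u2013", "-").split("-", 1)]
    first, last = (parts[0], parts[-1])
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return first, last


def translate_port(port, original, translated):
    """Destination port translation with fixed pairs: the n-th original port maps
    to the n-th translated port, so both ranges must be the same size."""
    of, ol = parse_port_range(original)
    tf, tl = parse_port_range(translated)
    if ol - of != tl - tf:
        raise ValueError(f"{original} and {translated} do not contain the same number of ports")
    if not of <= port <= ol:
        raise ValueError(f"port {port} is not in the original range {original}")
    return tf + (port - of)


if __name__ == "__main__":
    print(translate_address("203.0.113.5", "203.0.113.0/28", "10.10.0.0/28"))  # 10.10.0.5
    print(translate_port(443, "1\u20131023", "50001\u201351023"))              # 50443
```

Both functions raise ValueError when the two spaces differ in size, which is the same condition the dialog box enforces; running them over a rule's Original and Translated entries before saving is a quick way to catch a mistyped mask or range end.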
Option Definition
Destination Translation tab, Forward to Proxy selected
Proxy Server

Specifies the proxy server to which traffic is forwarded. Click Select to select an element.