Troubleshoot NAT that is applied when it should not be

Resolve problems when the Firewall translates an IP address to some other IP address even though it should not.

  1. Check the order of the NAT rules.
    The Firewall reads the NAT rules from top to bottom. Only the first rule that matches is considered, so you can make exceptions to a rule by placing a different, partially overlapping rule above it. Leaving the NAT cell empty tells the Firewall that addresses in any connections that match the rule should not be translated.
  2. Check for other configurations that apply NAT.

    For VPN traffic, you can also enable and disable address translation for all traffic transmitted over a VPN in the properties of the VPN element. The default setting is to disable all address translation for tunneled VPN traffic. The setting affects only traffic wrapped inside the VPN tunnel, not the tunnel itself (the encrypted packets).

    In addition to NAT rules, NAT is also used in NetLink or Server Pool elements, and as a NAT pool defined for VPN clients in the Firewall element’s properties. There must not be overlapping NAT rules that match the same connections. For NetLinks, NAT rules are used to select traffic for balancing, and only the actual IP addresses used for the translation are defined in the NetLink elements. Because NAT is required for the operation of these features, you must exclude the connections in question from the scope of these features to disable NAT.
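
The first-match behavior from step 1, modeled as an added example (not code from the product or its documentation). The rule fields, rule names and addresses are constructed, and an empty NAT cell is represented as `None`. It goes slightly beyond the text by also flagging a no-NAT exception placed below a translating rule that fully covers it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:               # hypothetical model of one NAT rule row
    name: str
    source: str              # CIDR
    destination: str         # CIDR
    nat: Optional[str]       # None models an empty NAT cell: do not translate

def _net(cidr):
    return ipaddress.ip_network(cidr)

def first_match(rules, src, dst):
    """Return the first rule matching the connection, reading top to bottom."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in _net(rule.source) and d in _net(rule.destination):
            return rule
    return None

def _covers(outer, inner):
    return (_net(inner.source).subnet_of(_net(outer.source))
            and _net(inner.destination).subnet_of(_net(outer.destination)))

def shadowed_exemptions(rules):
    """List (exception, shadowing rule) pairs where a no-NAT rule can never
    match because the first earlier rule that fully covers it translates.
    Partial overlaps are not analysed here."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.nat is not None:
            continue
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                if earlier.nat is not None:
                    findings.append((rule.name, earlier.name))
                break
    return findings

# Constructed sample rule base: the exception sits below the general rule.
MISORDERED = [
    NatRule("internet-out", "10.1.0.0/16", "0.0.0.0/0", "dynamic source NAT"),
    NatRule("no-nat-to-partner", "10.1.0.0/16", "172.16.50.0/24", None),
]
# Corrected order: the exception is placed above the rule it overlaps.
FIXED = [MISORDERED[1], MISORDERED[0]]
```

With `MISORDERED`, a connection from 10.1.2.3 to 172.16.50.7 is translated by `internet-out`; with `FIXED`, the same connection hits the empty-NAT rule first and is left untranslated.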