Example of a combined source and destination translation NAT rule

In this example, hairpin NAT is configured.

Clients in the internal network ( contact the organization’s own public web server using the public IP address ( The server’s external address is translated to an internal address ( that belongs to the same internal network address space as the contacting clients. Source address translation is used to prevent the server replies to the client’s original IP address. Such replies would be routed directly within the local network instead of through the firewall, and the connections do not work without the reverse NAT that the firewall provides.

Figure: Example scenario

Table 1. Example NAT rule matching cells
Source Destination Service HTTP

Figure: Example NAT settings

The NAT settings on each tab are not any different than when you apply only source translation or only destination translation to matching connections. The key is that both definitions must be defined in the same NAT rule, because none of the other NAT rules are considered after the first match is found.
Tip: With element-based NAT, the same connection can separately match the source and destination NAT. Hairpin NAT is automatic.