Troubleshoot NAT that is not applied correctly

Resolve problems when NAT is not applied at all or is applied incorrectly.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Make sure that any connection that you want to NAT is allowed by an Access rule that has Connection Tracking enabled.
  2. If the target of the translation is traffic that is entering or exiting a VPN tunnel, enable address translation for traffic transmitted over that VPN in the properties of the VPN element.
    The default setting is to disable all address translation for tunneled VPN traffic. The setting affects only traffic inside the VPN tunnel, not the tunnel itself (the encrypted packets).
  3. If traffic is not translated at all or the wrong translation is applied, check the NAT rules:
    1. Search the rules using the original (before translation) source and destination addresses and check if the traffic matches the wrong NAT rule higher up in the rule table. Only the first matching rule is considered. Note that NAT rules with an empty NAT cell are valid and specify that addresses are not translated for matching traffic.
    2. In addition to NAT rules, NAT is also used in NetLink or Server Pool elements, and as a NAT pool defined for VPN clients in the Firewall element’s properties. There must not be overlapping NAT rules that match the same connections.
    3. NAT rules are automatically generated from NAT definitions that are added to an element’s properties. The NAT rules that are generated from NAT definitions do not override the rules that have been manually added to the Firewall policy. However, a more specific manually created NAT rule can prevent traffic from matching automatically generated NAT rules.