Example of a combined source and destination translation NAT rule
In this example, hairpin NAT is configured.
Tip: With element-based NAT, the same connection can separately match the source and destination NAT. Hairpin NAT is automatic.
Clients in the internal network (192.168.1.0/24) contact the organization’s own public web server using the public IP address (203.0.113.140). The server’s external address is translated to an internal address (192.168.1.201) that belongs to the same internal network address space as the contacting clients. Source address translation is used to prevent the server from replying directly to the client’s original IP address. Such replies would be routed directly within the local network instead of through the firewall, and the connections do not work without the reverse NAT that the firewall provides.
Source | Destination | Service |
---|---|---|
192.168.1.0/24 | 203.0.113.140 | HTTP |
The NAT settings on each tab are no different from when you apply only source translation or only destination translation to matching connections. Both translations must be defined in the same NAT rule, because no other NAT rules are considered after the first match is found.
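
The following added example (not part of the product documentation) traces one hairpin connection through a first-match NAT table, once with the two translations split across separate rules and once with both in a single rule. The client address 192.168.1.10 and the use of a firewall internal address 192.168.1.1 as the translated source are assumptions; the page does not state them.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # internal network from the page
PUBLIC = ip_address("203.0.113.140")    # server's public address from the page
SERVER = ip_address("192.168.1.201")    # server's internal address from the page
FW_INSIDE = ip_address("192.168.1.1")   # assumption: firewall's internal IP, used as translated source
CLIENT = ip_address("192.168.1.10")     # assumption: sample internal client

# Each rule: (source net, destination, translated source or None, translated destination or None)
SEPARATE = [(LAN, PUBLIC, None, SERVER),       # destination translation only
            (LAN, PUBLIC, FW_INSIDE, None)]    # source translation only: never reached
COMBINED = [(LAN, PUBLIC, FW_INSIDE, SERVER)]  # both translations in one rule

def translate(rules, src, dst):
    """First-match NAT: only the first matching rule is applied."""
    for net, match_dst, new_src, new_dst in rules:
        if src in net and dst == match_dst:
            return new_src or src, new_dst or dst
    return src, dst

def hairpin(rules, client=CLIENT):
    """Trace one request/reply and report whether the client accepts the reply."""
    nat_src, nat_dst = translate(rules, client, PUBLIC)  # packet as the server sees it
    reply_src, reply_dst = nat_dst, nat_src              # server answers the source it saw
    if reply_dst == FW_INSIDE:
        # Reply returns to the firewall, which reverses both translations.
        reply_src, reply_dst, path = PUBLIC, client, "via firewall"
    else:
        # Reply target is on the server's own subnet: delivered directly, untranslated.
        path = "direct on LAN"
    # The client opened its connection to PUBLIC, so only replies from PUBLIC match it.
    accepted = reply_src == PUBLIC and reply_dst == client
    return {"server_sees_src": str(nat_src), "reply_src": str(reply_src),
            "path": path, "accepted": accepted}

if __name__ == "__main__":
    for name, rules in (("separate rules", SEPARATE), ("combined rule", COMBINED)):
        print(name, hairpin(rules))
```

With separate rules the reply arrives from 192.168.1.201 rather than 203.0.113.140, so the client has no matching connection for it; with the combined rule the reply passes back through the firewall and is reverse-translated.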