Example: configuring NAT for static address translation


Company A has set up the firewall to translate the IP addresses of all communications between the internal and the external network dynamically. However, the company also has a mail server, which must be able to accept connections from external networks. For this, it must have a fixed translated IP address. The administrators:
  1. Create the Host element “Mail Server” to represent the mail server’s private IP address.
  2. Create the Host element “Mail Server NAT” to represent the mail server’s public IP address.
  3. Add two new NAT rules above the general dynamic translation rule.
    • In this case, new connections can be opened both from the mail server and from external hosts, so two rules are necessary.
  4. Change the newly added NAT rules as follows:
    Table 1. Static translation rules for opening connections both ways

    Rule 1 (mail server to external hosts)
      Source:      “Mail Server” Host element
      Destination: “NOT $ Local Protected Sites” Expression
      Service:     “SMTP” Service element
      NAT:         Source: Static from Mail Server to Mail Server NAT

    Rule 2 (external hosts to mail server)
      Source:      “NOT $ Local Protected Sites” Expression
      Destination: “Mail Server NAT” Host element
      Service:     “SMTP” Service element
      NAT:         Destination: Static from Mail Server NAT to Mail Server
    • The first rule is for connections that the mail server opens to external hosts.
    • The second rule is for connections that external hosts open to the mail server.
    • Return address translation is done automatically, so if the connection would always be opened from one end, a single rule would suffice.
  5. Refresh the Firewall Policy.
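The following is an added example, not Forcepoint/SMC code, that models the rule base the steps above build: two static rules placed above the general dynamic rule, first match wins, and return translation handled from a connection table rather than by an explicit rule. All addresses (the 10.1.1.0/24 protected network, the mail server's private and public addresses, the firewall's dynamic address and the external peer) are constructed sample values, and source-port rewriting for dynamic NAT is omitted. Running it with the rules in the wrong order shows why step 3 places the static rules first: outbound mail would otherwise leave with the dynamic address instead of the fixed one.

```python
"""Added example: a small model of the static/dynamic NAT rule base above.

Not Forcepoint/SMC code. Addresses are constructed sample values; a real
firewall also rewrites source ports for dynamic NAT, which this model omits.
"""
from dataclasses import dataclass, replace
import ipaddress

LOCAL_PROTECTED_SITES = ipaddress.ip_network("10.1.1.0/24")  # constructed
MAIL_SERVER = "10.1.1.25"         # constructed: "Mail Server" Host element
MAIL_SERVER_NAT = "203.0.113.25"  # constructed: "Mail Server NAT" Host element
FIREWALL_PUBLIC = "203.0.113.1"   # constructed: address used by the dynamic rule
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_external(ip: str) -> bool:
    """Model of the 'NOT $ Local Protected Sites' expression."""
    return ipaddress.ip_address(ip) not in LOCAL_PROTECTED_SITES


# A NAT rule is (name, match predicate, translation). First match wins.
STATIC_SOURCE = (
    "static source",  # Rule 1: mail server -> external hosts, SMTP
    lambda p: p.src == MAIL_SERVER and is_external(p.dst) and p.dport == SMTP,
    lambda p: replace(p, src=MAIL_SERVER_NAT),
)
STATIC_DESTINATION = (
    "static destination",  # Rule 2: external hosts -> Mail Server NAT, SMTP
    lambda p: is_external(p.src) and p.dst == MAIL_SERVER_NAT and p.dport == SMTP,
    lambda p: replace(p, dst=MAIL_SERVER),
)
DYNAMIC = (
    "dynamic",  # general rule: everything else leaving the protected network
    lambda p: not is_external(p.src) and is_external(p.dst),
    lambda p: replace(p, src=FIREWALL_PUBLIC),
)

RULES_CORRECT_ORDER = [STATIC_SOURCE, STATIC_DESTINATION, DYNAMIC]
RULES_WRONG_ORDER = [DYNAMIC, STATIC_SOURCE, STATIC_DESTINATION]


class NatEngine:
    def __init__(self, rules):
        self.rules = rules
        self.connections = {}  # translated 4-tuple -> original packet

    def new_connection(self, pkt):
        """Apply the first matching rule and remember the mapping for replies."""
        for name, match, translate in self.rules:
            if match(pkt):
                out = translate(pkt)
                self.connections[(out.src, out.sport, out.dst, out.dport)] = pkt
                return name, out
        return "no NAT", pkt

    def reply(self, pkt):
        """Reverse translation for a reply; no explicit rule is needed for it."""
        orig = self.connections.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def demo(rules):
    """Return which rule handled each flow and the resulting addresses."""
    fw = NatEngine(rules)
    peer = "198.51.100.7"  # constructed external mail host
    name_out, out = fw.new_connection(Packet(MAIL_SERVER, 40000, peer, SMTP))
    reply = fw.reply(Packet(peer, SMTP, out.src, out.sport))
    name_in, inbound = fw.new_connection(Packet(peer, 51000, MAIL_SERVER_NAT, SMTP))
    name_other, other = fw.new_connection(Packet("10.1.1.50", 40001, peer, 443))
    return {
        "outbound": (name_out, out.src),
        "reply_delivered_to": reply.dst if reply else None,
        "inbound": (name_in, inbound.dst),
        "other_host": (name_other, other.src),
    }


if __name__ == "__main__":
    for label, rules in (("correct", RULES_CORRECT_ORDER), ("wrong", RULES_WRONG_ORDER)):
        print(label, demo(rules))
```

With the correct order the mail server's outbound connection leaves as 203.0.113.25 and the inbound one reaches 10.1.1.25, while another internal host still gets the dynamic address; with the dynamic rule first, the outbound connection matches it and leaves as 203.0.113.1, which is the failure the ordering in step 3 prevents.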