Considerations for designing NAT rules

NAT rules are processed from the top down, and more specific rules must be placed above more general rules that match the same traffic.

Traffic is matched against the Source, Destination, Service, and Used on cells. The addresses in the Source and Destination cells must be valid for the translation the rule performs: the Source cell is what source address translation is matched and applied against, and the Destination cell is what destination address translation is matched and applied against. When the first matching rule is found, the NAT defined in that rule is applied and the remaining NAT rules are ignored. Because only one rule is ever applied to a connection, all NAT operations for that connection must be defined in the same NAT rule: if you want both source and destination translation, define both in one rule, not in two consecutive rules.

Note: NAT is applied after an Access rule has allowed the connection but before a routing decision is made. Make sure that the Access rules allow the connection with the original (before NAT) addresses. Make sure that the translated (after NAT) addresses are included under the correct interface in the Routing pane of the Engine Editor, if necessary.

If you use element-based NAT, the NAT rules generated from NAT definitions are placed after the NAT rules that you have added manually to the Firewall policy, so the generated rules never override your manual rules. Remember, however, that matching stops at the first rule: a manually added NAT rule that matches the same traffic (for example, a more specific rule covering the same hosts, or a broad hide-NAT rule) catches that traffic first and prevents it from ever reaching the automatically generated rules.
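The following is an added example, not code from the original page or from any firewall product: a small Python model of the top-down, first-match evaluation described above, with manually added rules followed by rules generated from NAT definitions. The rule names, addresses, engine name and the `NatRule` and `Connection` data model are constructed for illustration. The `shadowed_rules` check flags rules that a single earlier rule covers completely, which is exactly the mistake the text warns about: a generated static NAT rule hidden behind a broad hide-NAT rule, and a second rule that tries to add source translation to a connection an earlier rule already handles.

```python
"""Toy model of top-down, first-match NAT rule processing.

Constructed example: rule names, addresses, the engine name and the
NatRule/Connection fields are made up for illustration; they mirror the
Source / Destination / Service / Used on cells of the text, not any
product's real data model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    source: str            # CIDR matched against the original source address
    destination: str       # CIDR matched against the original destination address
    service: str           # "any" or e.g. "tcp/443"
    used_on: str           # "any" or an engine name
    src_nat: Optional[str] = None   # translated source (static 1:1 for simplicity)
    dst_nat: Optional[str] = None   # translated destination
    origin: str = "manual"          # "manual" or "generated" (element-based NAT)


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    engine: str


def _in(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: NatRule, conn: Connection) -> bool:
    """A rule is matched on the connection's original (before NAT) addresses."""
    return (_in(rule.source, conn.src)
            and _in(rule.destination, conn.dst)
            and rule.service in ("any", conn.service)
            and rule.used_on in ("any", conn.engine))


def effective_policy(manual: list, generated: list) -> list:
    """Rules generated from NAT definitions come after the manual rules."""
    return list(manual) + list(generated)


def apply_nat(policy: list, conn: Connection):
    """First matching rule wins; everything below it is ignored.
    Returns (rule name or None, translated source, translated destination)."""
    for rule in policy:
        if matches(rule, conn):
            return rule.name, rule.src_nat or conn.src, rule.dst_nat or conn.dst
    return None, conn.src, conn.dst


def _covers(outer: str, inner: str) -> bool:
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed_rules(policy: list) -> list:
    """Names of rules that can never match because one earlier rule covers every
    connection they would match. Simplified check: shadowing by a *combination*
    of earlier rules is not detected."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and earlier.service in ("any", later.service)
                    and earlier.used_on in ("any", later.used_on)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule table. "web-inbound-src" is a deliberate mistake: it tries
# to add source NAT to a connection that "web-inbound" already matched, which
# first-match processing never allows. The fix is to put src_nat into
# "web-inbound" itself (all NAT operations for a connection in one rule).
MANUAL = [
    NatRule("web-inbound", "0.0.0.0/0", "203.0.113.80/32", "tcp/443", "fw-edge",
            dst_nat="10.0.0.80"),
    NatRule("web-inbound-src", "0.0.0.0/0", "203.0.113.80/32", "tcp/443", "fw-edge",
            src_nat="10.0.0.1"),
    NatRule("web-outbound", "10.0.0.80/32", "0.0.0.0/0", "any", "fw-edge",
            src_nat="203.0.113.80"),          # specific rule placed above the general one
    NatRule("hide-lan", "10.0.0.0/24", "0.0.0.0/0", "any", "fw-edge",
            src_nat="203.0.113.10"),          # broad hide NAT for the whole LAN
]
GENERATED = [
    # Static NAT from a NAT definition on the mail server element; appended after
    # the manual rules, so "hide-lan" catches its traffic first.
    NatRule("gen-mail-static", "10.0.0.25/32", "0.0.0.0/0", "any", "fw-edge",
            src_nat="203.0.113.25", origin="generated"),
]
POLICY = effective_policy(MANUAL, GENERATED)

if __name__ == "__main__":
    for c in (Connection("10.0.0.80", "198.51.100.7", "tcp/80", "fw-edge"),
              Connection("10.0.0.25", "198.51.100.7", "tcp/25", "fw-edge"),
              Connection("198.51.100.7", "203.0.113.80", "tcp/443", "fw-edge")):
        print(c, "->", apply_nat(POLICY, c))
    print("shadowed rules:", shadowed_rules(POLICY))
```

Running it shows the mail server leaving as 203.0.113.10 (the hide-NAT address) instead of its intended static 203.0.113.25, and `shadowed_rules` reporting both `web-inbound-src` and `gen-mail-static`. Moving a specific manual rule for 10.0.0.25 above `hide-lan`, or folding the source translation into `web-inbound`, clears the respective warning.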