
Configuring a NAT Policy

This section describes how to configure a NAT policy.

Context

NAT works in either of the following modes:

  • Address pool mode: applies when intranet users share public addresses in an address pool. An address pool must be configured to limit the available IP address range.
  • Outbound interface address mode: also called easy IP. This mode applies when only the IP address of the WAN interface that connects the intranet to the Internet is available: intranet host addresses are mapped to the public IP address of the FW WAN interface. It is suitable when the FW WAN interface obtains its public IP address dynamically.

Procedure

  1. Choose Policy > NAT Policy > Source NAT > Source NAT.
  2. In Source NAT Policy List, click Add.

    If multiple NAT policies are created, they are matched top down: once traffic matches a policy, the remaining policies are ignored. Bidirectional and destination NAT policies have a higher matching priority than source NAT policies and are ranked in front of them. Within each group, bidirectional and destination NAT policies are ranked in their configuration sequence, and so are source NAT policies. A newly added policy, or a policy whose NAT action is modified, is ranked at the end of the NAT policies of its own type. You can adjust the matching sequence of NAT policies as required, but you cannot move a source NAT policy in front of a bidirectional or destination NAT policy.

  3. Set the following parameters.

    Table 1 NAT parameters

    Parameter

    Description

    Name

    Name of a source NAT policy.

    Description

    Description of the source NAT policy.

    Tag

    The tag identifies and categorizes the policy. You can query policies based on tags and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

    NAT Type

    NAT type:

    • NAT
    • NAT64
    • NAT66

    NAT Mode

    NAT mode:

    • Source address translation.
    • Destination address translation.
    • Source and destination address translation.
    • No translation.

    Destination Address Translation Mode

    You need to configure this item only when the NAT mode is Destination address translation or Source and destination address translation.

    • One-to-one mapping between the public and private addresses in translation: applies to a scenario where a public address is used to access a private address or multiple public addresses are used to access multiple private addresses.
    • One-to-one mapping between the public port and private address in translation: applies to a scenario where multiple ports of a public address are used to access multiple private addresses.
    • One-to-one mapping between the public and private ports in translation: applies to a scenario where multiple ports of a public address are used to access multiple ports of a private address.
    • One-to-one mapping between the public address and private port in translation: applies to a scenario where multiple public addresses are used to access multiple ports of a private address.
    • Randomly translated to an address in the destination translation address pool: applies to a scenario where the destination address is not fixed after NAT. That is, the destination address is randomly translated to an address in the destination translation address pool.

    Schedule

    Select the period for the security policy to take effect.

    • Add New Schedule:

      Click Add New Schedule. On the Add New Schedule page, set the period for the security policy to take effect.

      • Name: indicates the time range name.
      • Type: The value can be Periodic or One Time. Periodic indicates that the policy takes effect during a fixed time range every week. One Time indicates that the policy takes effect only within the specific time range.
      • Start Time: indicates the start time of the time range.
      • End Time: indicates the end time of the time range.
      • Weekly Validity Time: indicates the time range during which the policy takes effect every week. This item is required if Type is set to Periodic.
    • any: indicates that the policy takes effect in any time range.
    • worktime: indicates that the policy takes effect only within the worktime. You can modify the worktime in Object > Schedule > Schedule List or by clicking worktime in Source NAT Policy List.

    If a session is created for a service when a policy is valid, the device forwards subsequent packets of the service based on the session even if the policy expires. If the time range is also referenced by another policy, the FW will age the existing session, and therefore the service is interrupted.

    Original Data Packet

    Source Zone

    Name of a security zone to which intranet hosts belong.
    NOTE:

    If the matching conditions of the original data packet, including the source security zone, destination security zone/outbound interface, source address, and destination address, are all any, all traffic matches the policy, and NAT is implemented for all traffic. You are advised to configure a more accurate NAT policy.

    Destination Type

    Destination for traffic that is processed by NAT:

    • Destination Zone: performs NAT on traffic that travels from a source security zone to a destination security zone. If Destination Zone is used, select a security zone from the drop-down list.
    • Outbound Interface: performs NAT for traffic that travels from a source security zone to a WAN interface. If Outbound Interface is used, select an interface from the drop-down list.
    NOTE:

    Destination Zone and Outbound Interface both specify the scope of the traffic that requires NAT. Select whichever of the two fits the actual condition.

    Source Address

    Private IP addresses of intranet hosts. You can select or enter private IP addresses.

    If this parameter is specified, the FW only translates IP addresses for traffic with the specified source address.

    NOTE:

    To exclude an address or address group (source address or source addresses of traffic) from policy matching, select the address or address group from the available address area, select it in the selected address area and click Invert, and then click OK.

    Destination Address

    Address, address group, or domain group.

    • Enter or select the public IP address to be accessed by intranet hosts. After the configuration, the system performs NAT only on the traffic destined for this address.

    • Create or select the domain group to be accessed by intranet hosts. After the configuration, the system performs NAT only on the traffic accessing this domain group.

    NOTE:

    To exclude an address or address group (destination address or destination addresses) from policy matching, select the address or address group from the available address area, select it in the selected address area and click Invert, and then click OK.

    When an IP address corresponds to multiple domain names, an IP address can be used to search for a maximum of 16 domain names. If the domain name to be searched is not in the policy rule, the policy cannot be matched. You are advised to configure multiple domain names with the same IP address in the same policy rule.

    Service

    Name of a service or service group. The service or service group indicates the protocol type of the traffic. After you specify the service or service group, the FW translates the addresses only for traffic of the specified service or service group.

    NOTE:

    To exclude a service or service group (service or service group of traffic) from policy matching, select the service or service group from the available service area, select it in the selected service area and click Invert, and then click OK.

    Translated Data Packet-NAT

    Source Address Translated To

    You need to configure this item only when the NAT mode is Source address translation or Source and destination address translation.

    Address translation mode:

    • Address in the IP address pool: NAT translates private IP addresses into specified addresses in a NAT address pool.

    • Outbound interface: NAT translates private IP addresses into a specified WAN interface address.

      The FW searches for a matching route to locate the WAN interface.

    NOTE:

    Only address pool-based source NAT can be configured on a FW in switched mode (also called transparent mode).

    Source Translation Address Pool

    You need to configure this item only when the NAT mode is Source address translation or Source and destination address translation.

    Source NAT address pool name. You can perform either of the following operations:
    • Select a specified address pool.
    • Click Add Address Pool to configure an address pool.

    Destination Address Translation To

    You need to configure this item only when the NAT mode is Destination address translation or Source and destination address translation.

    Destination NAT address or address pool name. You can perform either of the following operations:

    • Select a specified address pool.
    • Click Add Address Pool to configure an address pool.

    Destination Port Translation Mode

    You need to configure this item only when the NAT mode is Destination address translation or Source and destination address translation.

    There are two translation modes:

    • No translation
    • Translation

    Destination Port Translated To

    You need to configure this item only when the NAT mode is Destination address translation or Source and destination address translation.

    Translated port number.

    Add Security Policy

    The link to [Add Security Policy] is provided on the web UI. You can click the link to access the Add Security Policy page and rapidly create a security policy based on the configured data flows to permit the traffic. In addition, the Add Security Policy page supports Switch Source and Destination and OK and Copy for configuring security policies for forward and return traffic. For details, see Configuring a Security Policy Using the Web UI.

    Translated Data Packet-NAT66

    Source Prefix Translation

    You need to configure this item only when the NAT66 mode is Source address translation or Source and destination address translation.

    Translation mode:

    • NPTV6

    • Static NAT66

    Source Prefix Translated To

    You need to configure this item only when the NAT66 mode is Source address translation or Source and destination address translation.

    Destination Prefix Translation

    You need to configure this item only when the NAT66 mode is Destination address translation or Source and destination address translation.

    Translation mode:

    • NPTV6

    • Static NAT66

    Destination Prefix Translated To

    You need to configure this item only when the NAT66 mode is Destination address translation or Source and destination address translation.

    Destination Port Translation Mode

    You need to configure this item only when the Static NAT66 mode is Destination address translation or Source and destination address translation.

    There are two translation modes:

    • No translation
    • Translation

    Destination Port Translated To

    You need to configure this item only when the Static NAT66 mode is Destination address translation or Source and destination address translation.

    Translated port number.

    Add Security Policy

    The link to [Add Security Policy] is provided on the web UI. You can click the link to access the Add Security Policy page and rapidly create a security policy based on the configured data flows to permit the traffic. In addition, the Add Security Policy page supports Switch Source and Destination and OK and Copy for configuring security policies for forward and return traffic. For details, see Configuring a Security Policy Using the Web UI.

  4. Click OK.
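The matching order described in step 2 and the all-any warning in the Source Zone note of Table 1, modelled as an added example (this is not Huawei code; the field names, and the single dst field standing for either destination zone or outbound interface, are assumptions):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"
# The four original-packet conditions named in the Table 1 note.
CONDITIONS = ("src_zone", "dst", "src_addr", "dst_addr")

@dataclass
class NatPolicy:
    name: str
    nat_mode: str       # "source", "destination" or "bidirectional"
    src_zone: str = ANY
    dst: str = ANY      # destination zone or outbound interface (one assumed field)
    src_addr: str = ANY
    dst_addr: str = ANY

    def matches(self, pkt: Dict[str, str]) -> bool:
        """A condition left at 'any' matches every packet value."""
        return all(getattr(self, k) in (ANY, pkt[k]) for k in CONDITIONS)

class NatPolicyList:
    def __init__(self) -> None:
        self.policies: List[NatPolicy] = []

    def add(self, p: NatPolicy) -> None:
        """Append, then stable-sort: destination/bidirectional policies stay ahead of
        source policies, each group keeps configuration order, so the new policy
        lands at the end of its own type."""
        self.policies.append(p)
        self.policies.sort(key=lambda q: q.nat_mode == "source")

    def change_mode(self, name: str, nat_mode: str) -> None:
        """A policy whose NAT action is modified is re-ranked at the end of its type."""
        p = next(q for q in self.policies if q.name == name)
        self.policies.remove(p)
        p.nat_mode = nat_mode
        self.add(p)

    def first_match(self, pkt: Dict[str, str]) -> Optional[str]:
        """Top-down evaluation: the first matching policy wins, the rest are ignored."""
        for p in self.policies:
            if p.matches(pkt):
                return p.name
        return None

    def overly_broad(self) -> List[str]:
        """Policies the note warns about: every matching condition is 'any'."""
        return [p.name for p in self.policies
                if all(getattr(p, k) == ANY for k in CONDITIONS)]
```

Running overly_broad() over an exported policy list is a quick audit for the "all any" case the note advises against; a policy it reports translates every flow that reaches it.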

Follow-up Procedure

Table 2 shows how to adjust a NAT policy.

Table 2 NAT policy adjustment

  • Add: adds a NAT policy.
  • Delete: deletes a NAT policy.
  • Copy: copies a NAT policy.
  • Move: moves a NAT policy.
  • Insert: inserts a NAT policy.
  • Reset All Statistics: resets the NAT policy matching count.
  • Enable: enables a NAT policy.
  • Disable: disables a NAT policy.
  • Generate Security Policies: generates security policies in batches based on NAT policies.

    By default, the name of a security policy generated in batches is the same as that of the corresponding NAT policy. The security policy name can be suffixed. For example, if the NAT policy name is abc and _NAT is input, the name of the generated security policy is abc_NAT. You can click the security policy in Security Policies to Be Generated to view its configuration. To modify the security policy, refer to Configuring a Security Policy Using the Web UI.

Copyright © Huawei Technologies Co., Ltd.