Static Destination NAT

Static destination NAT translates the destination IP address of the packet, and there is a fixed mapping between the pre-NAT and post-NAT addresses.

For security reasons, external networks (extranets) are generally not allowed to initiate access to the intranet. Occasionally, however, a way to permit access from the extranet is required, for example, when a company intends to provide resources to customers and to employees on business trips.

Figure 1 shows the mechanism of static destination NAT based on the NAT policy.

Figure 1 Mechanism of static destination NAT based on the NAT policy

As shown in Figure 1, when the host accesses the server, the FW performs as follows:

  1. Upon receiving a packet destined for 1.1.1.10 from an Internet user, the FW searches for a matching NAT policy and then performs destination address translation on the packet.
  2. The FW selects a private IP address to replace the destination IP address of the packet. You can choose to replace the destination port number with a new port number or keep it unchanged. In one-to-one mapping between public and private IP addresses, public IP addresses are mapped in sequence to the destination addresses in the address pool: the FW takes private IP addresses from the address pool in sequence to replace the destination IP addresses of packets.
  3. After the packet is permitted according to the security policy, the FW establishes a session table and sends the packet to the intranet server.
  4. Upon receiving the packet that the server sends in reply to the host, the FW searches the session table and matches the entry created in step 3. Accordingly, the FW changes the source IP address (192.168.1.2) of the server back to the destination address (1.1.1.10) of the original host packet and then forwards the packet to the host.
  5. When receiving subsequent packets sent from the host to the server, the FW directly translates their addresses according to session entries.

The NAT Server generates a server-map table whose entries store the mappings between pre-NAT and post-NAT addresses. Unlike the NAT Server, NAT policy-based static destination NAT does not generate a server-map table. However, as long as the pre-NAT destination address does not change, the post-NAT destination address does not change either, so there is still a fixed mapping between the pre-NAT and post-NAT destination addresses. The FW can determine whether to translate multiple addresses into the same destination address and whether to translate ports, to meet the requirements of different scenarios. For details about NAT server configuration examples, see Configuration NAT Server.
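The following Python model walks through the five steps above and the fixed-mapping point in this paragraph. It is an added example, not Huawei code or the FW's actual implementation: the policy class, the `Firewall` session tables, the security-policy callable and the sample addresses (203.0.113.5, 1.1.1.10, 192.168.1.2, and the 8080 to 80 port map) are all constructed for illustration. Note that the mapping is fixed by position in the two address lists, so no server-map table is needed, and that a packet denied by the security policy never creates a session, which is why an unsolicited packet from the intranet side finds no reverse entry and is dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of an IP packet (constructed for this example)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticDnatPolicy:
    """Fixed one-to-one, in-sequence mapping of public addresses to a private pool.

    The optional port map replaces the destination port; with no entry the port
    is kept unchanged, matching the two choices described in step 2.
    """

    def __init__(self, public_addrs, private_pool, port_map=None):
        if len(private_pool) < len(public_addrs):
            raise ValueError("address pool is smaller than the public address list")
        # public_addrs[i] always maps to private_pool[i]: the mapping is fixed by
        # position, so no server-map table is required.
        self.mapping = dict(zip(public_addrs, private_pool))
        self.port_map = port_map or {}

    def translate(self, pkt):
        """Return the post-NAT packet, or None when no policy matches (steps 1-2)."""
        if pkt.dst_ip not in self.mapping:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port,
                      self.mapping[pkt.dst_ip],
                      self.port_map.get(pkt.dst_port, pkt.dst_port))


class Firewall:
    def __init__(self, nat_policy, security_policy):
        self.nat_policy = nat_policy
        self.security_policy = security_policy  # callable(post_nat_packet) -> bool
        self.forward_sessions = {}  # pre-NAT 5-tuple -> post-NAT packet
        self.reverse_sessions = {}  # reply 5-tuple   -> original host packet

    @staticmethod
    def key(pkt):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Host -> server direction. Returns the packet sent to the intranet or None."""
        if self.key(pkt) in self.forward_sessions:
            # Step 5: subsequent packets are translated straight from the session.
            return self.forward_sessions[self.key(pkt)]
        post = self.nat_policy.translate(pkt)            # steps 1-2
        if post is None or not self.security_policy(post):
            return None                                   # step 3: denied, no session
        self.forward_sessions[self.key(pkt)] = post
        reply = Packet(pkt.proto, post.dst_ip, post.dst_port, post.src_ip, post.src_port)
        self.reverse_sessions[self.key(reply)] = pkt
        return post

    def outbound(self, pkt):
        """Server -> host direction (step 4). Returns the packet sent to the host or None."""
        original = self.reverse_sessions.get(self.key(pkt))
        if original is None:
            return None  # no session: unsolicited intranet-originated packet is dropped
        # Restore the public address and port the host originally used as destination.
        return Packet(pkt.proto, original.dst_ip, original.dst_port, pkt.dst_ip, pkt.dst_port)


def run_demo():
    """Walk one TCP flow from an Internet host through the FW and back."""
    policy = StaticDnatPolicy(["1.1.1.10", "1.1.1.11"],
                              ["192.168.1.2", "192.168.1.3"],
                              port_map={8080: 80})

    def allow_web_only(post_nat_pkt):  # hypothetical security policy
        return post_nat_pkt.dst_port == 80

    fw = Firewall(policy, allow_web_only)
    host_syn = Packet("tcp", "203.0.113.5", 40000, "1.1.1.10", 8080)  # constructed sample
    to_server = fw.inbound(host_syn)                                   # -> 192.168.1.2:80
    server_synack = Packet("tcp", "192.168.1.2", 80, "203.0.113.5", 40000)
    to_host = fw.outbound(server_synack)                               # src 1.1.1.10:8080
    second = fw.inbound(host_syn)                                      # hits the session
    telnet = fw.inbound(Packet("tcp", "203.0.113.5", 40001, "1.1.1.11", 23))   # denied
    unknown = fw.inbound(Packet("tcp", "203.0.113.5", 40002, "1.1.1.99", 80))  # no policy
    return to_server, to_host, second, telnet, unknown, len(fw.forward_sessions)


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the translated packet towards 192.168.1.2:80, the reply rewritten with source 1.1.1.10:8080, the session hit for the second packet, and `None` for both the denied Telnet attempt and the address with no matching policy; only one session exists at the end.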

Copyright © Huawei Technologies Co., Ltd.