darth_kittycat
New Member
January 22, 2021
Question

Effect of "set nat enable" in a firewall policy

  • January 22, 2021
  • 2 replies
  • 5904 views

Hi,


In a simple policy to allow packets from a host on one internal private network to a host on another internal private network, what is the effect of the directive "set nat enable" in the policy?


Thanks


M


    Markus
    New Member
    January 22, 2021

    Hello, and welcome to the Forums. Simply put: with NAT enabled, you see as source (on the destination, e.g. in some logs) the firewall interface IP. With NAT disabled, you see the "real" source IP.

    lobstercreed
    New Member
    January 22, 2021

    As Markus said, and I will add an educated opinion:

    You should never enable NAT on a policy unless it is a policy that controls outbound access to your Internet connection.  So LAN -> WAN yes, but LAN -> LAN no, LAN -> DMZ no, and WAN -> LAN absolutely not.


    There are corner case exceptions, but by the time you need them you should have a better understanding of NAT to know exactly when/why/how.  (Mainly for certain VPN scenarios between organizations.)

    darth_kittycat
    New Member
    January 22, 2021

    Thanks for the great answers. I suspected as much. Did some testing and yes...the packet arrives at the destination with the firewall egress interface IP as the source.


    Thanks again!


    M
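As an added example (not code from this thread or from the firewall vendor), the small audit below parses a constructed FortiOS-style `config firewall policy` block, reports which source IP the destination would see under each policy, and flags any policy that has `set nat enable` on a destination interface that is not the Internet connection, which is the rule the replies above describe. Assumptions: the question concerns FortiGate (the `set nat enable` syntax), and the interface names `wan1`/`wan2`, `internal1`, `internal2` and `dmz` are made up for the sample.

```python
import re

# Constructed FortiOS-style policy table, not taken from the thread (assumption:
# the question is about FortiGate, whose policy CLI uses "set nat enable").
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "internal2"
        set nat enable
    next
    edit 2
        set srcintf "internal1"
        set dstintf "wan1"
        set nat enable
    next
    edit 3
        set srcintf "internal1"
        set dstintf "dmz"
        set nat disable
    next
end
"""

# Assumption: these interface names carry the Internet connection.
WAN_INTERFACES = {"wan1", "wan2"}


def parse_policies(text):
    """Return {policy_id: {setting: value}} from a `config firewall policy` block."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.fullmatch(r"set (\S+) (.+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return policies


def source_seen_at_destination(policy, real_src, egress_ip):
    """Source IP the destination host and its logs see under this policy."""
    # NAT on: the firewall egress interface IP replaces the real client IP.
    return egress_ip if policy.get("nat") == "enable" else real_src


def nat_findings(policies):
    """IDs of policies with NAT enabled whose destination is not a WAN interface."""
    return sorted(pid for pid, p in policies.items()
                  if p.get("nat") == "enable" and p.get("dstintf") not in WAN_INTERFACES)
```

Running `nat_findings(parse_policies(SAMPLE_CONFIG))` on the sample reports policy 1 (LAN to LAN with NAT on), and `source_seen_at_destination` shows why that matters: the destination's logs would record the firewall's interface IP instead of the real client.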