Effect of "set nat enable" in a firewall policy
Hi,
In a simple policy to allow packets from a host on one internal private network to a host on another internal private network, what is the effect of the directive "set nat enable" in the policy?
Thanks
M
Hello, and welcome to the forums. Simply put: with NAT enabled, you see the firewall interface IP as the source (at the destination, e.g. in some logs). With NAT disabled, you see the "real" source IP.
________________________________________________________
--- NSE 4 ---
________________________________________________________
As Markus said, and I will add an educated opinion:
You should never enable NAT on a policy unless it is a policy that controls outbound access to your Internet connection. So LAN -> WAN yes, but LAN -> LAN no, LAN -> DMZ no, and WAN -> LAN absolutely not.
There are corner case exceptions, but by the time you need them you should have a better understanding of NAT to know exactly when/why/how. (Mainly for certain VPN scenarios between organizations.)
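To make the advice concrete, here is an added FortiOS configuration example (not posted by anyone in this thread): one LAN -> WAN policy with `set nat enable`, and one LAN -> DMZ policy with NAT left off. The interface names (`internal`, `wan1`, `dmz`) and the 10.x address objects are assumptions for illustration.

```fortios
# Added example, not from the thread. Interface names and subnets are assumed.
config firewall address
    edit "LAN_NET"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "DMZ_NET"
        set subnet 10.2.0.0 255.255.0.0
    next
end
config firewall policy
    # LAN -> WAN: the one common case where source NAT belongs. Traffic leaves
    # with the wan1 interface address as its source.
    edit 1
        set name "LAN_to_Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # LAN -> DMZ: no NAT, so DMZ hosts and their logs see the real 10.1.x.x
    # client address and can still filter or audit per source host.
    edit 2
        set name "LAN_to_DMZ"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN_NET"
        set dstaddr "DMZ_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

To confirm the behaviour on the box, capture on the egress side while a LAN host talks to a DMZ host, e.g. `diagnose sniffer packet dmz 'host 10.1.0.50' 4`: under policy 2 the source stays 10.1.0.50, whereas the same capture on `wan1` for policy 1 shows the wan1 interface address, which is exactly the difference described above.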
Thanks for the great answers. I suspected as much. Did some testing and yes, the packet arrives at the destination with the firewall egress interface IP as the source.
Thanks again!
M
