6.7.10.4. NAT and other policy objects

NAT in Application-level Gateway is an option to change source/destination IP address information in the server side of connections of the firewall, immediately before the connection is started. Since NAT decisions (if used) are made after all other IP address related configurations, such as router, proxy configuration, NAT can override these previous settings. NAT in Application-level Gateway can be used to shift IP address ranges, to set IP addresses and to customize these operations.

In a service definition there are potentially two different components that directly deal with IP address setting:

  • a router (compulsory),

  • and a NAT policy (or two) (optional).

In the address setting procedure the following processes are involved.

  1. Incoming connection is accepted and a new session is created.

  2. Destination address is set by the Router and using the Use client address as source option the source address of the server side connection is also set.

    Remember that the Router only gives a suggestion for the source/destination IP addresses as the proxy or the NAT can later override these suggestions.

  3. Router settings can be altered by the proxy if the Target address overrideable by the proxy option is set or InbandRouter is selected and the proxy has some protocol-based information.

  4. NAT is performed, depending on NAT types (SNAT/DNAT).

  5. Access control check is performed based on the final destination IP address decision. Check whether the service is allowed as an inbound service into the zone where the destination IP address belongs to.

  6. The connection to the server is established.

Note

When checking the inbound services of the zone, the IP address to which the firewall actually connects to is considered. In other words, the original destination address of the client may be overridden by the router, the proxy and DNAT as well. Zone access control uses only the final IP address, all interim addresses (set by the Router, Proxy, but not used as the final one) are ignored in the access control decision.

If a service uses an SNAT Policy, the Use client address as source is implicitly set as well so that SNAT uses the client IP address instead of the firewall IP address. That is, if the NAT policy does not include SNAT modification, the client's IP address is used even if the Use client address as source is unset in the router.

Tip

The versatility of NAT policies is especially useful in large-scale, enterprise deployments or where a lot of NAT is used.