6.7.5.1. Configuring NAT in Zorp

Before you start configuring NAT, decide whether you need it at all. If you need traffic redirection, for example to a Web server in your DMZ, routers may serve your needs. By default, Zorp uses its own IP address (bound to the corresponding adapter) as the source of all connections leaving it in any direction, unless the Use client address as source router option is set, in which case the original client IP address is used. Consequently, NAT may not be absolutely necessary.

Note

Configuring an SNAT Policy for a Service automatically enables the Use client address as source router function, so during SNAT the client's address is used, not the firewall's.

Unlike network configurations without firewalls, where NAT is a universal setting for all clients communicating with any protocol, Zorp can NAT different traffic differently, because NAT configurations are linked to services. For example, outgoing HTTP traffic can be SNATed to a single public IP address, while SQL traffic from the same network is not SNATed at all and FTP download traffic is SNATed to a separate NAT pool.
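The per-service behaviour described above, as an added stand-alone Python model; it is not Zorp policy code and does not use the Zorp API. The service names, the addresses (documentation ranges) and the host-bits-preserving pool mapping are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values, not taken from any real deployment.
FIREWALL_ADDR = ipaddress.ip_address("203.0.113.1")   # firewall's outbound interface
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # protected client network

@dataclass
class Service:
    name: str                            # hypothetical service name
    use_client_address: bool = False     # "Use client address as source" router option
    snat_pool: Optional[str] = None      # CIDR that this service's SNAT policy maps into

    def __post_init__(self):
        # Per the Note: an SNAT policy enables the router option automatically,
        # so translation starts from the client's address, not the firewall's.
        if self.snat_pool is not None:
            self.use_client_address = True

def map_into_pool(client, pool_cidr):
    """Assumed mapping rule: keep the client's host bits, wrapped to the pool size."""
    pool = ipaddress.ip_network(pool_cidr)
    return pool.network_address + (int(client) & int(pool.hostmask))

def source_seen_by_server(service, client):
    """Source address the destination server sees for this service."""
    client = ipaddress.ip_address(client)
    if service.snat_pool is not None:
        return map_into_pool(client, service.snat_pool)
    return client if service.use_client_address else FIREWALL_ADDR

SERVICES = [
    Service("http_out", snat_pool="198.51.100.10/32"),  # single public address
    Service("sql_out"),                                 # no SNAT, firewall's own address
    Service("ftp_out", snat_pool="198.51.100.64/28"),   # separate NAT pool
    Service("ssh_out", use_client_address=True),        # client address, no SNAT
]

def audit(client):
    """Map each service name to the source address used for the given client."""
    return {s.name: str(source_seen_by_server(s, client)) for s in SERVICES}

def leaking(client):
    """Services that expose an internal client address to the destination."""
    return [name for name, src in audit(client).items()
            if ipaddress.ip_address(src) in INTERNAL_NET]

if __name__ == "__main__":
    for name, src in audit("10.0.5.23").items():
        print(f"{name:10} -> {src}")
    print("exposes internal address:", leaking("10.0.5.23"))
```

Running the same audit over a real service list shows at a glance which services leave with the firewall's address, which are translated, and which carry internal addressing to the destination.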