Translation Properties for Manual NAT

Use the Translation options to define the source addresses and the mapped translated addresses. The following properties apply to manual NAT only. All are optional except as indicated.

Original Source (Always required.)

The network object or group that contains the addresses you are translating. The object or group can contain a host, range, or subnet. If you want to translate all original source traffic, you can specify Any in the rule.

Translated Source (Usually required.)

The mapped addresses, the ones to which you are translating. What you select here depends on the type of translation rule you are defining.

  • Dynamic NAT—The network object or group that contains the mapped addresses. This can be a network object or group, but it cannot include a subnet. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only. If a group contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.

  • Dynamic PAT—One of the following:

    • (Interface PAT.) To use the address of the destination interface, select Destination Interface IP. You must also select a specific destination interface object. To use the IPv6 address of the interface, you must also select the IPv6 option on Advanced. Do not configure a PAT pool.

    • To use a single address other than the destination interface address, select the host network object you created for this purpose. Do not configure a PAT pool.

    • To use a PAT pool, leave Translated Source empty. Select the PAT pool object on PAT Pool.

  • Static NAT—One of the following:

    • To use a set group of addresses, select Address and the network object or group that contains the mapped addresses. The object or group can contain hosts, ranges, or subnets. Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses.

    • (Static interface NAT with port translation.) To use the address of the destination interface, select Destination Interface IP. You must also select a specific destination interface object. To use the IPv6 address of the interface, you must also select the IPv6 option on the Advanced tab. This configures static interface NAT with port translation: the source address/port is translated to the interface's address and the same port number.

  • Identity NAT—The same object as the original source. Optionally, you can select a different object that has the exact same contents.

Original Destination

The network object or group that contains the addresses of the destinations. If you leave this blank, the source address translation applies regardless of destination. If you do specify the destination address, you can configure a static translation for that address or just use identity NAT for it.

You can select Source Interface IP to base the original destination on the source interface (which cannot be Any). If you select this option, you must also select a translated destination object. To implement a static interface NAT with port translation for the destination addresses, select this option and also select the appropriate port objects for the destination ports.

Translated Destination

The network object or group that contains the destination addresses used in the translated packet. If you selected an object for Original Destination, you can set up identity NAT (that is, no translation) by selecting the same object.

You can use a network object that specifies a fully-qualified domain name as the translated destination; for more information, see FQDN Destination Guidelines.

Original Source Port, Translated Source Port, Original Destination Port, Translated Destination Port

The port objects that define the source and destination services for the original and translated packets. You can translate the ports, or select the same object to make the rule sensitive to the service without translating the ports. Keep the following rules in mind when configuring services:

  • (Dynamic NAT or PAT.) You cannot translate the source port: the Original Source Port and Translated Source Port cannot differ. You can translate the destination port only.

  • NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports.
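The Translated Source and port constraints above can be checked before a rule is entered. The following is an added example, not vendor code: the rule dictionary, its key names, and the type names are assumptions made for illustration, ports are modeled as (protocol, number) tuples, and the addresses are constructed documentation ranges.

```python
import ipaddress

def classify(entry):
    """Return (kind, ip_version) for an address string: host, range, or subnet."""
    if "-" in entry:
        lo, _hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        return "range", lo.version
    if "/" in entry:
        return "subnet", ipaddress.ip_network(entry, strict=False).version
    return "host", ipaddress.ip_address(entry).version

def check_rule(rule):
    """Check a hypothetical rule dict against the constraints stated above."""
    errors = []
    kind = rule["type"]  # dynamic_nat | dynamic_pat | static | identity (assumed names)
    if not rule.get("original_source"):
        errors.append("Original Source is always required")
    mapped = [classify(e) for e in rule.get("translated_source", [])]
    if kind == "dynamic_nat":
        if any(k == "subnet" for k, _ in mapped):
            errors.append("dynamic NAT mapped group cannot include a subnet")
        if len({v for _, v in mapped}) > 1:
            errors.append("dynamic NAT mapped group cannot mix IPv4 and IPv6")
    if kind == "dynamic_pat" and rule.get("pat_pool") and mapped:
        errors.append("with a PAT pool, leave Translated Source empty")
    src_o, src_t = rule.get("original_source_port"), rule.get("translated_source_port")
    if kind in ("dynamic_nat", "dynamic_pat") and src_t and src_t != src_o:
        errors.append("dynamic NAT/PAT cannot translate the source port")
    for side in ("source", "destination"):
        real, new = rule.get(f"original_{side}_port"), rule.get(f"translated_{side}_port")
        if real and new and (real[0] != new[0] or real[0] not in ("tcp", "udp")):
            errors.append(f"{side} port objects must both be TCP or both be UDP")
    return errors

def split_dynamic_group(entries):
    """Ranges are used for dynamic NAT first; host addresses become the PAT fallback."""
    kinds = [(e, classify(e)[0]) for e in entries]
    return {"dynamic_nat": [e for e, k in kinds if k == "range"],
            "pat_fallback": [e for e, k in kinds if k == "host"]}

# Constructed sample rule, deliberately invalid in four ways.
SAMPLE = {"type": "dynamic_nat", "original_source": ["10.1.1.0/24"],
          "translated_source": ["192.0.2.10-192.0.2.20", "192.0.2.30",
                                "2001:db8::1", "198.51.100.0/28"],
          "original_source_port": ("tcp", 1024), "translated_source_port": ("tcp", 2048),
          "original_destination_port": ("tcp", 80),
          "translated_destination_port": ("udp", 8080)}

if __name__ == "__main__":
    for problem in check_rule(SAMPLE):
        print("invalid:", problem)
    print(split_dynamic_group(["192.0.2.10-192.0.2.20", "192.0.2.30"]))
```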