NAT Environments

Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for Cloud-Delivered Firewall Management Center communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router.

Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the Cloud-Delivered Firewall Management Center specifies the device IP address when you add a device, and the device specifies the Cloud-Delivered Firewall Management Center IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The Cloud-Delivered Firewall Management Center and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.

For example, you add a device to the Cloud-Delivered Firewall Management Center, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the Cloud-Delivered Firewall Management Center; leave the IP address blank. On the device, you specify the Cloud-Delivered Firewall Management Center IP address, the same NAT ID, and the same registration key. The device registers to the Cloud-Delivered Firewall Management Center's IP address. At this point, the Cloud-Delivered Firewall Management Center uses the NAT ID instead of IP address to authenticate the device.

Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the Cloud-Delivered Firewall Management Center. On the Cloud-Delivered Firewall Management Center, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the Cloud-Delivered Firewall Management Center IP address and the NAT ID. Note: The NAT ID must be unique per device.

The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID per device on both the Cloud-Delivered Firewall Management Center and the devices, and specify the Cloud-Delivered Firewall Management Center IP address on the devices.

NAT ID for Managed Devices Behind PAT

The following example shows the Cloud-Delivered Firewall Management Center behind a PAT IP address. In this case, specify a unique NAT ID per device on both the Cloud-Delivered Firewall Management Center and the devices, and specify the device IP addresses on the Cloud-Delivered Firewall Management Center.

NAT ID for Cloud-Delivered Firewall Management Center Behind PAT
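The lookup rule behind the three scenarios above (find the pending entry by IP address when the management center knows it, by NAT ID when the IP is left blank, then authenticate with the registration key) can be modelled in a few lines. The following is an added example, not Cisco code and not the real registration protocol: the class and function names, the hex NAT ID format, the uniqueness check at configuration time, and the constructed RFC 5737 addresses are all assumptions made for illustration.

```python
"""Model of the pending-registration lookup for NAT environments.

Added example, not Cisco code and not the actual protocol. It only models the
rule that a pending device entry is found by IP address when the management
center knows it, and by NAT ID when it does not, and that the registration key
is what finally authenticates the peer. Names, the ID format and the
addresses are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingDevice:
    reg_key: str
    nat_id: Optional[str] = None      # required when device_ip is unknown
    device_ip: Optional[str] = None   # left blank when the device is behind PAT


def new_nat_id() -> str:
    """Unique, unguessable NAT ID (assumption: hex is an acceptable format)."""
    return secrets.token_hex(8)


class ManagementCenter:
    """Management-center side of initial registration (model only)."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingDevice] = {}   # display name -> entry
        self.registered: Dict[str, str] = {}          # display name -> source IP

    def add_device(self, name: str, reg_key: str,
                   device_ip: Optional[str] = None,
                   nat_id: Optional[str] = None) -> None:
        if device_ip is None and nat_id is None:
            raise ValueError("need at least a device IP or a NAT ID")
        # The NAT ID is the lookup key when the IP is blank, so it must be
        # unique per device; reject reuse when the entry is configured.
        if nat_id is not None and any(p.nat_id == nat_id for p in self.pending.values()):
            raise ValueError(f"NAT ID {nat_id} is already assigned to another device")
        self.pending[name] = PendingDevice(reg_key, nat_id, device_ip)

    def _find(self, source_ip: str, nat_id: Optional[str]) -> Optional[str]:
        for name, p in self.pending.items():
            if p.device_ip is not None:
                if p.device_ip == source_ip:          # IP known: match on it
                    return name
            elif nat_id is not None and p.nat_id == nat_id:   # IP blank: NAT ID
                return name
        return None

    def handle_registration(self, source_ip: str, reg_key: str,
                            nat_id: Optional[str] = None) -> Optional[str]:
        """Return the device name on success, None on rejection."""
        name = self._find(source_ip, nat_id)
        if name is None:
            return None
        p = self.pending[name]
        # If a NAT ID was configured, the peer must present the same one,
        # even when the entry was found by IP address.
        if p.nat_id is not None and nat_id != p.nat_id:
            return None
        if not hmac.compare_digest(p.reg_key.encode(), reg_key.encode()):
            return None   # wrong registration key: do not trust this peer
        del self.pending[name]          # one-time use of the pending entry
        self.registered[name] = source_ip
        return name


def demo_devices_behind_pat() -> Dict[str, Optional[str]]:
    """Constructed scenario: three devices behind one PAT address."""
    fmc = ManagementCenter()
    pat_ip = "203.0.113.10"   # every device appears to come from this address
    creds = {n: (secrets.token_urlsafe(16), new_nat_id())
             for n in ("ftd-a", "ftd-b", "ftd-c")}
    for name, (key, nid) in creds.items():
        fmc.add_device(name, key, device_ip=None, nat_id=nid)   # IP left blank
    results: Dict[str, Optional[str]] = {}
    for name, (key, nid) in creds.items():
        results[name] = fmc.handle_registration(pat_ip, key, nid)
    # Same PAT address, a previously valid key, but an unknown NAT ID: rejected.
    results["stray"] = fmc.handle_registration(pat_ip, creds["ftd-a"][0], new_nat_id())
    return results


if __name__ == "__main__":
    print(demo_devices_behind_pat())
```

The point to take from the model is that, once the IP address is blank, the NAT ID is the only thing that selects which pending entry a connection is checked against, so it has to be unique per device and should be as hard to guess as the registration key; the key is then compared in constant time and the pending entry is consumed on success.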