Configure Identity Auto NAT

Use static identity auto NAT rules to prevent the translation of an address, that is, to translate the address to itself.

Before you begin

Select Objects > Object Management and create the network objects or groups needed in the rule. Alternatively, you can create the objects while defining the NAT rule. The objects must meet the following requirements:

  • Original Source—This must be a network object (not a group), and it can be a host, range, or subnet.

  • Translated Source—A network object or group with the exact same contents as the original source object. You can use the same object.

Procedure


Step 1

Select Devices > NAT and create or edit the threat defense NAT policy.

Step 2

Do one of the following:

  • Click the Add Rule button to create a new rule.
  • Click Edit (edit icon) to edit an existing rule.

The right-click menu also has options to cut, copy, paste, insert, and delete rules.

Step 3

Configure the basic rule options:

  • NAT Rule—Select Auto NAT Rule.
  • Type—Select Static.

Step 4

On Interface Objects, configure the following options:

  • Source Interface Objects, Destination Interface Objects—(Required for bridge group member interfaces.) The interface objects (security zones or interface groups) that identify the interfaces where this NAT rule applies. Source is the object containing the real interface, the one through which the traffic enters the device. Destination is the object containing the mapped interface, the one through which traffic exits the device. By default, the rule applies to all interfaces (Any) except for bridge group member interfaces.

Step 5

On Translation, configure the following options:

  • Original Source—The network object that contains the addresses you are translating.
  • Translated Source—The same object as the original source. Optionally, you can select a different object that has the exact same contents.

Do not configure the Original Port and Translated Port options for identity NAT.

Step 6

(Optional.) On Advanced, select the desired options:

  • Translate DNS replies that match this rule—Do not configure this option for identity NAT.
  • IPv6—Do not configure this option for identity NAT.
  • Net to Net Mapping—Do not configure this option for identity NAT.
  • Do not proxy ARP on Destination Interface—Disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you need to be sure to have proper routes on the upstream router. Normally for identity NAT, proxy ARP is not required, and in some cases it can cause connectivity issues.
  • Perform Route Lookup for Destination Interface—If you specify source and destination interfaces and use the same object for the original and translated source address, you can select this option to have the system determine the destination interface based on the routing table rather than using the destination interface configured in the NAT rule.

Step 7

Click Save to add the rule.

Step 8

Click Save on the NAT page to save your changes.
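The following is an added example, not part of this documentation page: the threat defense running configuration that a rule built with Steps 3 through 6 is assumed to produce, on the assumption that threat defense renders auto NAT in the same object NAT syntax as the ASA. The object name, subnet, and interface names are constructed.

```text
! Constructed example of the deployed identity auto NAT rule (assumed to mirror
! ASA object NAT syntax). Object name, subnet, and interface names are made up.
object network inside-servers
 subnet 10.1.1.0 255.255.255.0
 ! Step 5: the mapped object is the original object itself, so 10.1.1.0/24
 ! is translated to 10.1.1.0/24. No port keywords, per the identity NAT rule.
 ! no-proxy-arp  = Step 6 "Do not proxy ARP on Destination Interface"
 ! route-lookup  = Step 6 "Perform Route Lookup for Destination Interface"
 !                 (valid here because both interfaces are specified)
 nat (inside,outside) static inside-servers no-proxy-arp route-lookup
!
! Checks after deployment, from the threat defense CLI:
!   show running-config nat   - the nat line appears under the object
!   show nat                  - the rule is listed under Auto NAT (Section 2)
!   packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.10 443
!                             - the NAT phase should leave 10.1.1.10 unchanged
```

If the rule instead appears under the manual NAT sections, the rule type was set to Manual NAT rather than Auto NAT in Step 3.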