Configure Static Auto NAT

Step 1

Select Devices > NAT and create or edit the threat defense NAT policy.

Step 2

Do one of the following:

• Click the Add Rule button to create a new rule.
• Click Edit () to edit an existing rule.

Step 3

Configure the basic rule options:

• NAT Rule—Select Auto NAT Rule.
• Type—Select Static.

Step 4

On Interface Objects, configure the following options:

• Source Interface Objects, Destination Interface Objects—(Required for bridge group member interfaces.) The interface objects (security zones or interface groups) that identify the interfaces where this NAT rule applies. Source is the object containing the real interface, the one through which the traffic enters the device. Destination is the object containing the mapped interface, the one through which traffic exits the device. By default, the rule applies to all interfaces (Any) except for bridge group member interfaces.

Step 5

On Translation, configure the following options:

• Original Source—The network object that contains the addresses you are translating.
• Translated Source—One of the following:

  • To use a set group of addresses, select Address and the network object or group that contains the mapped addresses. Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses.

  • (Static interface NAT with port translation.) To use the address of the destination interface, select Destination Interface IP. You must also select a specific destination interface object. To use the IPv6 address of the interface, you must also select the IPv6 option on Advanced. This configures static interface NAT with port translation: the source address/port is translated to the interface's address and the same port number.

• (Optional.) Original Port, Translated Port—If you need to translate a TCP or UDP port, select the protocol in Original Port, and type the original and translated port numbers. For example, you can translate TCP/80 to 8080 if necessary.

Step 6

(Optional.) On Advanced, select the desired options:

• Translate DNS replies that match this rule—Whether to translate the IP address in DNS replies. For DNS replies traversing from a mapped interface to a real interface, the Address (the IPv4 A or IPv6 AAAA) record is rewritten from the mapped value to the real value. Conversely, for DNS replies traversing from a real interface to a mapped interface, the record is rewritten from the real value to the mapped value. This option is used in specific circumstances, and is sometimes needed for NAT64/46 translation, where the rewrite also converts between A and AAAA records. For more information, see Rewriting DNS Queries and Responses Using NAT. This option is not available if you are doing port translation.
• IPv6—Whether to use the IPv6 address of the destination interface for interface PAT.
• Net to Net Mapping—For NAT 46, select this option to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this option.
• Do not proxy ARP on Destination Interface—Disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you need to be sure to have proper routes on the upstream router. Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity issues.

Step 7

Click Save to add the rule.

Step 8

Click Save on the NAT page to save your changes.