Different Translation Depending on the Destination (Dynamic Manual PAT)

The following figure shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.

Manual NAT with Different Destination Addresses

Before you begin

Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the device that protects the servers. In this example, we will assume the interface objects are security zones named inside and dmz. To configure interface objects, select Objects > Object Management, then select Interface.

Procedure

Step 1

Create a network object for the inside network.

  1. Choose Objects > Object Management.

  2. Select Network from the table of contents and click Add Network > Add Object.

  3. Name the network object (for example, myInsideNetwork), and enter the real network address, 10.1.2.0/24.

  4. Click Save.

Step 2

Create a network object for DMZ network 1.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, DMZnetwork1) and enter the network address 209.165.201.0/27 (subnet mask of 255.255.255.224).

  3. Click Save.

Step 3

Create a network object for the PAT address for DMZ network 1.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, PATaddress1) and enter the host address 209.165.202.129.

  3. Click Save.

Step 4

Create a network object for DMZ network 2.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, DMZnetwork2) and enter the network address 209.165.200.224/27 (subnet mask of 255.255.255.224).

  3. Click Save.

Step 5

Create a network object for the PAT address for DMZ network 2.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, PATaddress2) and enter the host address 209.165.202.130.

  3. Click Save.

Step 6

Configure dynamic manual PAT for DMZ network 1.

  1. Select Devices > NAT and create or edit the threat defense NAT policy.

  2. Click Add Rule.

  3. Configure the following properties:

    • NAT Rule = Manual NAT Rule.

    • Type = Dynamic.

  4. On Interface Objects, configure the following:

    • Source Interface Objects = inside.

    • Destination Interface Objects = dmz.

  5. On Translation, configure the following:

    • Original Source = myInsideNetwork network object.

    • Translated Source > Address = PATaddress1 network object.

    • Original Destination > Address = DMZnetwork1 network object.

    • Translated Destination = DMZnetwork1 network object.

      Note

      Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the original and translated destination addresses. Leave all of the port fields blank.

  6. Click Save.

Step 7

Configure dynamic manual PAT for DMZ network 2.

  1. Click Add Rule.

  2. Configure the following properties:

    • NAT Rule = Manual NAT Rule.

    • Type = Dynamic.

  3. On Interface Objects, configure the following:

    • Source Interface Objects = inside.

    • Destination Interface Objects = dmz.

  4. On Translation, configure the following:

    • Original Source = myInsideNetwork network object.

    • Translated Source > Address = PATaddress2 network object.

    • Original Destination > Address = DMZnetwork2 network object.

    • Translated Destination = DMZnetwork2 network object.

  5. Click Save.

Step 8

Click Save on the NAT rule page.
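To check that the two rules select the right PAT address purely on the original destination, here is a small simulation of the first-match lookup that manual NAT performs, using the objects and zone names from Steps 1 through 7. This is an added example, not Cisco code or anything the device exports; the rule order, the sample host 10.1.2.27, and the third "no rule" destination are assumptions made for the test.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

NET = ipaddress.IPv4Network
ADDR = ipaddress.IPv4Address


@dataclass(frozen=True)
class ManualNatRule:
    """One dynamic manual PAT rule as entered in Steps 6 and 7."""
    name: str
    src_zone: str
    dst_zone: str
    original_source: ipaddress.IPv4Network        # myInsideNetwork
    translated_source: ipaddress.IPv4Address      # PATaddressN (PAT pool of one host)
    original_destination: ipaddress.IPv4Network   # DMZnetworkN
    translated_destination: ipaddress.IPv4Network # same object: identity NAT


# Rule list built from the page's objects, in the order Steps 6 and 7 add them
# (constructed for this example; manual NAT is evaluated top down, first match wins).
RULES = [
    ManualNatRule("dmz1", "inside", "dmz", NET("10.1.2.0/24"), ADDR("209.165.202.129"),
                  NET("209.165.201.0/27"), NET("209.165.201.0/27")),
    ManualNatRule("dmz2", "inside", "dmz", NET("10.1.2.0/24"), ADDR("209.165.202.130"),
                  NET("209.165.200.224/27"), NET("209.165.200.224/27")),
]


def translate(src_zone: str, dst_zone: str, src_ip: str, dst_ip: str,
              rules=RULES) -> Optional[Tuple[str, str, str]]:
    """Return (rule name, translated source, translated destination) for the first
    rule that matches the zones, source and destination, or None if no rule applies."""
    src, dst = ADDR(src_ip), ADDR(dst_ip)
    for r in rules:
        if (src_zone, dst_zone) != (r.src_zone, r.dst_zone):
            continue
        if src not in r.original_source or dst not in r.original_destination:
            continue
        # Static destination NAT maps host N of the original network to host N of the
        # translated network; because both objects are the same network (identity NAT),
        # the destination comes back unchanged, which is what the Note in Step 6 wants.
        offset = int(dst) - int(r.original_destination.network_address)
        new_dst = r.translated_destination[offset]
        return r.name, str(r.translated_source), str(new_dst)
    return None
```

The port in the translated source is chosen by the PAT engine at connection time, so only the address is modelled here.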