Different Translation Depending on the Destination Address and Port (Dynamic Manual PAT)

The following figure shows a translation that depends on the destination port. The host on the 10.1.2.0/24 network accesses a single server for both web and Telnet services. When the host accesses the server for Telnet, its real address is translated to 209.165.202.129:port. When the same host accesses the same server for web services, its real address is translated to 209.165.202.130:port. In both cases the destination address and port are left unchanged.

Figure: Manual NAT with Different Destination Ports

Before you begin

Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the device that protects the servers. In this example, we will assume the interface objects are security zones named inside and dmz. To configure interface objects, select Objects > Object Management, then select Interface.

Procedure


Step 1

Create a network object for the inside network.

  1. Choose Objects > Object Management.

  2. Select Network from the table of contents and click Add Network > Add Object.

  3. Name the network object (for example, myInsideNetwork) and enter the real network address, 10.1.2.0/24.

  4. Click Save.

Step 2

Create a network object for the Telnet/Web server.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, TelnetWebServer) and enter the host address 209.165.201.11.

  3. Click Save.

Step 3

Create a network object for the PAT address when using Telnet.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, PATaddress1) and enter the host address 209.165.202.129.

  3. Click Save.

Step 4

Create a network object for the PAT address when using HTTP.

  1. Click Add Network > Add Object.

  2. Name the network object (for example, PATaddress2) and enter the host address 209.165.202.130.

  3. Click Save.

Step 5

Configure dynamic manual PAT for Telnet access.

  1. Select Devices > NAT and create or edit the threat defense NAT policy.

  2. Click Add Rule.

  3. Configure the following properties:

    • NAT Rule = Manual NAT Rule.

    • Type = Dynamic.

  4. On Interface Objects, configure the following:

    • Source Interface Objects = inside.

    • Destination Interface Objects = dmz.

  5. On Translation, configure the following:

    • Original Source = myInsideNetwork network object.

    • Translated Source > Address = PATaddress1 network object.

    • Original Destination > Address = TelnetWebServer network object.

    • Translated Destination = TelnetWebServer network object.

    • Original Destination Port = TELNET port object (system-defined).

    • Translated Destination Port = TELNET port object (system-defined).

      Note

      Because the destination address and port must not be translated, you configure identity NAT for them: specify the same network object for the original and translated destination addresses, and the same port object for the original and translated destination ports. The destination address and port are then used only to match the rule and pass through unchanged.

  6. Click Save.

Step 6

Configure dynamic manual PAT for web access.

  1. Click Add Rule.

  2. Configure the following properties:

    • NAT Rule = Manual NAT Rule.

    • Type = Dynamic.

  3. On Interface Objects, configure the following:

    • Source Interface Objects = inside.

    • Destination Interface Objects = dmz.

  4. On Translation, configure the following:

    • Original Source = myInsideNetwork network object.

    • Translated Source > Address = PATaddress2 network object.

    • Original Destination > Address = TelnetWebServer network object.

    • Translated Destination = TelnetWebServer network object.

    • Original Destination Port = HTTP port object (system-defined).

    • Translated Destination Port = HTTP port object (system-defined).

  5. Click Save.

Step 7

Click Save on the NAT rule page.
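The configuration that Steps 1 through 7 produce, written in the ASA-style syntax that the threat defense device runs, is shown below as an added example; it is not text from the original procedure and is not a verbatim copy of what the management center generates. It assumes that the interfaces in the inside and dmz security zones are named inside and dmz on the device, that the system-defined TELNET and HTTP port objects deploy as service objects (the names TELNET and HTTP are illustrative), and it uses a constructed source host, 10.1.2.27, in the verification commands. Use it to confirm on the device CLI that both rules deployed as intended.

```text
! Network objects from Steps 1-4 (names as chosen in the procedure)
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network TelnetWebServer
 host 209.165.201.11
object network PATaddress1
 host 209.165.202.129
object network PATaddress2
 host 209.165.202.130
!
! Service objects for the destination port of each rule
! (illustrative names; the deployed names are generated by the management center)
object service TELNET
 service tcp destination eq telnet
object service HTTP
 service tcp destination eq http
!
! Step 5: manual NAT, dynamic source PAT to 209.165.202.129 when the destination is
! the server on TCP/23. "destination static TelnetWebServer TelnetWebServer" and
! "service TELNET TELNET" are identity translations: the destination address and port
! are matched but left unchanged.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TELNET TELNET
!
! Step 6: same source, but PAT to 209.165.202.130 when the destination is the server on TCP/80.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTP HTTP
!
! Verification from the threat defense CLI after deployment
! (10.1.2.27 and the source port 40000 are constructed values for the test):
!   show running-config nat   -> both rules appear in Section 1 (manual NAT), in this order
!   show nat detail           -> per-rule translate_hits / untranslate_hits counters
!   packet-tracer input inside tcp 10.1.2.27 40000 209.165.201.11 23
!                             -> the NAT phase should show PATaddress1 (209.165.202.129) as the mapped source
!   packet-tracer input inside tcp 10.1.2.27 40000 209.165.201.11 80
!                             -> the NAT phase should show PATaddress2 (209.165.202.130) as the mapped source
```

Both rules sit in Section 1 and are evaluated top down, first match. Because each rule matches a different destination port, they never overlap, so their relative order does not matter here. A connection from 10.1.2.0/24 to 209.165.201.11 on any other port (SSH on TCP/22, for example) matches neither rule and falls through to any auto NAT or after-auto rules that exist, or leaves the device untranslated if none matches. If an object is later edited so that one rule stops matching, translate_hits counters in show nat detail that stay at zero while traffic is flowing are the quickest indication.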