One-to-One NAT Overview
Overview
One-to-One Network Address Translation (NAT) is a newly available feature on the InstaGate product line. One-to-One NAT, also called Source NAT or SNAT on the InstaGate, modifies the source IP address of a packet to the IP specified in the web interface. This gives customers the ability to "map" outgoing Internet traffic to a specific WAN IP. When mapping traffic in this manner, customers have the option to limit what types of traffic are affected by the SNAT rules based on IPs and ports.
Configuration
SNAT can be configured by going to Firewall -> Firewall Policies in the web interface. On this page select Add, and under Action select Source NAT (SNAT) from the drop-down menu. You will now see the configuration options for SNAT, which are divided into four sections. Private Source specifies where the traffic originates, and Public Source specifies the IP address the Private Source traffic will appear to come from. The Destination and Services settings allow you to limit which destination addresses and ports/protocols are affected by this SNAT rule.
Example
Below is an example of how someone would configure SNAT to send SMTP traffic out from an internal mail server through a secondary WAN IP address. By default the InstaGate will always forward SMTP traffic out through the primary WAN interface.
Policy Information
Name - allows you to name the policy (eSoft recommends using a naming scheme that allows the administrator to easily identify the purpose of a policy)
Action - Source NAT (SNAT)
Private Source
Match - This setting allows you to specify whether packets matching the source IP address will be included or excluded in the firewall policy. In this example you would select "Include".
Address of Network - Use Object to select from a list of pre-defined values or Network to manually enter the address and subnet mask of the source host or network. In this example you would select the "Network" radio button, enter the IP address of the internal email server, and select a subnet mask of 255.255.255.255.
Public Source
Address - Use Object to select from a list of pre-defined values or IP Address to manually enter the address from which the traffic will appear to originate. In this example, you are utilizing a pre-configured secondary WAN IP, so you would select "WANIP1" from the drop-down list.
Destination
Match - This setting allows you to specify whether packets matching the destination IP address will be included or excluded in the firewall policy. In this example you would select "Include".
Address of Network - Use Object to select from a list of pre-defined values or Network to manually enter the address and subnet mask of the destination host or network. In this example you would select the "Object" radio button and "ANY" from the drop down list.
Services
Since we are only concerned with SMTP traffic, you would click the "Selected" radio button and check the box for "SMTP".
Once all of the settings are entered and Apply is clicked, the InstaGate will write the policy and it will become active.
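The scope of the example policy above can be checked with a small model of the rule matching, which shows which packets leave from the secondary WAN IP and which still use the primary one. This is an added example, not eSoft's code or the InstaGate's implementation; the IP addresses, the policy name, the Include/Exclude semantics as modeled and the first-match evaluation order are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation address ranges); not from the original page.
PRIMARY_WAN = "203.0.113.2"       # assumed primary WAN IP
WANIP1 = "203.0.113.25"           # assumed address behind the "WANIP1" object
MAIL_SERVER = "192.168.1.10"      # assumed internal mail server
SERVICES = {"SMTP": ("tcp", 25)}  # SMTP is TCP port 25

@dataclass
class SnatPolicy:
    name: str
    src_match: str      # Private Source Match: "Include" or "Exclude"
    src_net: str        # address/mask of the source host or network
    public_source: str  # IP the traffic will appear to come from
    dst_match: str      # Destination Match: "Include" or "Exclude"
    dst_net: str        # "0.0.0.0/0" models the ANY object
    services: tuple     # names of the selected services

    def _side(self, match, net, addr):
        # Include: address must be inside the network; Exclude: outside it.
        inside = ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return inside if match == "Include" else not inside

    def applies(self, src, dst, proto, dport):
        return (self._side(self.src_match, self.src_net, src)
                and self._side(self.dst_match, self.dst_net, dst)
                and (proto, dport) in {SERVICES[s] for s in self.services})

def egress_source(policies, src, dst, proto, dport):
    """Return the source IP the packet carries on the WAN side."""
    for p in policies:  # assumption: first matching policy wins
        if p.applies(src, dst, proto, dport):
            return p.public_source
    return PRIMARY_WAN  # no SNAT policy matched: primary WAN address

# The policy from the example: mail server, host mask, WANIP1, ANY, SMTP.
SMTP_OUT = SnatPolicy("SNAT-mail-smtp-out", "Include",
                      MAIL_SERVER + "/255.255.255.255", WANIP1,
                      "Include", "0.0.0.0/0", ("SMTP",))

if __name__ == "__main__":
    for pkt in [(MAIL_SERVER, "198.51.100.7", "tcp", 25),      # mail server SMTP
                (MAIL_SERVER, "198.51.100.7", "tcp", 443),     # mail server HTTPS
                ("192.168.1.50", "198.51.100.7", "tcp", 25)]:  # other host SMTP
        print(pkt, "->", egress_source([SMTP_OUT], *pkt))
```

Only the first constructed packet is rewritten to the WANIP1 address; the mail server's non-SMTP traffic and SMTP from any other internal host keep the primary WAN address.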



