NAT (Network Address Translation) is a protocol for translating the IP addresses
carried in an IP packet header. When IP packets pass through a security appliance
or router, the appliance or router translates the source IP address and/or the
destination IP address in the packets. In practice, NAT is mostly used to allow a
private network to access the public network, or vice versa.
NAT has the following advantages:
• Helps to solve the problem of IP address exhaustion by using a small number of
public IP addresses to represent a large number of private IP addresses.
• Hides the private network from external networks, thereby protecting the
private network.

Typically private networks use private IP addresses. RFC1918 defines three
private IP address ranges as follows:
• Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
• Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
• Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
IP addresses in the above three ranges are never allocated on the Internet.

You can use those IP addresses in an enterprise network freely without
requesting them from an ISP or registration center. There are two types of NAT
rules: source NAT rules and destination NAT rules. They hide the internal IP
addresses or share the limited public IP addresses.

Normally, SNAT is applied from LAN to WAN (Intranet to Internet):
• It changes the source IP address of the packet
• It allows multiple PCs to access the Internet at the same time
• It hides the real IP addresses of the LAN PCs

Firstly, let’s see how the source NAT process works:


Ø Take this picture as an example: the Hillstone security appliance is placed between the private
network and the public network. The subnet of the private network is 192.168.1.0, which belongs to
the private IP address ranges, and the public network is connected to the ISP. PC 192.168.1.2 wants
to visit the Internet server 9.6.7.3, so the security appliance receives the IP packet sent by PC
192.168.1.2 with source IP address 192.168.1.2 and destination IP address 9.6.7.3. The source IP
192.168.1.2 needs to be translated to the egress public IP address 2.2.2.2; when server 9.6.7.3
receives the packet, the return packet is sent back based on the ISP route. (Static mode)
Ø Ports of the egress IP address are used to distinguish the different connections when the private
network has more PCs inside. This is the dynamic port mode. Besides that, there is also the dynamic IP mode.
Ø What is the difference between these modes?
• Static mode means one-to-one translation. This mode requires that the translated address entry
(trans-to-address) contains the same number of IP addresses as the source address entry (src-address).
• Dynamic IP mode means multiple-to-multiple translation. This mode translates each source
address to a specific IP address: each source address is mapped to a unique IP address, until
all specified addresses are occupied.
• Dynamic port mode: multiple source addresses are translated to one specified IP address in an
address entry. This mode is used when public IP addresses are limited when accessing the
Internet. If Sticky is not enabled, the first address in the address entry is used first; when the
port resources of the first address are exhausted, the second address is used. If Sticky is
enabled, all sessions from a source IP address are mapped to the same fixed IP address.
As shown in this screenshot:
• Source address: the private network IP address of the Intranet.
• Destination address: the address we want to access. When we access the Internet, we want to
reach all public IP addresses, so the destination address is selected as Any.
• Egress interface: the interface where packets are finally forwarded; normally we select the
interface connected to the ISP/Internet.
After finishing these filtering conditions, we configure the translation action. You can translate
the source address to the egress IP address or to a specified IP address. No NAT is also available
if we do not want to translate the address.
Translated to:
1. Egress IF IP: translated to the public IP of the device's egress interface.
2. Specified IP: when you have multiple public IP addresses, such as 202.106.0.2 and 202.106.0.3, and
both are used on the Internet, you can specify the address entry. But do not use the subnet address
202.106.0.0/24, because the subnet also contains the gateway address.

There are 3 translation modes that can be selected: Static mode, Dynamic IP mode and Dynamic port mode.
Dynamic port: achieves Internet access for multiple Intranet IP addresses by using only one or a limited
number of public IP addresses. Normally, for such a scenario we use dynamic port NAT.

Track: when multiple public IPs are available, tracks the usability of each public IP to avoid
translating to an unusable IP.

• You can also enable the Sticky function. If Sticky is enabled, all sessions from the same source IP
address are mapped/translated to a fixed public IP address.
Special server: Mail server.
Static translation refers to converting a private IP address of the internal
network to a public IP address. The IP address pair is one-to-one and immutable:
a private IP address is only ever converted to one public IP address. With the help
of static conversion, the external network can access some specific devices (such
as servers) in the internal network, but this cannot solve the problem of IP exhaustion.

Dynamic conversion means that when a private IP address of the internal network
is converted to a public IP address, the corresponding public IP address is
random: all private IP addresses authorized to access the Internet can be
converted to any of the specified legal IP addresses.
When the number of legitimate IP addresses provided by the ISP is slightly less
than the number of computers inside the network, dynamic conversion can be used.

If Round-robin is enabled, all sessions from an IP address will be mapped to the
same fixed IP address. If Sticky and Round-robin are not enabled, the first
address in the address entry is used first; when the port resources of the first
address are exhausted, the second address is used.
If Track is enabled, the system tracks whether the translated public address is
valid, i.e., it uses the translated address as the source address to check whether
the destination website or host is reachable. The configured track object can be
a Ping, HTTP or TCP track object.
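The three SNAT translation modes, the Sticky option and the Track check described above, as an added Python model that is not Hillstone code and not part of the original slides. The source address entry, the translated address entry, the two-port-per-address budget and the port numbering are constructed so that address and port exhaustion show up within a few sessions; the Track result is simulated by marking an address unusable rather than by actually probing anything.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed values, not from the page: a source address entry (src-address),
# a translated address entry (trans-to-address) and a tiny per-address port
# budget so that port exhaustion becomes visible within a few sessions.
SRC_ADDRESSES = ["192.168.1.2", "192.168.1.3", "192.168.1.4"]
TRANS_TO_ADDRESSES = ["2.2.2.2", "2.2.2.3", "2.2.2.4"]
PORTS_PER_ADDRESS = 2

Translation = Optional[Tuple[str, Optional[int]]]   # (public IP, public port or None)


@dataclass
class SnatPool:
    """Hypothetical, simplified model of one SNAT rule's translation action."""
    mode: str                          # "static", "dynamic-ip" or "dynamic-port"
    src_addresses: List[str]
    trans_to: List[str]
    sticky: bool = False
    ports_per_address: int = PORTS_PER_ADDRESS
    usable: Dict[str, bool] = field(default_factory=dict)    # simulated Track results
    _dyn_ip_map: Dict[str, str] = field(default_factory=dict)
    _sticky_map: Dict[str, str] = field(default_factory=dict)
    _ports_used: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Static mode is one-to-one: both entries must hold the same number of addresses.
        if self.mode == "static" and len(self.src_addresses) != len(self.trans_to):
            raise ValueError("static mode needs equal-sized src-address and trans-to-address entries")

    def _candidates(self) -> List[str]:
        # Track: never translate to an address the track object reported unreachable.
        return [ip for ip in self.trans_to if self.usable.get(ip, True)]

    def translate(self, src_ip: str) -> Translation:
        if self.mode == "static":
            if src_ip not in self.src_addresses:
                return None
            return self.trans_to[self.src_addresses.index(src_ip)], None

        if self.mode == "dynamic-ip":
            # Each source gets its own unique public IP until all are occupied.
            if src_ip not in self._dyn_ip_map:
                taken = set(self._dyn_ip_map.values())
                free = [ip for ip in self._candidates() if ip not in taken]
                if not free:
                    return None
                self._dyn_ip_map[src_ip] = free[0]
            return self._dyn_ip_map[src_ip], None

        # dynamic-port: many sources share one public IP and are told apart by port.
        if self.sticky and src_ip in self._sticky_map:
            public_ip = self._sticky_map[src_ip]           # same fixed IP every session
        else:
            public_ip = next((ip for ip in self._candidates()
                              if self._ports_used.get(ip, 0) < self.ports_per_address), None)
            if public_ip is None:
                return None                                  # every address exhausted
            if self.sticky:
                self._sticky_map[src_ip] = public_ip
        used = self._ports_used.get(public_ip, 0)
        if used >= self.ports_per_address:
            return None                                      # sticky IP has no ports left
        self._ports_used[public_ip] = used + 1
        return public_ip, 1024 + used                        # constructed port numbering


def demo() -> Dict[str, list]:
    """Run each mode over constructed sessions and return the translations."""
    results: Dict[str, list] = {}
    static = SnatPool("static", SRC_ADDRESSES, TRANS_TO_ADDRESSES)
    results["static"] = [static.translate(ip) for ip in SRC_ADDRESSES]

    dyn_ip = SnatPool("dynamic-ip", SRC_ADDRESSES, TRANS_TO_ADDRESSES[:2])
    results["dynamic_ip"] = [dyn_ip.translate(ip) for ip in SRC_ADDRESSES]

    dyn_port = SnatPool("dynamic-port", SRC_ADDRESSES, TRANS_TO_ADDRESSES[:2])
    results["dynamic_port"] = [dyn_port.translate("192.168.1.2") for _ in range(4)]

    sticky = SnatPool("dynamic-port", SRC_ADDRESSES, TRANS_TO_ADDRESSES[:2], sticky=True)
    sticky.usable["2.2.2.2"] = False    # pretend the Ping track object failed for 2.2.2.2
    results["sticky_tracked"] = [sticky.translate("192.168.1.3") for _ in range(3)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The dynamic-ip run uses only two translated addresses for three sources, so the third source gets no translation; the dynamic-port run shows the non-sticky fallback from the first address to the second once its ports are used up, and the sticky run shows a source pinned to the one address the track check left usable until that address runs out of ports.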

NAT rules should be configured under a VRouter. Under global configuration
mode, use the command below to enter VRouter configuration mode:
ip vrouter vrouter-name
♦ vrouter-name – the name of the VRouter

If you configure NAT for the default VR, trust-vr, you can use NAT mode as well
(under global configuration mode, use the command nat to enter NAT configuration mode).

When using the dynamic port SNAT mode, you can enable the PAT port pool
function to expand the port resources available after NAT. By default this
function is disabled. Use the command below to enable it under global
configuration mode:
expanded-port-pool
Only some Hillstone models support the expanded PAT port pool, and the
supported port resources vary between platforms.
The function only applies to SNAT rules that have not been enabled yet; if the
SNAT rule is already enabled, reboot the system to make the function take effect.
Ø DNAT translates destination IP addresses in packets, usually translating the IP
addresses of internal servers (such as a WWW server or SMTP server) protected
by the device to public IP addresses.
There are two DNAT mapping modes: port mapping and IP mapping.
• Port mapping means one-to-multiple mapping. Different ports of one specified
public IP address are mapped to different ports of different private IP
addresses. Take this picture as an example: there is only one public IP address
available, and we want to publish a mail server and a web server as different
LAN servers at the same time, so port-based DNAT mapping should be used.
• IP mapping means one-to-one mapping; no port translation is needed. We
normally use this mode when we have enough public IP addresses.
DNAT configuration is normally used for Internet users to visit an internal server
protected by the security appliance.
• We select the source address as Any to allow access from all external users.
• The destination address is the public IP address that all Internet users can visit, also
known as the mapping address of the internal server.
• You need to select the mapping service as well, for example the HTTP service (port
mapping, TCP port 80). If the service is selected as Any, this DNAT is an IP mapping.
• After that, select the action NAT and the translated-to IP address, which is the
server's real IP address.

DNAT supports load balancing as well: if multiple internal servers with the same service
are mapped to one public IP address, traffic is balanced across all these servers. For
example, if both 10.1.1.2 and 10.1.1.3 are HTTP web servers, we can configure
202.100.0.2 translated to 10.1.1.2/32 and 10.1.1.3/32 with load balancing for the servers.

The server load balancing algorithms supported by the system are the weighted
hash algorithm, the weighted least connections algorithm and the weighted round
robin algorithm. By default, the weighted hash algorithm is used.
weighted-hash – weighted hash algorithm.
weighted-round-robin – weighted round robin algorithm.
weighted-least-connection – weighted least connections algorithm.
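Port mapping, IP mapping and the three server load-balancing algorithms above, as an added Python model written for this page; it is not StoneOS code and the exact algorithms Hillstone implements are not documented here. The mail server 10.1.1.4, the IP-mapped host 10.1.1.5 behind 202.100.0.3, the server weights and the SHA-256-based hash are constructed assumptions; 202.100.0.2 with 10.1.1.2 and 10.1.1.3 come from the slide's own load-balancing example.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional, Tuple

Server = Tuple[str, int]   # (private IP, private port)

# Constructed DNAT table. Port mapping: one public IP whose ports reach
# different private servers; the HTTP entry lists two servers for load balancing.
PORT_MAPPING: Dict[Tuple[str, int], List[Server]] = {
    ("202.100.0.2", 25): [("10.1.1.4", 25)],                     # mail server (constructed)
    ("202.100.0.2", 80): [("10.1.1.2", 80), ("10.1.1.3", 80)],   # web servers from the page
}
# IP mapping: service "any", the whole public IP maps to one private host, no port translation.
IP_MAPPING: Dict[str, str] = {"202.100.0.3": "10.1.1.5"}         # constructed
# Constructed per-server weights used by all three weighted algorithms.
SERVER_WEIGHTS: Dict[str, int] = {"10.1.1.2": 2, "10.1.1.3": 1}


def weighted_slots(servers: List[Server]) -> List[Server]:
    """Expand the server list into slots, repeating each server by its weight."""
    return [s for s in servers for _ in range(SERVER_WEIGHTS.get(s[0], 1))]


class DnatEngine:
    """DNAT lookup plus the three server load-balancing algorithms named on the page."""

    def __init__(self, algorithm: str = "weighted-hash") -> None:
        self.algorithm = algorithm
        self.active: Dict[str, int] = {}                      # connections per server
        self._rr: Dict[Tuple[str, int], Iterator[Server]] = {}

    def _pick(self, key: Tuple[str, int], servers: List[Server], client_ip: str) -> Server:
        if len(servers) == 1:
            return servers[0]
        if self.algorithm == "weighted-hash":
            # Hash the client onto the weighted slots: one client always lands on one server.
            slots = weighted_slots(servers)
            digest = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            return slots[digest % len(slots)]
        if self.algorithm == "weighted-round-robin":
            if key not in self._rr:
                self._rr[key] = itertools.cycle(weighted_slots(servers))
            return next(self._rr[key])
        if self.algorithm == "weighted-least-connection":
            # Fewest active connections relative to weight; ties go to the first listed server.
            return min(servers, key=lambda s: self.active.get(s[0], 0) / SERVER_WEIGHTS.get(s[0], 1))
        raise ValueError(f"unknown algorithm {self.algorithm}")

    def translate(self, client_ip: str, dst_ip: str, dst_port: int) -> Optional[Server]:
        """Return the (private IP, port) the packet is forwarded to, or None if no rule matches."""
        key = (dst_ip, dst_port)
        if key in PORT_MAPPING:
            server = self._pick(key, PORT_MAPPING[key], client_ip)
            self.active[server[0]] = self.active.get(server[0], 0) + 1
            return server
        if dst_ip in IP_MAPPING:
            return IP_MAPPING[dst_ip], dst_port            # IP mapping keeps the port
        return None


def distribute(algorithm: str, clients: List[str]) -> List[str]:
    """Send one HTTP connection per client through DNAT and return the chosen servers."""
    engine = DnatEngine(algorithm)
    return [engine.translate(c, "202.100.0.2", 80)[0] for c in clients]


if __name__ == "__main__":
    clients = ["1.1.1.%d" % i for i in range(6)]
    for alg in ("weighted-hash", "weighted-round-robin", "weighted-least-connection"):
        print(alg, distribute(alg, clients))
```

With weights 2:1 the round-robin cycle sends two of every three HTTP connections to 10.1.1.2; the least-connection choice divides the live connection count by the weight so the heavier server still takes the larger share; the hash keeps a given client on the same server across connections, which is why it suits stateful applications.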
You can configure DNAT via CLI in VRouter configuration mode. Under global
configuration mode, use the command below to enter VRouter configuration mode:
ip vrouter vrouter-name

If you configure NAT for the default VR (trust-vr), you can use NAT mode to
configure it (under global configuration mode, use the command nat to enter NAT
configuration mode).
In StoneOS, NAT also has its matching sequence, which is the same as for
policies (from top to bottom of the NAT list).

• Each SNAT rule is labeled with a unique ID.

When traffic flows into the Hillstone device, the device queries the SNAT rules
in the list in turn, and then implements NAT on the source IP of the traffic
according to the first matched rule. However, the rule ID is not related to the
matching sequence during the query. The sequence displayed by the command
show snat/dnat is the query sequence for matching.
You can also move a NAT rule to change its priority.
In the SNAT/DNAT Configuration dialog of the WebUI, click Advanced; now you can
change the rule position.
In CLI, use the following command……
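The first-match lookup, the ID-versus-position distinction and the rule move described above, as an added Python model that is not the StoneOS CLI command (which the slide leaves out) and not Hillstone code. The two rules, the egress interface name "ethernet0/1" and the action labels "egress-if-ip" and "no-nat" are constructed; the scenario is a broad LAN rule created first and a more specific No NAT rule for one host created afterwards, so the specific rule only takes effect once it is moved above the broad one.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional


class SnatRule:
    """One SNAT rule: match fields plus a translation action label (constructed)."""

    def __init__(self, rule_id: int, src: str, dst: str, egress_if: str, action: str) -> None:
        self.id = rule_id
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.egress_if = egress_if
        self.action = action

    def matches(self, src_ip: str, dst_ip: str, egress_if: str) -> bool:
        return (ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst
                and self.egress_if == egress_if)


class SnatTable:
    """Ordered SNAT list: IDs are fixed at creation, list position decides matching."""

    def __init__(self) -> None:
        self.rules: List[SnatRule] = []
        self._next_id = 1

    def add(self, src: str, dst: str, egress_if: str, action: str) -> int:
        rule = SnatRule(self._next_id, src, dst, egress_if, action)
        self._next_id += 1
        self.rules.append(rule)          # new rules land at the bottom of the list
        return rule.id

    def move(self, rule_id: int, position: str, ref_id: Optional[int] = None) -> None:
        """Move a rule to 'top', 'bottom', or 'before'/'after' the rule with ref_id."""
        rule = next(r for r in self.rules if r.id == rule_id)
        self.rules.remove(rule)
        if position == "top":
            self.rules.insert(0, rule)
        elif position == "bottom":
            self.rules.append(rule)
        else:
            idx = next(i for i, r in enumerate(self.rules) if r.id == ref_id)
            self.rules.insert(idx if position == "before" else idx + 1, rule)

    def show(self) -> List[int]:
        """Rule IDs in query order, the order 'show snat' on the page displays."""
        return [r.id for r in self.rules]

    def lookup(self, src_ip: str, dst_ip: str, egress_if: str) -> Optional[SnatRule]:
        """First matching rule from the top wins; rules below it are never consulted."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, egress_if):
                return rule
        return None


def demo() -> dict:
    table = SnatTable()
    # Rule 1: the whole LAN reaches the Internet via the egress interface address.
    table.add("192.168.1.0/24", "0.0.0.0/0", "ethernet0/1", "egress-if-ip")
    # Rule 2: one host must keep its real address (No NAT), but it was created later.
    table.add("192.168.1.10/32", "0.0.0.0/0", "ethernet0/1", "no-nat")
    before = table.lookup("192.168.1.10", "9.6.7.3", "ethernet0/1").action
    order_before = table.show()
    table.move(2, "top")                  # the specific rule has to sit above the broad one
    after = table.lookup("192.168.1.10", "9.6.7.3", "ethernet0/1").action
    return {"before": before, "after": after,
            "order_before": order_before, "order_after": table.show()}


if __name__ == "__main__":
    print(demo())
```

Before the move, rule 1 shadows rule 2 and the host is translated like the rest of the LAN; after the move the query order reads 2, 1 even though the IDs are unchanged, which is the point the slide makes about IDs not reflecting priority.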
After completing the NAT rule, we also need to configure a NAT-related policy to
allow the traffic to be forwarded.
• For SNAT, we need to permit the traffic from the private network to the public network.
• For DNAT, normally the source address is Any (all Internet users). Please note
that the destination address is the mapping address of the server, not the real
private address of the server (you can remember it as the public IP address the
server is mapped to).
• Open the HTTP service as we did in the DNAT configuration, and then select
the Permit action.

After the destination NAT is completed, the corresponding access policy needs
to be created to allow access to the published server.
The destination address of the policy needs to specify the virtual address
mapped to the server, usually the public IP address.
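The policy rule above for DNAT, as an added Python model that is not Hillstone code: it follows the slide's statement that the policy destination is the server's mapping (public) address and shows that a policy written against the server's real private address never permits the traffic. The DNAT entry reuses the slide's 202.100.0.2 to 10.1.1.2 HTTP example; the service table, the policy layout and the external client 8.8.8.8 are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed DNAT entry: (mapping address, service) -> real server address.
DNAT_MAP: Dict[Tuple[str, Optional[str]], str] = {("202.100.0.2", "HTTP"): "10.1.1.2"}
# Constructed service table: name -> (protocol, port).
SERVICES: Dict[str, Tuple[str, int]] = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25)}


class Policy:
    """One access policy: source, destination (as the packet carries it), service, action."""

    def __init__(self, src: str, dst: str, service: str, action: str) -> None:
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.service = service
        self.action = action


def service_of(proto: str, port: int) -> Optional[str]:
    """Map a protocol/port pair back to a service name from the constructed table."""
    return next((name for name, val in SERVICES.items() if val == (proto, port)), None)


def forward(policies: List[Policy], src_ip: str, dst_ip: str,
            proto: str, port: int) -> Tuple[str, Optional[str]]:
    """Return (decision, server) for an inbound packet.

    The policy is evaluated against the mapped public destination, as the page
    states, so a policy naming the server's private address cannot match."""
    service = service_of(proto, port)
    server = DNAT_MAP.get((dst_ip, service))
    if server is None:
        return "no-dnat", None                     # nothing published on that address/service
    for policy in policies:                        # first match, top to bottom
        if (ip_address(src_ip) in policy.src and ip_address(dst_ip) in policy.dst
                and policy.service in (service, "any")):
            return policy.action, (server if policy.action == "permit" else None)
    return "deny", None                            # no policy matched: default deny


# A common mistake: the policy names the real private address instead of the mapping address.
WRONG = [Policy("0.0.0.0/0", "10.1.1.2/32", "HTTP", "permit")]
# The form the slide asks for: destination is the public mapping address.
RIGHT = [Policy("0.0.0.0/0", "202.100.0.2/32", "HTTP", "permit")]


if __name__ == "__main__":
    print("wrong policy:", forward(WRONG, "8.8.8.8", "202.100.0.2", "tcp", 80))
    print("right policy:", forward(RIGHT, "8.8.8.8", "202.100.0.2", "tcp", 80))
```

The first policy is the one practitioners tend to write after staring at the server's real address for a while; the lookup never sees 10.1.1.2 as a destination, so the connection falls through to the default deny and the published server appears unreachable even though the DNAT rule itself is correct.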