
Chapter 9 – NAT

HCSA-NGFW 2022

Contents
1 Basic Concept of NAT
2 Source NAT
3 Destination NAT
4 Advanced NAT Setting
5

Basic Concept of NAT
Why We Need NAT?
• NAT Background:
– IPv4 address exhaustion
– Technologies to extend IPv4 were introduced, among them NAT, which makes efficient use of the remaining addresses
– IPv6 adoption is still low

• RFC 1918 defines three private IP address ranges. These addresses are never allocated on the Internet, so you can use them freely in an enterprise network:
– Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
– Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
– Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

• Packets carrying private addresses cannot be routed on the Internet.

www.hillstonenet.com
NAT Concept
• NAT (Network Address Translation) is a protocol to translate the IP address within an IP
packet header to another IP address. When the IP packets pass through a security appliance
or router, the appliance or router will translate the source IP address and/or the destination IP
address in the IP packets. In practice, NAT is mostly used to allow the private network to
access the public network, or vice versa.
[Figure: SNAT and DNAT through a security appliance. PC 192.168.10.10 sits behind Ethernet0/1 (zone trust, 192.168.10.254); Ethernet0/4 (zone untrust, 200.1.1.1) faces the Internet, where server 200.200.200.200 is reached.
SNAT, IP packet1: S-IP 192.168.10.10 / D-IP 200.200.200.200 on the trust side becomes S-IP 200.1.1.1 / D-IP 200.200.200.200 on the untrust side.
DNAT, IP packet2: S-IP 200.200.200.200 / D-IP 200.1.1.1 from the server becomes S-IP 200.200.200.200 / D-IP 192.168.10.10 toward the PC.]
NAT Classification

Source NAT (SNAT)
– static
– dynamic-ip
– dynamic-port

Destination NAT (DNAT)
– Port mapping
– IP mapping

Bidirectional NAT (BNAT)
– Source & Destination IP

Can we just use IP address translation?
Why is port translation also needed?
Source NAT
Translation Process (Source NAT)
SNAT translates source IP addresses, thereby hiding the internal IP
addresses or sharing the limited IP addresses

[Figure: SNAT translation process. Host 192.168.10.10 (zone trust, gateway 192.168.10.254; a second host 192.168.10.11 is on the same segment) sends to Host B 9.6.7.3 on the Internet through the untrust interface 200.1.1.1. Steps 1-4 follow the packet out and the reply back.
Before SNAT: SA 192.168.10.10:1025, DA 9.6.7.3. After SNAT: SA 200.1.1.1:1025, DA 9.6.7.3.]
Configure SNAT (WebUI)
Policy > NAT > SNAT, and click New.

SNAT supports:
- Static NAT (static-ip)
- Dynamic NAT (dynamic-ip)
- Dynamic port (dynamic-port)

SNAT - Static NAT
• Static - Static mode means one-to-one translation. This mode requires the translated address entry
to contain the same number of IP addresses as that of the source address entry.

SNAT – Dynamic IP
• Dynamic IP - Dynamic IP mode means multiple-to-one translation. This mode translates the source address to a specific IP
address. Each source address will be mapped to a unique IP address, until all specified addresses are occupied.

SNAT – Dynamic Port
• Dynamic port - Also called PAT. Multiple source addresses are translated to one specified IP address in an address entry.

• Sticky: If Sticky is enabled, all sessions from one source IP address are mapped to the same fixed IP address.
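The three SNAT modes and the translation process on the slides above, as an added worked example (this is not Hillstone code and does not model StoneOS internals): a toy SNAT rule that keeps the session table a firewall needs so that replies can be mapped back, supports static (one-to-one), dynamicip (one public address claimed per inside host until the pool is exhausted) and dynamicport (PAT, many hosts behind one public address, optionally sticky). The Packet class, the SNATRule class and all addresses are constructed for this example.

```python
"""Added example, not Hillstone code: a toy SNAT engine modelling the three
snatrule modes on the slides (static, dynamicip, dynamicport [sticky]) and the
session table used to translate replies back.  All addresses are constructed."""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SNATRule:
    """One SNAT rule: a source address entry, a trans-to entry and a mode."""

    def __init__(self, source, trans_to, mode, sticky=False):
        if mode == "static" and len(source) != len(trans_to):
            # static is one-to-one: both entries must hold the same number of addresses
            raise ValueError("static mode: source and trans-to entries differ in size")
        self.source = [ipaddress.ip_network(s) for s in source]
        self.trans_to = list(trans_to)
        self.mode, self.sticky = mode, sticky
        self.ip_map = {}         # src ip -> public ip (dynamicip claims, sticky PAT)
        self.sessions = {}       # (src ip, src port, dst ip, dst port) -> (pub ip, pub port)
        self.reverse = {}        # (pub ip, pub port, dst ip, dst port) -> (src ip, src port)
        self.used_ports = set()  # (pub ip, port) pairs handed out by dynamicport
        self.rr = itertools.cycle(self.trans_to)

    def _match_index(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for i, net in enumerate(self.source):
            if addr in net:
                return i
        return None

    def _public_ip(self, src_ip, idx):
        if self.mode == "static":
            return self.trans_to[idx]           # same position in both entries
        if self.mode == "dynamicip":
            if src_ip not in self.ip_map:
                free = [ip for ip in self.trans_to if ip not in self.ip_map.values()]
                if not free:
                    return None                 # pool exhausted: this host cannot be translated
                self.ip_map[src_ip] = free[0]
            return self.ip_map[src_ip]
        if self.sticky:                         # dynamicport sticky: same host, same public ip
            return self.ip_map.setdefault(src_ip, next(self.rr))
        return next(self.rr)

    def _alloc_port(self, pub_ip, wanted):
        """Keep the original source port when it is free on pub_ip, else take the next free one."""
        port = wanted
        while (pub_ip, port) in self.used_ports:
            port = port + 1 if port < 65535 else 1024
            if port == wanted:
                raise RuntimeError("no free port left on " + pub_ip)
        self.used_ports.add((pub_ip, port))
        return port

    def outbound(self, pkt):
        """Translate a trust-to-untrust packet; None means the rule does not apply."""
        idx = self._match_index(pkt.src_ip)
        if idx is None:
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            pub_ip = self._public_ip(pkt.src_ip, idx)
            if pub_ip is None:
                return None
            pub_port = pkt.src_port
            if self.mode == "dynamicport":
                pub_port = self._alloc_port(pub_ip, pkt.src_port)
            self.sessions[key] = (pub_ip, pub_port)
            self.reverse[(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        pub_ip, pub_port = self.sessions[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a reply back to the inside host; None means no session, so it is dropped."""
        orig = self.reverse.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, orig[0], orig[1])


def pat_demo():
    """Two inside hosts that both use source port 1025 share one public IP (the slide's case)."""
    rule = SNATRule(["192.168.10.0/24"], ["200.1.1.1"], "dynamicport")
    a = rule.outbound(Packet("192.168.10.10", 1025, "9.6.7.3", 80))
    b = rule.outbound(Packet("192.168.10.11", 1025, "9.6.7.3", 80))
    reply = rule.inbound(Packet("9.6.7.3", 80, b.src_ip, b.src_port))
    return a, b, reply
```

pat_demo answers the question from the classification slide: with one public address and two hosts that both pick source port 1025, address translation alone would produce two identical outside flows, so the second host's port has to be rewritten (here to 1026) for the reply to be mapped back to the right host. A reply that matches no session entry is returned as None, which is the behaviour a defender relies on: unsolicited inbound packets to the SNAT address have nowhere to go.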
Configure SNAT (CLI)
• To configure SNAT, in the VRouter/NAT configuration mode, use the following
command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface] trans-to {addressbook trans-to-address | eif-ip} mode {static | dynamicip | dynamicport [sticky]} [log] [disable] [track track-name] [description description]

• id id - Specifies the ID of the SNAT rule.
• before id | after id | top - Specifies the position of the rule.
• from src-address to dst-address [eif egress-interface] - Specifies the conditions the traffic must match.
• eif egress-interface - Specifies the egress interface.
• addressbook trans-to-address | eif-ip - Specifies the translated IP address.
• mode {static | dynamicip | dynamicport [sticky]} - Specifies the translation mode.

• Check SNAT configuration and resource utilization:
show snat [id id] [resource] [vrouter vrouter-name]
Destination NAT
Destination NAT
DNAT translates destination IP addresses. Usually the IP addresses of internal servers (such as a WWW server or SMTP server) protected by the device are translated to public IP addresses.

[Figure: DNAT translation process. Host B 9.6.7.3 on the Internet sends HTTP (port 80) traffic to public address 200.1.1.1 on the untrust interface; the device forwards it to internal server 192.168.10.10 (zone trust, gateway 192.168.1.254; a second host 192.168.10.11 is on the same segment). Steps 1-4 follow the request in and the reply back.
Before DNAT: SA 9.6.7.3, DA 200.1.1.1:80. After DNAT: SA 9.6.7.3, DA 192.168.10.10:80.]
Configure DNAT (WebUI)
Policy > NAT > DNAT, click New and select from dropdown list
DNAT translation type:
- Port mapping
- IP mapping

DNAT – IP Mapping
• IP mapping: this mode is a one-to-one mapping. It is usually used to publish a server externally when public IP addresses are sufficient.
DNAT – Port Mapping
• Port mapping: this mode is a one-to-multiple mapping, which maps different ports of a public IP to different ports of different IPs on the intranet, so that multiple servers can be published when public IPs are limited.
DNAT – Advanced Settings

DNAT - SLB
• DNAT supports server load balancing (SLB); 192.168.10.10 and 192.168.10.11 are in the same server pool.
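The two DNAT translation types (IP mapping, port mapping) and the SLB server pool from the slides above, as an added worked example (not Hillstone code, and no claim about how StoneOS implements it): a toy DNAT table with first-match rules, a per-session binding so that all packets of one connection reach the same pool member, and a `down` set standing in for what a track-ping or track-tcp health check would mark. The classes, the `down` attribute and every address are constructed for this example.

```python
"""Added example, not Hillstone code: a toy DNAT table with IP mapping, port mapping
and a load-balanced server pool.  Addresses are constructed sample values."""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DNATRule:
    """virtual_ip is the published (public) address; real_ips the intranet server(s).

    service_port=None models IP mapping (every port of virtual_ip goes to one host);
    a service_port models port mapping (only that port is translated, optionally to a
    different real_port).  load_balance=True deals new sessions over real_ips.
    """

    def __init__(self, virtual_ip, real_ips, service_port=None, real_port=None, load_balance=False):
        self.virtual_ip, self.real_ips = virtual_ip, list(real_ips)
        self.service_port, self.real_port, self.load_balance = service_port, real_port, load_balance
        self.down = set()                       # servers a health check (track-ping/track-tcp) marked down
        self.rr = itertools.cycle(self.real_ips)
        self.hits = 0

    def matches(self, pkt):
        return pkt.dst_ip == self.virtual_ip and (
            self.service_port is None or pkt.dst_port == self.service_port)

    def pick_server(self):
        alive = [ip for ip in self.real_ips if ip not in self.down]
        if not alive:
            return None                         # whole pool down: nothing to forward to
        if not self.load_balance:
            return alive[0]
        for _ in range(len(self.real_ips)):     # round-robin, skipping servers marked down
            ip = next(self.rr)
            if ip not in self.down:
                return ip


class DNATTable:
    def __init__(self):
        self.rules = []      # first match wins, in list order
        self.sessions = {}   # (client ip, client port, virtual ip, virtual port) -> (real ip, real port)
        self.reverse = {}    # (real ip, real port, client ip, client port) -> (virtual ip, virtual port)

    def add(self, rule):
        self.rules.append(rule)

    def inbound(self, pkt):
        """Client packet arriving from untrust.  Returns the packet as the server will see it,
        unchanged if no rule matches, or None if the matched pool has no live server."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            rule = next((r for r in self.rules if r.matches(pkt)), None)
            if rule is None:
                return pkt
            server = rule.pick_server()
            if server is None:
                return None
            rule.hits += 1
            real_port = rule.real_port or pkt.dst_port
            self.sessions[key] = (server, real_port)
            self.reverse[(server, real_port, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        ip, port = self.sessions[key]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)

    def outbound(self, pkt):
        """Server reply: restore the public address and port the client connected to."""
        orig = self.reverse.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return pkt
        return Packet(orig[0], orig[1], pkt.dst_ip, pkt.dst_port)


def publish_demo():
    """One public IP publishes web (SLB pool) and mail (port 25 -> 2525); a second public IP
    is mapped whole to one host.  Constructed sample addresses."""
    table = DNATTable()
    table.add(DNATRule("200.1.1.1", ["192.168.10.10", "192.168.10.11"], service_port=80, load_balance=True))
    table.add(DNATRule("200.1.1.1", ["192.168.10.20"], service_port=25, real_port=2525))
    table.add(DNATRule("200.1.1.2", ["192.168.10.30"]))          # IP mapping, all ports
    web1 = table.inbound(Packet("9.6.7.3", 40000, "200.1.1.1", 80))
    web2 = table.inbound(Packet("9.6.7.3", 40001, "200.1.1.1", 80))
    web1_again = table.inbound(Packet("9.6.7.3", 40000, "200.1.1.1", 80))   # same session, same server
    mail = table.inbound(Packet("9.6.7.3", 40002, "200.1.1.1", 25))
    ssh = table.inbound(Packet("9.6.7.3", 40003, "200.1.1.2", 22))
    reply = table.outbound(Packet(web1.dst_ip, web1.dst_port, "9.6.7.3", 40000))
    return web1, web2, web1_again, mail, ssh, reply
```

The point worth noticing for exposure control is the difference between the two rule shapes: the port-mapping rules expose exactly one port per service on 200.1.1.1, while the IP-mapping rule on 200.1.1.2 hands every port of that public address to 192.168.10.30, so anything listening on that host becomes reachable unless the security policy narrows it.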
Configure DNAT (CLI)
• To configure a DNAT rule, in the VRouter configuration mode, use the following command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] trans-to trans-to-address [port port] [load-balance] [track-tcp port] [track-ping] [log] [group group-id] [disable] [description description]

• Check DNAT configuration:
show dnat rule [id] [vrouter vrouter-name]
Advanced NAT Setting

NAT Rule
• There are two types of NAT rules, which are source NAT rules and destination
NAT rules. SNAT translates source IP addresses; DNAT translates destination
IP addresses. If there are multiple NAT rules in the system, you can move a
rule as needed.

• Matching sequence of NAT rules:
Each SNAT rule is labeled with a unique ID. When traffic flows into the Hillstone device, the device queries the SNAT rules in list order and applies NAT to the source IP of the traffic according to the first matched rule. The rule ID has no bearing on the matching sequence. The sequence displayed by the command show snat/dnat is the query sequence used for matching. You can move an SNAT rule to change the matching sequence.

• Note: When configuring a firewall policy, the source and destination addresses in the policy should be the addresses before NAT translation.
NAT Hit Count
The system administrator can check the hit count of a newly added NAT rule to verify whether the NAT rule is taking effect.
Moving a NAT Rule
• To move a NAT rule via the WebUI, in the SNAT/DNAT configuration dialog, select the NAT rule and click Priority.

• To move a NAT rule via the CLI, in the NAT configuration mode, use the following commands:
- snatrule move id {before id | after id | top | bottom}
- dnatrule move id {before id | after id | top | bottom}

• To delete a NAT rule, in the NAT configuration mode, use the following commands:
- no snatrule id id
- no dnatrule id id
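The three slides above (matching sequence, hit count, moving a rule) describe one mechanism, shown here as an added worked example that is not Hillstone code: a rule list whose IDs are fixed at creation, whose lookup is first-match in list order, whose move operation takes the same positions as snatrule move (before id, after id, top, bottom), and whose per-rule hit counter reveals a rule that never fires. The SnatRule and SnatRuleList classes and the addresses are constructed for this example.

```python
"""Added example, not Hillstone code: rule order vs rule ID, move positions and hit
counts for a first-match NAT rule list.  Addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SnatRule:
    rule_id: int          # fixed when created; never changes when the rule is moved
    src: str              # source address entry, as a network
    dst: str              # destination address entry, as a network
    trans_to: str         # translated address (or "eif-ip")
    hits: int = 0         # incremented each time this rule is the first match

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


class SnatRuleList:
    def __init__(self):
        self.rules = []     # list order is the query order; IDs play no part in it
        self.next_id = 1

    def _index(self, rule_id):
        for i, rule in enumerate(self.rules):
            if rule.rule_id == rule_id:
                return i
        raise KeyError("no rule with id %d" % rule_id)

    def add(self, src, dst, trans_to, position="bottom"):
        """New rules go to the bottom unless a position is given, as with
        snatrule ... [before id | after id | top]."""
        rule = SnatRule(self.next_id, src, dst, trans_to)
        self.next_id += 1
        self.rules.append(rule)
        self.move(rule.rule_id, position)
        return rule.rule_id

    def move(self, rule_id, position):
        """position: 'top', 'bottom', ('before', id) or ('after', id)."""
        rule = self.rules.pop(self._index(rule_id))
        if position == "top":
            self.rules.insert(0, rule)
        elif position == "bottom":
            self.rules.append(rule)
        else:
            where, ref_id = position
            i = self._index(ref_id)
            self.rules.insert(i if where == "before" else i + 1, rule)

    def delete(self, rule_id):
        self.rules.pop(self._index(rule_id))

    def lookup(self, src_ip, dst_ip):
        """First match in list order; count the hit so an admin can see which rule fired."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                rule.hits += 1
                return rule
        return None

    def show(self):
        """Like 'show snat': the displayed order is the matching order."""
        return [(r.rule_id, r.src, r.trans_to, r.hits) for r in self.rules]


def shadowed_rule_demo():
    """A host-specific rule added after a subnet-wide rule never fires until it is moved up."""
    nat = SnatRuleList()
    nat.add("192.168.10.0/24", "0.0.0.0/0", "eif-ip")       # id 1: whole subnet via egress ip
    nat.add("192.168.10.10/32", "0.0.0.0/0", "200.1.1.9")   # id 2: one host via a dedicated ip
    before = nat.lookup("192.168.10.10", "9.6.7.3").rule_id  # 1: rule 2 is shadowed, hit count 0
    nat.move(2, "top")
    after = nat.lookup("192.168.10.10", "9.6.7.3").rule_id   # 2
    return before, after, nat.show()
```

shadowed_rule_demo is the situation the hit-count slide is about: the new rule has a higher ID but sits below a broader rule, so its counter stays at zero and the host keeps leaving with the egress address. Moving it to the top, not renumbering it, is what changes the outcome, and show() reflects the new order while both IDs stay the same.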
Configure a DNAT-related Policy
• Policy > Security Policy, and click New.

Bidirectional NAT(BNAT)
BNAT can be seen as a combination of DNAT and SNAT: a single rule achieves both source and destination translation.

In the packet processing flow, BNAT takes precedence over DNAT. When a packet matches a BNAT rule, it follows the destination translation and source translation defined in that BNAT rule and does not check the other regular NAT rules. After the BNAT mapping is finished, policy matching starts.

To create a BNAT rule, under VRouter configuration mode, use the command below:
• bnatrule [id id] [before id | after id | top] [interface interface-name] virtual {ip {A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} real {ip {A.B.C.D | A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} [group group-id] [description description]
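The precedence described above, as an added worked example that is not Hillstone code: a BNAT rule is modelled as one virtual/real address pair applied in whichever direction the packet travels (destination translation for packets to the virtual address, source translation for packets from the real address); that reading of a single rule covering both directions is an assumption of this example. A BNAT match returns immediately, so the regular DNAT and SNAT lists are never consulted for that packet; otherwise those two lists apply in turn. Rule sets and addresses are constructed.

```python
"""Added example, not Hillstone code: BNAT-before-DNAT/SNAT processing order.
Rule sets and addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


# Constructed rule sets.  BNAT: one virtual<->real pair serving both directions.
BNAT = [{"name": "web", "virtual": "200.1.1.5", "real": "192.168.10.50"}]
# A regular DNAT rule for the same virtual IP, and a regular SNAT rule for the whole subnet.
DNAT = [{"name": "old-web", "virtual": "200.1.1.5", "real": "192.168.10.99"}]
SNAT = [{"name": "outbound", "source": "192.168.10.0/24", "trans_to": "200.1.1.1"}]


def process(pkt, bnat=BNAT, dnat=DNAT, snat=SNAT):
    """Return (packet after NAT, names of rules applied) in the order the slide gives:
    BNAT first; a BNAT match skips the regular DNAT and SNAT lists entirely."""
    applied = []
    for rule in bnat:
        if pkt.dst_ip == rule["virtual"]:            # inbound: destination translation
            applied.append("bnat:" + rule["name"])
            return Packet(pkt.src_ip, rule["real"]), applied
        if pkt.src_ip == rule["real"]:               # outbound: source translation
            applied.append("bnat:" + rule["name"])
            return Packet(rule["virtual"], pkt.dst_ip), applied
    for rule in dnat:                                # regular DNAT list, first match
        if pkt.dst_ip == rule["virtual"]:
            pkt = Packet(pkt.src_ip, rule["real"])
            applied.append("dnat:" + rule["name"])
            break
    for rule in snat:                                # regular SNAT list, first match
        if ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule["source"]):
            pkt = Packet(rule["trans_to"], pkt.dst_ip)
            applied.append("snat:" + rule["name"])
            break
    return pkt, applied
```

The test case with the BNAT list emptied shows why the precedence matters when auditing a configuration: the stale "old-web" DNAT rule is silently overridden while the BNAT rule exists, and would take over the public address the moment the BNAT rule is removed.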
Questions
1. Which type of NAT does an intranet user typically use to access the Internet?
2. When is port-based DNAT required instead of IP-based DNAT?
3. How should the destination IP address be configured in the policy rule for a server that is published to the Internet?
LAB
[Figure: lab topology with FW1, FW2 and FW3, as far as the extracted labels allow. PC1 192.168.1.1 sits behind FW1 (E0/1 L3-trust 192.168.1.254/24, E0/2 L3-untrust 192.168.13.1/24, E0/3 L3-untrust 182.168.12.1/24); FW1 SNAT address 192.168.13.2. PC2 192.168.2.21/24 sits behind FW3 (E0/1 L3-trust 192.168.2.254/24, E0/2 L3-untrust 192.168.13.3/24, E0/3 L3-untrust 192.168.23.3/24); FW3 DNAT address 192.168.2.2. FW2 (E0/1 L3-untrust 182.168.12.2/24, E0/2 L3-untrust 192.168.23.2/24) links FW1 and FW3; the path through FW2 is marked X.]

• PC1 can ping PC2 (SNAT)
• PC2 can access PC1 over RDP (DNAT)
• Verify with logs
Thanks
