Configuring DNAT

This section describes how to configure DNAT.

Creating an IP Mapping Rule

To create an IP mapping rule, take the following steps:

1. On the Navigation pane, click Configure > Network > NAT to visit the SNAT page.
2. Click the DNAT tab to visit the DNAT page.
3. Click New > IP Mapping.
4. In the IP Mapping Configuration dialog, specify a VR for IP mapping rule if needed. If you have already enabled the Multi-VR function and created different VRouters, you need to specify a VRouter for the rule. If the Multi-VR function is disabled, the default VRouter trust-vr will be used. For more information on configuring Multi-VR, see Configuring a VR.
5. Specify the HA group that the IP mapping rule belongs to. The default setting is 0.
6. Specify the destination IP address of traffic in Requirements. Select an address entry from the Dst address drop-down list or type the address into the Dst address box.
7. Specify translated destination IP address in Translated to. Select an address entry from the Dst address drop-down list or type the address into the Dst address box.
8. Click OK to save your settings.

Creating a Port Mapping Rule

To create a port mapping rule, take the following steps:

1. On the Navigation pane, click Configure > Network > NAT to visit the SNAT page.
2. Click the DNAT tab to visit the DNAT page.
3. Click New > Port Mapping.
4. In the Port Mapping Configuration dialog, specify a VR for port mapping rule if needed. If you have already enabled the Multi-VR function and created different VRouters, you need to specify a VRouter for the rule. If the Multi-VR function is disabled, the default VRouter trust-vr will be used. For more information on configuring Multi-VR, see Configuring a VR.
5. Specify the HA group that the port mapping rule belongs to. The default setting is 0.
6. Specify the destination IP address of traffic in Requirements. Select an address entry from the Dst address drop-down list or type the address into the Dst address box.
7. Select the service you need from the Service drop-down list.
8. Specify translated destination IP address in Translated to. Select an address entry from the Dst address drop-down list or type the address into the Dst address box.
9. Type the port number into the Dst port box.
10. Click OK to save your settings.

Creating a DNAT Rule

To create a DNAT rule, take the following steps:

1. On the Navigation pane, click Configure > Network > NAT to visit the SNAT page.
2. Click the DNAT tab to visit the DNAT page.
3. Click New > Advanced.
4. On the Basic tab, configure DNAT basic options.
   • VRouter: If you have already enabled the Multi-VR function and created different VRouters, you need to specify a VRouter for the DNAT rule. If the Multi-VR function is disabled, the default VRouter trust-vr will be used. For more information on configuring Multi-VR, see Configuring a VR.
   • Src address: Specifies the source IP address of the traffic, including:
     Address entry - Select an address entry from the drop-down list.
     IP address - Type an IP address into the IP address box.
   • Dst address: Specifies the destination IP address of the traffic, including:
     Address entry - Select an address entry from the drop-down list.
     IP address - Type an IP address into the IP address box.
   • Service: Select the service you need from the drop-down list.
   • Action: Specifies the action for the traffic you specified, including:
     NAT - Implements NAT for the eligible traffic.
     No NAT - Do not implement NAT for the eligible traffic.
   • Translated to: For the NAT option, you need to specify the translated IP address. Select an address entry from the Translated to drop-down list or type an IP address in the Translated to box.
     
   • NAT port: Select the Enable check box and type the translated port number into the Port box. The range is 1 to 65535.
   • Load balance: Select the Enable check box to enable the function. Then, traffic will be balanced to different Intranet servers.
     
5. On the Advanced tab, configure DNAT advanced options.
   • Ping track: Select the Enable check box to enable Ping track, which means the system will send Ping packets to check whether the Intranet servers are reachable.
   • TCP track: Select the Enable check box to enable TCP track, which means the system will send TCP packets to check whether the TCP ports of Intranet servers are reachable.
   • TCP port: Specifies the port number. The value range is 1 to 65535.
   • NAT log: Select the Enable check box to enable the log function for this DNAT rule (generating log information when there is traffic matching to this NAT rule).
   • HA group: Specifies the HA group that the DNAT rule belongs to. The default setting is 0.
   • Rule position: Specifies the position of the rule. Each DNAT rule has a unique ID. When traffic flowing into the security appliance, system will search DNAT rules by sequence, and then implement NAT on the destination IP of the traffic according to the first matched rule. The sequence of the ID showed in the DNAT rule list is the order of the rule matching. Select one of the following items from the drop-down list:
     Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system will put the newly-created DNAT rule at the bottom of all DNAT rules.
     Top - The rule is located at the top of all the rules in the DNAT rule list.
     Before ID - Type the ID number into the box. The rule will be located before the ID you specified.
     After ID - Type the ID number into the box. The rule will be located after the ID you specified.
   • ID: Specifies the method you get the rule ID. It can be automatically assigned by system or manually assigned by yourself. If you click Manually assign ID, you should type an ID number into the box behind.
6. Click OK to save your settings.

Editing a DNAT Rule

To edit a DNAT rule, take the following steps:

1. On the Navigation pane, click Configure > Network > NAT to visit the SNAT page.
2. Click the DNAT tab to visit the DNAT page.
3. Select the rule you want to edit and click Edit.
4. In the DNAT Configuration dialog, modify according to your need.
5. Click OK to save your changes.

Deleting a DNAT Rule

To delete a DNAT rule, take the following steps:

1. On the Navigation pane, click Configure > Network > NAT to visit the SNAT page.
2. Click the DNAT tab to visit the DNAT page.
3. Select the rule you want to delete and click Delete.

Adjusting Priority

Each DNAT rule has a unique ID. When traffic flowing into the security appliance, system will search DNAT rules by sequence, and then implement NAT on the destination IP of the traffic according to the first matched rule. The sequence of the ID showed in the DNAT rule list is the order of the rule matching.

To adjust priority, take the following steps:

1. On the Navigation pane, click Configure > Network > NAT to visit the SNAT page.
2. Click the DNAT tab to visit the DNAT page.
3. Select the rule you want to adjust its priority and click Priority.
4. In the Adjust Priority dialog, move the selected rule to:
   • Top: The rule is moved to the top of all the rules in the DNAT rule list.
   • Bottom: The rule is moved to the bottom of all the rules in the DNAT rule list. By default, the system will put the newly-created DNAT rule at the bottom of all DNAT rules.
   • Before ID: Specifies the ID number. The rule will be moved before the ID you specified.
   • After ID: Specifies the ID number. The rule will be moved after the ID you specified.
5. Click OK to save your settings.