Using service-based NAT – WatchGuard Technologies Firebox™ System 4.6 User Manual


User Guide

65

Using service-based NAT

Using service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service basis. Service-based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry.

For example, suppose simple NAT is enabled from the Trusted network to the Optional network, and a Web server on the Optional network must see the true Trusted addresses rather than the masqueraded address. Add a service icon allowing Web access from the Trusted network to the Optional Web server, and set that service's dynamic NAT setting to Disable NAT. In this configuration, all Web access from the Trusted network to the Optional Web server is made with the true source IP, and all other traffic from Trusted to Optional is masqueraded.

You can also use service-based NAT in lieu of simple dynamic NAT. Rather than
applying NAT rules globally to all outgoing packets, you can start from the premise
that no masquerading takes place and then selectively masquerade a few individual
services.

Enabling service-based NAT

Service-based NAT is not dependent on enabling simple dynamic NAT. From Policy
Manager:

1 Select Setup => NAT. Click Advanced.

2 Enable the Enable Service-Based NAT checkbox.

3 Click OK to close the Advanced NAT dialog box. Click OK to close the Dynamic NAT dialog box.

Configuring service-based NAT exceptions

By default, services take on whatever dynamic NAT properties you have set for
simple NAT. However, you can override this setting in the service’s Properties dialog
box. There are three options:

Use Default (Simple NAT) – Service-based NAT is not enabled for the service. The service uses the simple dynamic NAT rules configured in the Dynamic NAT Entries list (see “Adding dynamic NAT entries” on page 64).

Disable NAT – Disables dynamic NAT for outgoing packets using this service. Use this setting to create service-by-service exceptions to outgoing NAT.

Enable NAT – Enables service-based NAT for outgoing packets using this service regardless of how the simple dynamic NAT settings are configured.

From Policy Manager:

1 Double-click the service icon. Click Outgoing.

If either simple dynamic NAT or service-based NAT is already enabled, an entry appears at the bottom of the Outgoing tab.

2 Use the Choose Dynamic NAT Setup drop list to select the Use Default (Simple NAT), Disable NAT, or Enable NAT setting.

3 Click OK.
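To make the precedence between the per-service setting and the Dynamic NAT Entries list concrete, the following is an added Python model of the decision (example code written for this page, not the Firebox's own NAT code and not from the manual). The networks, host addresses, service names and the rule that the first matching service icon decides are assumptions made for the example; the address that masqueraded packets leave with is modeled, also as an assumption, as the Firebox's Optional interface address. The three scenarios reproduce the Web-server exception described above, the "service-based NAT in lieu of simple NAT" arrangement, and the effect of clearing the Enable Service-Based NAT checkbox.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed topology for this example (assumption: these addresses are not from the manual).
TRUSTED = ip_network("10.0.1.0/24")
OPTIONAL = ip_network("10.0.2.0/24")
OPTIONAL_IFACE = ip_address("10.0.2.1")  # assumed masquerade address on the Optional side
WEB_SERVER = ip_address("10.0.2.80")

# The three choices in the Choose Dynamic NAT Setup drop list.
USE_DEFAULT, DISABLE_NAT, ENABLE_NAT = "default", "disable", "enable"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass
class Service:
    """One service icon: protocol/port plus the hosts it allows traffic to (None = any)."""
    name: str
    proto: str
    dport: int
    to_hosts: Optional[frozenset] = None
    nat_setting: str = USE_DEFAULT

    def matches(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dport) != (self.proto, self.dport):
            return False
        return self.to_hosts is None or pkt.dst in self.to_hosts


@dataclass
class DynamicNatPolicy:
    simple_nat_entries: list            # (from_network, to_network) pairs
    services: list = field(default_factory=list)
    service_based_nat: bool = True      # the Enable Service-Based NAT checkbox

    def simple_nat_applies(self, pkt: Packet) -> bool:
        return any(pkt.src in src_net and pkt.dst in dst_net
                   for src_net, dst_net in self.simple_nat_entries)

    def masquerade(self, pkt: Packet) -> bool:
        """True if the source address is rewritten, False if the true source is kept."""
        if self.service_based_nat:
            for svc in self.services:          # assumption: first matching icon decides
                if not svc.matches(pkt):
                    continue
                if svc.nat_setting == DISABLE_NAT:
                    return False
                if svc.nat_setting == ENABLE_NAT:
                    return True
                break                          # USE_DEFAULT: fall back to simple NAT
        return self.simple_nat_applies(pkt)

    def translate(self, pkt: Packet) -> Packet:
        if self.masquerade(pkt):
            return Packet(OPTIONAL_IFACE, pkt.dst, pkt.proto, pkt.dport)
        return pkt


def exception_scenario() -> dict:
    """Simple NAT Trusted->Optional, with HTTP to the Web server exempted via Disable NAT."""
    policy = DynamicNatPolicy(
        simple_nat_entries=[(TRUSTED, OPTIONAL)],
        services=[Service("HTTP-to-webserver", "tcp", 80, frozenset({WEB_SERVER}), DISABLE_NAT)],
    )
    client = ip_address("10.0.1.25")
    web = policy.translate(Packet(client, WEB_SERVER, "tcp", 80))
    smtp = policy.translate(Packet(client, ip_address("10.0.2.25"), "tcp", 25))
    return {"web_src": str(web.src), "smtp_src": str(smtp.src)}


def selective_scenario() -> dict:
    """Service-based NAT in lieu of simple NAT: nothing is masqueraded except DNS."""
    policy = DynamicNatPolicy(
        simple_nat_entries=[],
        services=[Service("DNS", "udp", 53, None, ENABLE_NAT)],
    )
    client = ip_address("10.0.1.25")
    dns = policy.translate(Packet(client, ip_address("10.0.2.53"), "udp", 53))
    http = policy.translate(Packet(client, WEB_SERVER, "tcp", 80))
    return {"dns_src": str(dns.src), "http_src": str(http.src)}


def checkbox_off_scenario() -> str:
    """Same exception as above, but with Enable Service-Based NAT cleared: the per-service
    Disable NAT setting is ignored (model assumption) and the Web server sees the masqueraded source."""
    policy = DynamicNatPolicy(
        simple_nat_entries=[(TRUSTED, OPTIONAL)],
        services=[Service("HTTP-to-webserver", "tcp", 80, frozenset({WEB_SERVER}), DISABLE_NAT)],
        service_based_nat=False,
    )
    return str(policy.translate(Packet(ip_address("10.0.1.25"), WEB_SERVER, "tcp", 80)).src)
```

Two points worth checking against a real configuration before relying on an exception: a Disable NAT setting deliberately exposes true Trusted addresses to the Optional host, so confirm that disclosure is intended for each service you exempt; and, in this model, the exception only holds while the Enable Service-Based NAT checkbox is set, so clearing it later silently returns the Web server's traffic to the masqueraded address.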
