Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.107

Bidirectional NAT

Update time: 2026-02-05

Bidirectional NAT (BNAT) translates both the source IP address and the destination IP address of traffic passing through the device. It is typically used to publish a server: a service on a LAN server is mapped to a public IP address so that external users and internal users both reach the server through that public address. The destination translation steers the traffic to the LAN server. The source translation is what makes the policy usable from inside the LAN: without it, a LAN client that addresses the public IP would receive the server's reply directly from the server's private address, which it never connected to, and would discard it. The following figure shows the bidirectional NAT process.

Configuration Example

An enterprise runs an HTTP service on port 80 of a web server at 172.16.1.100 in the LAN, and has registered the domain name www.xxx.com, which resolves to the public IP address 1.2.1.1. The customer wants external users to reach the server at 172.16.1.100 by entering http://www.xxx.com, and wants LAN users to reach the same server by visiting http://www.xxx.com as well. This requires a bidirectional NAT policy.

Step 1. Define the LAN and WAN zones. Before you add a bidirectional NAT policy, navigate to Network > Zones and, on the Zones page, assign each interface to its zone. In this example, assign the ETH2 interface to LAN and the ETH1 interface to WAN.

Step 2. Add a NAT policy. Navigate to Policies > NAT > IPv4 NAT and click Add. In the Add IPv4 NAT dialog box, select Bidirectional NAT, enter a policy name in the Name field and an optional description in the Description field, and set the Position and Schedule parameters in the Basics section.

Step 3. Set the Original Data Packet conditions that traffic must match for the policy to apply.

Src Zone: The zone from which traffic entering the device is subject to BNAT. When a LAN server is published to the internet and LAN users should also reach it through its public domain name, select both WAN and LAN, as in this example.

Src Address: The source IP addresses whose traffic is subject to BNAT. Only traffic from these addresses is translated.

Destination: The IP address that users access before BNAT is applied, normally the public IP address of a device interface. In this example, set it to 1.2.1.1.

Services: The service for which BNAT is performed. In this example, select http (TCP:80). Keep this limited to the ports the server actually publishes rather than selecting all services, since the policy also opens the matching traffic at the application control level in Step 5. The service can be added directly or defined in Network Objects.

Step 4. Set the Translated Data Packet parameters.

IP Address: The address to which the destination IP address is translated, and whether the destination port is translated as well. In this example, set Translate Dst IP To to IP Address and enter the LAN web server 172.16.1.100, and set Translate Port To to Untranslated so that port 80 is kept.

Step 5. By default, Add ACL policy automatically is selected for the Allow parameter. This automatically permits all traffic matching this policy at the application control level. If you clear this option, you must configure an application control policy yourself, or the translated traffic is not allowed through. Finally, click Save. The configuration is complete. See the figure below.

Step 6. Verify the result: both external and internal users can now access the server at 172.16.1.100 by visiting http://www.xxx.com. Note that because the source address of internal requests is also translated, the web server's own logs show a firewall address (typically the LAN interface address) instead of the LAN client's address for those connections; use the firewall's session logs when per-client attribution is needed.
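The following Python model is added here as an illustration; it is not Athena NGFW code. It traces one request through the policy configured in Steps 1 to 5, once from an external client and once from a LAN client, and shows why the source address must be translated in the LAN case. The public IP 1.2.1.1, the server 172.16.1.100 and TCP/80 come from the example; the LAN segment 172.16.1.0/24, the firewall's LAN interface address 172.16.1.1 and the client addresses 5.6.7.8 and 172.16.1.50 are assumptions made for this model.

```python
"""Model of the bidirectional NAT (BNAT) policy configured above.

Added illustration, not Athena NGFW code. Destination NAT is applied for
every client; for a LAN client reaching the public address (hairpin) the
source is translated as well, so the reply returns through the firewall.
Assumed: LAN segment 172.16.1.0/24, firewall LAN address 172.16.1.1.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LAN_NET = ipaddress.ip_network("172.16.1.0/24")  # assumed LAN segment (ETH2)
FW_LAN_IP = "172.16.1.1"                          # assumed ETH2 address


def zone_of(ip: str) -> str:
    """Step 1: a host is in the LAN zone if it sits in LAN_NET, otherwise in WAN."""
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "WAN"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class BNATPolicy:
    """Steps 3 and 4: Original Data Packet conditions and Translated Data Packet."""
    src_zones: frozenset                    # Src Zone
    dst_ip: str                             # Destination (public IP)
    service: tuple                          # Services as (proto, port)
    translated_ip: str                      # Translate Dst IP To
    translated_port: Optional[int] = None   # Translate Port To; None = Untranslated
    hairpin_snat: bool = True               # False = destination NAT only (for comparison)


class Firewall:
    def __init__(self, policy: BNATPolicy):
        self.policy = policy
        self.sessions = {}  # translated (src, sport, dst, dport) -> original packet

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Client -> server. Returns the packet as the server sees it, or None if unmatched."""
        p = self.policy
        zone = zone_of(pkt.src_ip)
        if (zone not in p.src_zones or pkt.dst_ip != p.dst_ip
                or (pkt.proto, pkt.dst_port) != p.service):
            return None
        dport = pkt.dst_port if p.translated_port is None else p.translated_port
        out = replace(pkt, dst_ip=p.translated_ip, dst_port=dport)  # destination NAT
        if p.hairpin_snat and zone == zone_of(p.translated_ip):
            out = replace(out, src_ip=FW_LAN_IP)                    # source NAT (hairpin)
        self.sessions[(out.src_ip, out.src_port, out.dst_ip, out.dst_port)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client: look up the session and undo both translations."""
        orig = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port, pkt.proto)


POLICY = BNATPolicy(frozenset({"WAN", "LAN"}), "1.2.1.1", ("tcp", 80), "172.16.1.100")
DNAT_ONLY = replace(POLICY, hairpin_snat=False)    # same policy without the source NAT
PORT_8080 = replace(POLICY, translated_port=8080)  # Translate Port To: 8080 instead


def access(client_ip: str, port: int = 80, policy: BNATPolicy = POLICY) -> dict:
    """Simulate one request to http://www.xxx.com (1.2.1.1); report if the reply is accepted."""
    fw = Firewall(policy)
    sent = Packet(client_ip, 40000, "1.2.1.1", port)
    to_server = fw.forward(sent)
    if to_server is None:
        return {"matched": False, "accepted": False}
    # The server answers whatever source address it saw.
    server_reply = Packet(to_server.dst_ip, to_server.dst_port,
                          to_server.src_ip, to_server.src_port)
    if server_reply.dst_ip != FW_LAN_IP and zone_of(server_reply.dst_ip) == "LAN":
        received = server_reply  # same segment: delivered directly, the firewall never sees it
    else:
        received = fw.reply(server_reply)
    # A TCP client only accepts a reply from the address and port it connected to.
    accepted = received is not None and \
        (received.src_ip, received.src_port) == (sent.dst_ip, sent.dst_port)
    return {"matched": True, "to_server": to_server, "received": received,
            "accepted": accepted}


if __name__ == "__main__":
    for ip, pol in [("5.6.7.8", POLICY), ("172.16.1.50", POLICY), ("172.16.1.50", DNAT_ONLY)]:
        r = access(ip, policy=pol)
        print(f"{ip:>12} hairpin_snat={pol.hairpin_snat}: server sees "
              f"{r['to_server'].src_ip}, client accepts reply: {r['accepted']}")
```

With DNAT_ONLY the server answers the LAN client directly from 172.16.1.100, the client rejects a reply from an address it never contacted, and the connection fails; with the source NAT in place the reply returns through the firewall and both translations are undone. The same model shows the cost noted in Step 6: the server sees 172.16.1.1 for every LAN client.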