Adding a Destination NAT Rule

Destination NAT (DNAT) changes the destination address in IP header of a packet. The primary purpose of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside the network. The following table explains the required configurations if using DNAT.

  1. Go to Gateways > (gateway name) > NETWORK > NAT > Add.
  2. Configure the NAT settings based on the NAT type, then click Apply.

    NAT type

    Select Destination NAT to specify setting when IP packets are forwarded.

    Ingress interface

    Select ANY or any L3 interface from the drop-down list to act as the interface for network traffic that originates from outside of the network’s routers and proceeds toward a destination inside of the network.

    Destination IP translation

    Select from the following options:

    • Use Ingress Interface IP—Ingress Interface IP address range specified will be used for translation. When not using the ingress interface IP address, users must explicitly specify an interface with the next option, Use Virtual IP address.
    • Use a Virtual IP address—When users specify an external IP address range, the translated IP address range is automatically generated according to the beginning IP address. The mapping is one-to-one mapping.
    • Port Forward—Check the Port Forward check box for static one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. Select the protocol from Any, TCP, or UDP. (Any means all protocols.) When users specify the External Service Port range, the Map to Port will be generated automatically according to the beginning port. The mapping is one-to-one mapping.


    Specify an identifying characteristic about use or configuration for the NAT rule.

    Advanced options for DNAT

    Allow users to specify more detailed information or matching conditions, including:

    • Source IP address range: Specified by administrator.
    • Source Port range: Specified by administrator.
  3. Verify that the new rule is added to the list at Network > NAT.