If you define Layer 3 interfaces on Deep Edge, you can use Network Address Translation (NAT) policies to specify whether source or destination IP addresses and ports are converted between public and private addresses and ports. For example, private source addresses can be translated to public addresses on traffic sent from an internal (trusted) zone to a public (untrusted) zone.
The following NAT policy rule translates a range of private source addresses (10.0.0.1 to 10.0.0.100) to a single public IP address (200.10.2.100) and a unique source port number (dynamic source translation). The rule applies only to traffic received on a Layer 3 interface in the internal (trusted) zone that is destined for an interface in the public (untrusted) zone. Because the private addresses are hidden, network sessions cannot be initiated from the public network. If the public address is not a Deep Edge interface address (or on the same subnet), the local router requires a static route to direct return traffic to Deep Edge.
Deep Edge offers Source NAT and Destination NAT mode options.
For Source NAT:
Source NAT—Source NAT (SNAT) changes the source address in the IP header of a packet. The primary purpose is to change a private (RFC 1918) address/port into a public address/port for packets leaving your network. If you select SNAT, you must also configure:
Egress Interface—Select ANY or any L3 interface from the drop-down list to act as an interface for egress traffic, which is traffic that originates from inside the network.
Source IP translation—Select from the following options:
Use Egress Interface IP—The egress interface IP address is used for translation. When not using the egress interface IP address, users must explicitly specify an interface with one of the next three options.
Use single IP—The specified IP address is used for translation.
Use IP range—The specified IP address range is used for translation.
Use a Subnet—The specified subnet is used for translation.
Advanced options for SNAT allow users to specify more detailed information or matching conditions, including:
Protocol: Any, TCP, or UDP. Any means all protocols.
Source IP address range: Specified by administrator
Source Port range: Specified by administrator
Destination IP address range: Specified by administrator
Destination Port range: Specified by administrator
For Destination NAT:
Destination NAT—Destination NAT (DNAT) changes the destination address in the IP header of a packet. The primary purpose of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network. If you select DNAT, you must also configure:
Ingress interface—Select ANY or any L3 interface from the drop-down list to act as the interface for network traffic that originates from outside of the network’s routers and proceeds toward a destination inside of the network.
Destination IP translation—Select from the following options:
Use Ingress Interface IP—The specified ingress interface IP address range is used for translation. When not using the ingress interface IP address, users must explicitly specify an interface with the next option, Use Virtual IP address.
Use a Virtual IP address—When users specify an external IP address range, the translated IP address range is generated automatically according to the beginning of the IP address. The mapping is one-to-one.
Port Forward—Check the Port Forward check box for static one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. Select the protocol from Any, TCP, or UDP. (Any means all protocols.) When users specify the External Service Port range, the Map to Port is generated automatically according to the beginning port. The mapping is one-to-one.
Advanced options for DNAT allow users to specify more detailed information or matching conditions, including:
Source IP address range: Specified by administrator
Source Port range: Specified by administrator
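The following Python sketch is an added example, not Deep Edge code or configuration. It models the one-to-one Virtual IP and Port Forward mapping described above so that an administrator can list exactly which internal addresses and ports a DNAT rule exposes before enabling it. The DnatRule field names, the sample addresses, and the offset-preserving reading of "generated automatically according to the beginning" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnatRule:
    """Hypothetical model of one DNAT rule; field names are not Deep Edge's."""
    ext_ip_start: str                      # first external (virtual) IP
    ext_ip_end: str                        # last external (virtual) IP
    map_ip_start: str                      # first mapped (internal) IP
    ext_port_start: Optional[int] = None   # None = Port Forward unchecked
    ext_port_end: Optional[int] = None
    map_port_start: Optional[int] = None


def translate(rule, dst_ip, dst_port):
    """Return the (ip, port) a packet is rewritten to, or None if no match."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    first = int(ipaddress.IPv4Address(rule.ext_ip_start))
    if not first <= ip <= int(ipaddress.IPv4Address(rule.ext_ip_end)):
        return None
    # Assumption: the Nth external IP maps to the Nth mapped IP (same offset).
    mapped_ip = str(ipaddress.IPv4Address(rule.map_ip_start) + (ip - first))
    if rule.ext_port_start is None:
        return mapped_ip, dst_port         # address-only translation
    if not rule.ext_port_start <= dst_port <= rule.ext_port_end:
        return None
    # Assumption: the Nth external port maps to the Nth mapped port.
    return mapped_ip, rule.map_port_start + (dst_port - rule.ext_port_start)


def exposure(rule):
    """Rows of (ext_ip, ext_port, mapped_ip, mapped_port); None = all ports."""
    first = int(ipaddress.IPv4Address(rule.ext_ip_start))
    last = int(ipaddress.IPv4Address(rule.ext_ip_end))
    if rule.ext_port_start is None:
        ports = [None]
    else:
        ports = range(rule.ext_port_start, rule.ext_port_end + 1)
    rows = []
    for n in range(first, last + 1):
        ext = str(ipaddress.IPv4Address(n))
        for p in ports:
            mapped_ip, mapped_port = translate(rule, ext, 0 if p is None else p)
            rows.append((ext, p, mapped_ip, None if p is None else mapped_port))
    return rows


# Constructed sample rule: 3 external IPs x 3 external ports, forwarded inward.
RULE = DnatRule("203.0.113.10", "203.0.113.12", "192.168.10.20", 8080, 8082, 80)
```

Calling exposure(RULE) returns nine rows, one per external address and port pair, which can be compared against the list of services that are meant to be reachable from the untrusted zone.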