About Port Forwarding; About Masquerading And Source Nat - McAfee SG310 Administration Manual

Firewall menu options
NAT
• Port forwarding/Destination NAT — For incoming traffic
• Masquerading/Source NAT — For outgoing traffic
• One-to-one NAT — For connections established in both directions. Source and destination NAT are combined within one rule.

About port forwarding

The most common of these is port forwarding, which is also referred to as PAT (Port Address Translation),
or DNAT (Destination NAT). This is typically used to alter the destination address (and possibly port) of
matched packets arriving on the UTM Firewall appliance Internet interface to the address of a host on the
DMZ or LAN. This is the most common way for internal masqueraded servers to offer services externally.
In Figure 174, the UTM Firewall appliance replaces the original destination IP address (DST_IP=3.3.3.3) of an inbound packet with the IP address of the actual DMZ server, which is 25.25.25.25. The source IP address remains the same at 1.1.1.1.
Figure 174 Port forwarding
Table 13 NAT packets source and destination IP addresses
  Packet from client           Packet from UTM Firewall after NAT
  SRC_IP=1.1.1.1               SRC_IP=1.1.1.1
  DST_IP=3.3.3.3 (Pre-DNAT)    DST_IP=25.25.25.25 (Post DNAT)
In the UTM Firewall appliance, NAT is performed as early as possible for destination addresses and as late as possible for source addresses.

About masquerading and source NAT

Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP address. This is the type of NAT used by the UTM Firewall appliance to masquerade your private network behind its public IP address. To a server on the Internet, requests originating from the hosts behind a masqueraded interface appear to originate from the UTM Firewall appliance, as matched packets have their source address altered. You can enable or disable source NAT between interfaces under Masquerading, and fine-tune source NAT rules under Source NAT.
Source NAT is especially useful when you have DMZ servers behind the UTM Firewall appliance that require the outgoing connections they initiate to appear as though they originate from a particular public IP address. The specified public IP address would be assigned as an alias to the WAN interface of the UTM Firewall appliance.
In Figure 175, the UTM Firewall appliance replaces the source IP address (SRC_IP=1.1.1.1) of the originating packet with the IP address of the exiting interface, which is 3.3.3.3. The destination IP address remains 25.25.25.25.
172 McAfee UTM Firewall 4.0.4 Administration Guide
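The ordering rule above (destination NAT before routing, source NAT after it) and the two figures can be checked with a small model of a NAT forwarding path. This is an added example, not code from the McAfee appliance: it assumes a firewall with one WAN interface (3.3.3.3) and one DMZ interface, and a connection-tracking table that undoes both translations on the reply, so the figure 174 client receives its answer from 3.3.3.3 and the figure 175 host receives its answer at 1.1.1.1.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    port: int = 80  # server-side port, unchanged in both directions here


class NatFirewall:
    """Toy model (not the appliance's code) of the two NAT hook points."""

    def __init__(self, wan_addr, dnat_rules, dmz_hosts):
        self.wan_addr = wan_addr      # public address of the exiting (WAN) interface
        self.dnat_rules = dnat_rules  # (public dst, port) -> (internal dst, port)
        self.dmz_hosts = dmz_hosts    # hosts reached through the DMZ interface
        self.conntrack = {}           # reply key -> original (pre-NAT) packet

    def prerouting_dnat(self, pkt):
        # Destination NAT is applied first, before the routing decision.
        target = self.dnat_rules.get((pkt.dst, pkt.port))
        return replace(pkt, dst=target[0], port=target[1]) if target else pkt

    def route(self, pkt):
        # Routing sees the post-DNAT destination, so forwarded traffic reaches the DMZ.
        return "dmz" if pkt.dst in self.dmz_hosts else "wan"

    def postrouting_snat(self, pkt, out_iface):
        # Masquerading is applied last, and only to packets leaving the WAN interface.
        return replace(pkt, src=self.wan_addr) if out_iface == "wan" else pkt

    def forward(self, pkt):
        translated = self.prerouting_dnat(pkt)
        out = self.postrouting_snat(translated, self.route(translated))
        self.conntrack[(out.dst, out.src, out.port)] = pkt  # remember how to undo it
        return out

    def reply(self, pkt):
        # Reverse both translations; a reply with no tracked connection is dropped.
        orig = self.conntrack.get((pkt.src, pkt.dst, pkt.port))
        return None if orig is None else replace(pkt, src=orig.dst, dst=orig.src)


def port_forward_example():  # Figure 174: 3.3.3.3:80 forwarded to DMZ host 25.25.25.25
    fw = NatFirewall("3.3.3.3", {("3.3.3.3", 80): ("25.25.25.25", 80)}, {"25.25.25.25"})
    return fw.forward(Packet("1.1.1.1", "3.3.3.3")), fw.reply(Packet("25.25.25.25", "1.1.1.1"))


def masquerade_example():  # Figure 175: internal host 1.1.1.1 leaves as 3.3.3.3
    fw = NatFirewall("3.3.3.3", {}, set())
    return fw.forward(Packet("1.1.1.1", "25.25.25.25")), fw.reply(Packet("25.25.25.25", "3.3.3.3"))
```

The forwarded packets match Table 13 and Figure 175 respectively; a reply that matches no tracked connection comes back as None, which is the behaviour a masquerading firewall relies on to keep unsolicited inbound packets from reaching private hosts.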
