About Dynamic NAT; About Static NAT - WatchGuard Firebox X15 User Manual

Firebox X Edge e-Series version 10: all Firebox X Edge e-Series standard and wireless models

Secondary IP addresses
You can assign eight public IP addresses to the primary external interface (WAN1). These addresses are used
for 1-to-1 NAT.
When you configure secondary IP addresses on the external network:
The primary IP address must be a static IP address. The first IP address is the primary IP address.
All secondary IP addresses must be on the same external subnet as the primary IP address.
You cannot configure multiple IP addresses for the WAN2 interface. The WAN2 interface must be on a
different subnet than the WAN1 interface.

About dynamic NAT

Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing
connection to the public IP address of the Firebox. Outside the Firebox, you see only the external interface IP
address of the Firebox on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security for
internal hosts that use the Internet, because it hides the IP addresses of hosts on your network. With dynamic
NAT, all connections must start from behind the Firebox. Malicious hosts cannot start connections to the
computers behind the Firebox when the Firebox is configured for dynamic NAT.
The Edge automatically uses dynamic NAT on all outgoing traffic. If you want outgoing traffic from a host on
the trusted or optional network to show an IP address that is different from the primary IP address on the
external network, you must use 1-to-1 NAT. For more information, see About 1-to-1 NAT.

About static NAT

Static NAT, also known as port forwarding, is a port-to-host NAT. A host sends a packet from the external
network to a port on an external interface. Static NAT changes the destination IP address to an IP address and
port behind the firewall. If a software application uses more than one port and the ports are selected
dynamically, you must use 1-to-1 NAT or check whether a proxy on the Firebox will manage this kind of traffic.
When you use static NAT, you use an external IP address of your Firebox instead of the IP address of a public
server. You could do this because you choose to, or because your public server does not have a public IP
address. For example, you can put your SMTP email server behind the Firebox with a private IP address and
configure static NAT in your SMTP policy. The Firebox receives connections on port 25 and makes sure that
any SMTP traffic is sent to the real SMTP server behind the Firebox.
You configure static NAT with incoming firewall policies. For more information, see About using common
packet filter policies.
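
The Python sketch below is an added example, not part of the WatchGuard manual and not the Firebox implementation. It models the two behaviours described above: dynamic NAT rewriting outgoing sources and admitting only replies, and a static NAT entry forwarding port 25 to an internal SMTP server. All addresses, the port-allocation scheme and the names Nat, STATIC_NAT, EXTERNAL_IP and exposed_services are assumptions.

```python
"""Simplified model of dynamic and static NAT (constructed values, not Firebox code)."""
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.10"          # constructed external interface address
STATIC_NAT = {25: ("10.0.0.25", 25)}  # constructed SMTP policy: port 25 -> mail server


@dataclass
class Nat:
    external_ip: str
    static_nat: dict
    next_port: int = 40000  # assumed allocation scheme for translated source ports
    sessions: dict = field(default_factory=dict)  # ext_port -> (in_ip, in_port, peer_ip, peer_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Dynamic NAT: replace the internal source with the external IP, record the session."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[ext_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.external_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the packet as delivered inside, or None when it is dropped."""
        if dst_ip != self.external_ip:
            return None
        session = self.sessions.get(dst_port)
        if session and session[2:] == (src_ip, src_port):
            # Reply to a connection that started behind the firewall.
            return (src_ip, src_port, session[0], session[1])
        if dst_port in self.static_nat:
            # Static NAT: the inbound policy forwards this port to one internal host.
            host, port = self.static_nat[dst_port]
            return (src_ip, src_port, host, port)
        return None  # unsolicited, and no static NAT entry for this port


def exposed_services(nat):
    """Internal endpoints reachable by connections that start outside: the static NAT entries."""
    return sorted((port, host, hport) for port, (host, hport) in nat.static_nat.items())


if __name__ == "__main__":
    nat = Nat(EXTERNAL_IP, STATIC_NAT)
    print(nat.outbound("10.0.0.50", 51000, "198.51.100.7", 443))
    print(nat.inbound("198.51.100.7", 443, EXTERNAL_IP, 40000))   # reply: delivered
    print(nat.inbound("192.0.2.66", 5555, EXTERNAL_IP, 40000))    # stranger: None
    print(nat.inbound("192.0.2.66", 5555, EXTERNAL_IP, 25))       # forwarded to SMTP host
    print(exposed_services(nat))
```

In this model the only packets from outside that reach an internal host without a prior outgoing connection are those matching a static NAT entry, so those entries are the ones to review when auditing inbound exposure.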
