Network > NAT Policies
249
SonicOS Enhanced 4.0 Administrator Guide
• Translated Service: This drop-down menu setting is what the SonicWALL security
appliance translates the Original Service to as it exits the SonicWALL security appliance,
whether it be to another interface, or into/out-of VPN tunnels. You can use the default
services in the SonicWALL security appliance, or you can create your own entries. For
many NAT Policies, this field is set to Original, as the policy is only altering source or
destination IP addresses.
• Inbound Interface: This drop-down menu setting is used to specify the entry interface of
the packet. When dealing with VPNs, this is usually set to Any, since VPN tunnels aren’t
really interfaces.
• Outbound Interface: This drop-down is used to specify the exit interface of the packet
once the NAT policy has been applied. This field is mainly used for specifying which WAN
interface to apply the translation to. Of all fields in NAT policy, this one has the most
potential for confusion. When dealing with VPNs, this is usually set to Any, since VPN
tunnels aren’t really interfaces. Also, as noted in the Quick Q&A’ section of this chapter,
when creating inbound 1-2-1 NAT Policies where the destination is being remapped from a
public IP address to a private IP address, this field must be set to Any.
• Comment: This field can be used to describe your NAT policy entry. The field has a 32-
character limit, and once saved, can be viewed in the main Network > NAT Policies page
by running the mouse over the text balloon next to the NAT policy entry. Your comment
appears in a pop-up window as long as the mouse is over the text balloon.
• Enable NAT Policy: By default, this box is checked, meaning the new NAT policy is
activated the moment it is saved. To create a NAT policy entry but not activate it
immediately, uncheck this box.
• Create a reflective policy: When you check this box, a mirror outbound or inbound NAT
policy for the NAT policy you defined in the Add NAT Policy window is automatically
created.
NAT Policies Q&A
Why is it necessary to specify ‘Any’ as the destination interface for inbound 1-2-1
NAT policies?
It may seem counter-intuitive to do this, given that other types of NAT policies require you to
specify the destination interface, but for this type of NAT policy, this is what is necessary. The
SonicWALL security appliance uses this field during the NAT Policy lookup and validates it
against the packet that it receives, but if this is set to some internal interface such as LAN, the
lookup fails because at that point, the SonicWALL security appliance does not know that the
packet is going to LAN. It’s not until after the SonicWALL security appliance performs the NAT
Policy lookup that it knows that the packet is going to LAN. At the precise time that the
SonicWALL security appliance does the NAT Policy lookup, the packet looks like it is going from
WAN -> WAN (or whatever interface it is coming in on), since doing a route lookup on the NAT
Public address returns the Public interface.
Can I manually order the NAT Polices?
No, the SonicWALL security appliance automatically orders them, depending on the granularity
of the rule. This means that you can create NAT policy entries for the same objects, if each
policy has more granularity than the existing policy. For example, you can create a NAT policy