SNAT - why would I ever change the source address?

I was reading the docs "Configure Static NAT (SNAT)" and it says this:

"When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when a connection that matches the parameters in your static NAT action is received by your Firebox, it changes the source IP address to the IP address that you specify. You can specify a different source IP address for each SNAT member."

Why would I ever change the source address? To me it seems that it would break NAT.

Comments

  •

    It won't break NAT as the firewall will undo this on the reply packet.

    One example of needing to do this is web access to site A but the web site is really at site B which is connected via a BOVPN.
    Without changing the source IP addr of the packet to something at site A, the reply packet will not go back via the BOVPN and initiating site will reject the reply packet coming from a public IP addr at site B.

  •

    Thanks Bruce, but I can't work out your explanation. Do you know of a resource that explains this with diagrams?

  •

    How about this?

    Working example:
    source packet - from web browser to web site @ 2.2.2.2 where web server is actually at 10.2.2.20 behind FirewallB
    Source IP = 1.1.1.1 -> FirewallA 2.2.2.2 -> source IP NATed to 10.1.1.2 -> VPN to FirewallB (3.3.3.3) -> 10.2.2.20 FirewallB web server
    reply packet - from 10.2.2.20 FirewallB web server to sending source IP 10.1.1.2
    Dest IP = 10.1.1.2 -> FirewallB (3.3.3.3) -> VPN to FirewallA 2.2.2.2 -> dest IP NATed back to 1.1.1.1 -> to web browser: Dest IP = 1.1.1.1

    Failing example:
    source packet - from web browser to web site @ 2.2.2.2 where web server is actually at 10.2.2.20 behind FirewallB
    Source IP = 1.1.1.1 -> FirewallA 2.2.2.2 -> VPN to FirewallB (3.3.3.3) -> 10.2.2.20 FirewallB web server
    reply packet - from 10.2.2.20 FirewallB web server to sending source IP 1.1.1.1
    Dest IP = 1.1.1.1 -> FirewallB (3.3.3.3) -> to web browser: Dest IP = 1.1.1.1
    web client or firewall at 1.1.1.1 will drop an unexpected reply packet from 3.3.3.3 - expecting a reply from 2.2.2.2
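A small Python model of the two flows traced above (the working one, where FirewallA changes the source address, and the failing one, where it does not), added here as an illustration; it is not code from the thread or from WatchGuard. It assumes the addresses used in the example (client 1.1.1.1, FirewallA 2.2.2.2, FirewallB 3.3.3.3, web server 10.2.2.20, SNAT source 10.1.1.2), that 10.1.1.0/24 is the site A LAN which FirewallB only reaches over the BOVPN, that the web traffic is on port 443, and that FirewallB applies dynamic NAT to anything it sends out its public interface. All of those are assumptions made for the simulation.

```python
"""Model of static NAT with and without a changed source address across a BOVPN.

Constructed scenario (assumptions, not product behaviour): a client at 1.1.1.1
connects to 2.2.2.2:443 on FirewallA, which static-NATs the connection to the
web server 10.2.2.20 behind FirewallB (3.3.3.3). The two sites are joined by a
BOVPN that carries 10.1.1.0/24 <-> 10.2.2.0/24.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

CLIENT, FW_A, FW_B, WEB, SNAT_IP = "1.1.1.1", "2.2.2.2", "3.3.3.3", "10.2.2.20", "10.1.1.2"
SITE_A_LAN = ip_network("10.1.1.0/24")   # assumed: only reachable from site B via the BOVPN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def firewall_a_inbound(pkt, use_snat, conntrack):
    """FirewallA: static NAT 2.2.2.2:443 -> 10.2.2.20, optionally rewriting the source too."""
    if pkt.dst != FW_A or pkt.dport != 443:
        return None  # no matching SNAT action
    new_src = SNAT_IP if use_snat else pkt.src
    translated = replace(pkt, src=new_src, dst=WEB)
    # Record the translation so the reply can be mapped back to the original packet.
    conntrack[(translated.dst, translated.dport, translated.src, translated.sport)] = pkt
    return translated


def firewall_b_egress_route(pkt):
    """FirewallB routing: site A LAN goes over the BOVPN, everything else out the
    public interface behind dynamic NAT (assumed), so the source becomes 3.3.3.3."""
    if ip_address(pkt.dst) in SITE_A_LAN:
        return "bovpn", pkt
    return "internet", replace(pkt, src=FW_B)


def firewall_a_reply(pkt, conntrack):
    """Undo the translation for a reply arriving at FirewallA over the BOVPN."""
    orig = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return None
    return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def client_accepts(request, reply):
    """The client only accepts a reply whose 4-tuple mirrors the request it sent."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def simulate(use_snat):
    """Trace one request/reply round trip; returns whether the client accepted the reply."""
    conntrack = {}
    request = Packet(CLIENT, FW_A, 40000, 443)
    path = [f"client sends {request.src}:{request.sport} -> {request.dst}:{request.dport}"]
    fwd = firewall_a_inbound(request, use_snat, conntrack)
    path.append(f"FirewallA forwards over BOVPN as {fwd.src} -> {fwd.dst}")
    # The web server simply replies to whatever source address it saw.
    reply = Packet(src=fwd.dst, dst=fwd.src, sport=fwd.dport, dport=fwd.sport)
    route, out = firewall_b_egress_route(reply)
    path.append(f"FirewallB sends reply via {route} as {out.src} -> {out.dst}")
    if route == "bovpn":
        out = firewall_a_reply(out, conntrack)
        path.append(f"FirewallA reverses the NAT: {out.src} -> {out.dst}")
    accepted = client_accepts(request, out)
    path.append("client accepts reply" if accepted else "client drops reply from unexpected source")
    return {"accepted": accepted, "reply_src": out.src, "path": path}


if __name__ == "__main__":
    for use_snat in (True, False):
        print(f"--- source NAT {'on' if use_snat else 'off'} ---")
        print("\n".join(simulate(use_snat)["path"]))
```

The `conntrack` dictionary is the piece Bruce refers to as the firewall undoing the change on the reply: with the source rewritten to 10.1.1.2 the reply is routed back over the BOVPN, FirewallA finds the entry and restores 2.2.2.2 -> 1.1.1.1, and the client sees exactly the mirror of what it sent. Without the rewrite, FirewallB's routing table sends the reply to 1.1.1.1 out its public interface as 3.3.3.3, and the client drops it.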
