SNAT - why would I ever change the source address?
I was reading the docs "Configure Static NAT (SNAT) " and it says this:
"When you add a static NAT action, you can optionally specify a source IP address in the action. Then, when a connection that matches the parameters in your static NAT action is received by your Firebox, it changes the source IP address to the IP address that you specify. You can specify a different source IP address for each SNAT member."
Why would I ever change the source address? To me it seems that it would break NAT.
0
Sign In to comment.
Comments
It won't break NAT as the firewall will undo this on the reply packet.
One example of needing to do this is web access to site A but the web site is really at site B which is connected via a BOVPN.
Without changing the source IP addr of the packet to something at site A, the reply packet will not go back via the BOVPN and initiating site will reject the reply packet coming from a public IP addr at site B.
Thanks Bruce, but I can't work out your explanation. Do you know of a resource that explains this with diagrams.
How about this?
Working example:
source packet - from web browser to web site @ 2.2.2.2 where web server is actually at 10.2.2.20 behind FirewallB
Source IP = 1.1.1.1 -> FirewallA 2.2.2.2 -> source IP NATed to 10.1.1.2 -> VPN to FirewallB (3.3.3.3) -> 10.2.2.20 FirewallB web server
reply packet - from 10.2.2.20 FirewallB web server to sending source IP 10.1.1.2
Dest IP = 10.1.1.2 -> FirewallB (3.3.3.3) -> VPN to FirewallA 2.2.2.2 -> dest IP NATed back to 1.1.1.1 -> to web browser: Dest IP = 1.1.1.1
Failing example:
source packet - from web browser to web site @ 2.2.2.2 where web server is actually at 10.2.2.20 behind FirewallB
Source IP = 1.1.1.1 -> FirewallA 2.2.2.2 -> VPN to FirewallB (3.3.3.3) -> 10.2.2.20 FirewallB web server
reply packet - from 10.2.2.20 FirewallB web server to sending source IP 1.1.1.1
Dest IP = 1.1.1.1 -> FirewallB (3.3.3.3) -> to web browser: Dest IP = 1.1.1.1
web client or firewall at 1.1.1.1 will drop an unexpected reply packet from 3.3.3.3 - expecting a reply from 2.2.2.2