Understanding Source NAT Address Types

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

 This article is based on a discussion, Source NAT with Pool, posted by @nattapong_thi. Read on to see the guidance from Cyber Elite @Astardzhiev!

 

For example, we use 110.110.110.0/24 as internet facing interface

 

What is the difference between

110.110.110.30/24 and 110.110.110.30/32

 

Which one is correct? When I configure a /24 it seems there's a conflict displayed

 

nattapong_thi_0-1665113789364.png

nattapong_thi_1-1665113853182.png

 

 

Solution:

 

Hi @nattapong_thi,

When you use Dynamic IP and Port for source nat, you have two options for defining what address to be used for translation:

- Interface address - if you select this one, you tell the firewall to use the IP assigned to that particular interface to be used for translation. In this case firewall will translate all internal sources to single IP - the one configured on selected interface. On other words this is many-to-one translation

- Translated address - if you select this one, firewall is expecting you to configure valid IP pool that it will use for translation. In this case you define how big is the pool. If you use /32 prefix, this means that pool consist of single IP and it is again same as many-to-one translation. If you use /24 prefix this means that pool has 255 available addresses, which firewall can use for translation - this is many-to-many translation.

 

110.110.110.30/32 is valid configuration, because /32 prefix define range of single IP

110.110.110.30/24 is not valid configuration, because /24 prefix define range of 255 IP addresses, so the .30 is not the beginning of the prefix, but represent a host in that range.

 

When you are configure your outside interface with 110.110.110.30/24 this is now valid, because you tell that FW is assigned with IP .30 from a /24 network, from which firewall can identify the length of the network, network mask etc.

 

In your specific case you can use either of the two:

- Use "Interface address" for address type and select the interface of the outside/untrust interface.

- Use "translated address" for type and enter /32 pool

 

 

Rate this article:
  • 2752 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎11-08-2022 08:42 AM
Updated by: