Showing results for 
Show  only  | Search instead for 
Did you mean: 


L4 Transporter


when do we use the destination nat ,source nat and  identity nat 

I mean what is the use cases for the above 



Cyber Elite
Cyber Elite


Source NAT:

Source NAT changes the source address in the IP header of a packet. Typical use would be making a NAT statement for your internal addressing to a Public IP address. For example, if you leave my network as source IP, I'd want you to be NAT to on a dynamic port. 

Destination NAT:

Destination NAT changes the destination address in the IP header of a packet. Typical use case could be would be exposing a service such as Exchange to the public via your Public IP. For example, if you hit I'd want a destination NAT statement to ensure that the destination address in the IP header was translated to the internal address to hit my mail server. 

Identity NAT:

Translates the real IP address to the same IP address in the IP header of the packet. To the best of my knowledg,e you will only ever hear about identity NAT on an ASA. Essentially the way that Cisco configured their NAT Exception policies caused a necessity for Identity NAT to be created. There are technically three, at least, types of Identity NAT; I'm not going to get into them because this isn't an ASA forum. 


Things get more complicated because there are a lot of different ways to configure NAT statements, and any one way isn't really more correct than the next. For example; while many people would expose mail services through a destination NAT, with enough Public IPs you can also simply make a Source NAT to a static-ip and enable bi-directional traffic. There's also u-turn NAT statements and so on. 

L4 Transporter

Hi @simsim 


If you need the firewall to translate the source IP address in a packet you will use Source NAT. A good example for this is users in trust zone that have private IP addresses need to be translated to the external IP address the firewall has on the untrust zone (ISP). So the firewall translates the IP address when forwarding the packet to the untrust zone.


If you need the firewall to translate the destination IP address ip a packet you will use Destination NAT. A good example of this is a web server in DMZ that has a private IP address and you need internet users to access it. So from the internet side it is accessible via the real-world IP address and the firewall translates it to a private IP address when forwarding the packet to DMZ zone.


In some cases you can also use both of them in the same NAT rule.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!