09-30-2014 11:21 AM
On our firewall we have some inbound web servers with static NAT policies using SNAT and other inbound web servers/services with DNAT policies. I am trying to figure out which one I should be using. For example, the company we hired to implement our firewalls and set up policies uses the SNAT way for every static NAT policy. When I called into support for an issue one time, they stated that I should be using DNAT and not SNAT.
09-30-2014 11:27 AM
Hi,
You should use DNAT for inbound access, or
you may use SNAT (static) for internal servers with the bidirectional "yes" option (if each internal server has a specific public IP on the WAN).
09-30-2014 11:34 AM
Hi EDSAdmin,
Either SNAT or DNAT can be used; it all depends on the purpose.
Let's say you have FTP, HTTP and SSL servers but only one public IP address, and you are interested only in inbound access [Internet users should access the server]. Then go for DNAT.
If you have 3 public IP addresses and you are also looking for outbound server access with the same public IP, then go for DNAT.
Regards,
Hardik Shah
09-30-2014 11:36 AM
Hi EDSAdmin,
You are trying to change the destination address for traffic coming in to your network, i.e., if someone tries to access 1.2.3.4 (a public IP that you host), NAT to internal IP 192.168.1.1. You are not changing the source IP portion of it. So you will configure DNAT. Hope that helps. Thank you.
09-30-2014 12:18 PM
Each inbound server has its own unique external static IP. Currently they are all set to be bidirectional as well. I haven't had a problem with the SNAT way; I was just trying to get a better understanding since that time I called into support and the engineer kept asking me why I was using SNAT and telling me I should be using DNAT.
We have an Exchange server and web servers that are all set with static external IPs.
09-30-2014 12:20 PM
Hi EDSAdmin,
It's just a matter of implementation and choice. If you have spare public IPs, then always go with SNAT.
But if there is a crunch of IPs, then go with DNAT.
This is the main tie breaker for the implementation. There are a number of other differences as well.
Regards,
Hardik Shah
09-30-2014 12:22 PM
SNAT with the bidirectional option is OK then. You may use it for all servers.
09-30-2014 12:38 PM
Excellent. Thanks for the clarification.
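A simplified model of the three rule types compared in this thread, added here as an illustration; it is not code from any post or from the firewall. It shows that a static source NAT with the bidirectional option translates inbound traffic the same way a DNAT rule does, while also translating the server's outbound traffic. The class and function names, the client 203.0.113.10 and the remote host 198.51.100.7 are constructed; 1.2.3.4 and 192.168.1.1 are the addresses used in the reply above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Dnat:
    """Destination NAT: rewrite dst for traffic aimed at the public IP."""
    public: str
    internal: str
    def translate(self, p: Packet) -> Optional[Packet]:
        return Packet(p.src, self.internal) if p.dst == self.public else None

@dataclass(frozen=True)
class StaticSnat:
    """Static source NAT: one internal host mapped to one public IP."""
    internal: str
    public: str
    bidirectional: bool = False
    def translate(self, p: Packet) -> Optional[Packet]:
        if p.src == self.internal:                       # outbound leg
            return Packet(self.public, p.dst)
        if self.bidirectional and p.dst == self.public:  # implied reverse leg
            return Packet(p.src, self.internal)
        return None

def apply(rule, p: Packet) -> Packet:
    """Return the translated packet, or the packet unchanged if no match."""
    return rule.translate(p) or p

# Constructed sample traffic (client and remote are documentation addresses).
INBOUND = Packet("203.0.113.10", "1.2.3.4")
OUTBOUND = Packet("192.168.1.1", "198.51.100.7")
RULES = {
    "dnat": Dnat("1.2.3.4", "192.168.1.1"),
    "static_snat": StaticSnat("192.168.1.1", "1.2.3.4"),
    "static_snat_bidir": StaticSnat("192.168.1.1", "1.2.3.4", bidirectional=True),
}

def compare() -> dict:
    return {n: (apply(r, INBOUND), apply(r, OUTBOUND)) for n, r in RULES.items()}

if __name__ == "__main__":
    for name, (inb, outb) in compare().items():
        print(f"{name:18} inbound -> {inb}  outbound -> {outb}")
```

NAT only rewrites addresses; in every case the security policy still decides whether the inbound connection to the server is allowed.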