SonicOS 7 Rules and Policies

About NAT in SonicOS

Before configuring NAT policies, be sure to create all address objects associated with the policy. For instance, if you are creating a one-to-one NAT policy, be sure you have address objects for your public and private IP addresses.

By default, LAN to WAN has a NAT policy predefined on the firewall.

The Network Address Translation (NAT) engine in SonicOS allows you to define granular NAT policies for your incoming and outgoing traffic. By default, the firewall has a preconfigured NAT policy to allow all systems connected to the X0 interface to perform many-to-one NAT using the IP address of the X1 interface, and a policy to not perform NAT when traffic crosses between the other interfaces. NAT policies are automatically created when certain features are enabled, such as the Enable Local Radius Server option in WLAN zone configuration, and are deleted when the feature is disabled. This section explains how to set up the most common NAT policies.

Understanding how to use NAT policies starts with examining the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester’s IP address, the protocol information of the requester, and the destination’s IP address. The NAT Policies engine in SonicOS can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing traffic.

You can add up to 512 - 2048 NAT policies depending on the SonicWall network security platform, and they can be as granular as you need. It is also possible to create multiple NAT policies for the same object — for instance, you can specify that an internal server use one IP address when accessing Telnet servers, and to use a totally different IP address for all other protocols. Because the NAT engine in SonicOS supports inbound port forwarding, it is possible to hide multiple internal servers off the WAN IP address of the firewall. The more granular the NAT policy, the more precedence it takes.

The Maximum Routes and NAT Policies Allowed per Firewall Model table shows the maximum number of routes and NAT policies allowed for each network security appliance model running SonicOS.

Maximum Routes and NAT Policies Allowed per Firewall Model
ModelRoutesNAT PoliciesModelRoutesNAT Policies
StaticDynamicStaticDynamic
NSa 9650409681922048NSA 6600204840962048
NSa 9450409681922048NSA 5600204840962048
NSa 9250409681922048NSA 4600108820481024
NSa 6650307240962048NSA 3600108820481024
NSa 5650204840962048NSA 2600108820481024
NSa 4650204840962048
NSa 3650108820481024TZ6002561024512
NSa 2650108820481024TZ500/TZ500W2561024512
TZ400/TZ400W2561024512
SM 9600307240962048TZ300/TZ300W2561024512
SM 9400307240962048
SM 9200307240962048SOHO W2561024512

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.