SonicOS 7 Rules and Policies

Creating a One-to-One NAT Policy for Outbound Traffic

One-to-one NAT for outbound traffic is another common NAT policy on a firewall for translating an internal IP address into a unique IP address. This is useful when you need specific systems, such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time, a NAT policy such as this one-to-one NAT policy for outbound traffic is used to map a server’s private IP address to a public IP address, and it is paired with a reflexive (mirror) policy that allows any system from the public internet to access the server, along with a matching firewall access rule that permits this. The reflexive NAT policy is described in Creating a One-to-One NAT Policy for Inbound Traffic.

To create a one-to-one policy for outbound traffic

  1. Navigate to the OBJECT | Match Objects > Addresses page.

  2. Click +Add at the top of the page. The Address Object Settings dialog displays.

  3. Enter a friendly description such as webserver_private_ip for the server’s private IP address in the Name field.
  4. Select the zone assigned to the server from the Zone Assignment drop-down menu.
  5. Choose Host from the Type drop-down menu.
  6. Enter the server’s private IP address in the IP Address field.
  7. Click Save. The new address object is added to the Address Objects table.
  8. Then, repeat Step 2 through Step 7 to create another object in the Address Object Settings dialog for the server’s public IP address and select WAN from the Zone Assignment drop-down menu. Use webserver_public_ip for the Name.
  9. Click Save to create the address object. The new address object is added to the Address Objects table.
  10. Click Cancel to close the Address Object Settings dialog.
  11. Navigate to the POLICY | Rules and Policies > NAT Rules page.

  12. Click +Name at the top of the page. The Add NAT Policy dialog displays.

  13. To create a NAT policy to allow the web server to initiate traffic to the public internet using its mapped public IP address, choose the options shown in Option choices: One-to-One NAT Policy for Outbound Traffic Example:

    Option choices: One-to-One NAT Policy for Outbound Traffic Example
    Option Value
    Original Source webserver_private_ip
    Translated Source webserver_public_ip
    Original Destination Any
    Translated Destination Original
    Original Service Any
    Translated Service Original
    Inbound Interface X3
    Outbound Interface X1
    Comment Enter a short description
    Enable NAT Policy Checked
    Create a reflexive policy (dimmed when Translated Destination is Original)
  14. When done, click Add to add and activate the NAT policy.

  15. Click Cancel to close the Add NAT Policy dialog.

    With this policy in place, the firewall translates the server’s private IP address to the public IP address when it initiates traffic out the WAN interface (by default, the X1 interface).

    You can test the one-to-one mapping by opening up a web browser on the server and accessing the public website http://www.whatismyip.com. The website should display the public IP address you attached to the private IP address in the NAT policy you just created.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.