Configuring interface-based NAT. How does interface-based NAT work?
| Knowledge Base ID: | KB4761 |
| Version: | 7.0 |
| Published: | 07 Oct 2008 |
| Updated: | 07 Oct 2008 |
| Categories: | Firewall/IPSec_VPN, NAT/PAT, ScreenOS |
Problem or Goal:
What are the steps to configure interface-based NAT?
Symptoms & Errors:
- Cannot configure the Untrust or DMZ interface for NAT mode operation.
- Cannot configure an interface in a zone on the untrust-vr for NAT mode.
- Cannot enable NAT mode on an interface.
- NAT does not work when traffic is not going to the Untrust interface.
- Where does interface-based NAT work?
Solution:
To configure interface-based NAT, perform the following steps:
This article assumes the chosen interface is already bound to a zone. For more information on how to bind an interface to a zone, go to Binding an Interface to a Zone.
WEBUI
----------
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click Network, and then click Interfaces.
From the Interface list, choose the interface you wish to modify, and click Edit.
For this example, we chose to edit the ethernet1 interface.
From Interface Mode, click to select NAT.
Click OK.
CLI
-----
To configure an interface for NAT mode:
set interface <interface> nat
To configure an interface for ROUTE mode:
unset interface <interface> nat
Where does interface-based NAT work?
- Trust zone to Untrust zone
- Trust zone to DMZ zone
- DMZ zone to Untrust zone
The behavior for interface NAT with the Untrust-VR is different. If the destination zone is in the Untrust-VR, then NAT will take place from ANY zone.
Here is an example configuration in the Trust-VR:
e1 bound to Trust zone, NAT configured on e1
ns25-> get i e1
Interface ethernet1:
number 4, if_info 800, if_index 0, mode nat
link up, phy-link up/full-duplex
vsys Root, zone Trust, vr trust-vr
*ip 10.1.1.1/24 mac 0010.db15.1c44
*manage ip 10.1.1.1, mac 0010.db15.1c44
ping enabled, telnet enabled, SCS enabled, SNMP enabled
web enabled, ident-reset disabled, SSL enabled
webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled
DHCP-Relay disabled
bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
total configured gbw 0kbps, total allocated gbw 0kbps
e2 bound to the DMZ zone, NAT configured on e2
ns25-> get i e2
Interface ethernet2:
number 5, if_info 1000, if_index 0, mode nat
link down, phy-link down
vsys Root, zone DMZ, vr trust-vr
*ip 172.16.20.1/24 mac 0010.db15.1c45
*manage ip 172.16.20.1, mac 0010.db15.1c45
ping enabled, telnet disabled, SCS disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled
DHCP-Relay disabled
bandwidth: physical 0kbps, configured 0kbps, current 0kbps
total configured gbw 0kbps, total allocated gbw 0kbps
e3 bound to the Untrust zone, route mode (NAT mode is not configured on e3)
ns25-> get i e3
Interface ethernet3:
number 6, if_info 1200, if_index 0, mode route
link up, phy-link up/half-duplex
vsys Root, zone Untrust, vr trust-vr
dhcp disabled
*ip 10.100.31.130/24 mac 0010.db15.1c46
*manage ip 10.100.31.130, mac 0010.db15.1c46
ping enabled, telnet enabled, SCS enabled, SNMP enabled
web enabled, ident-reset disabled, SSL enabled
webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled
DHCP-Relay disabled
bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
total configured gbw 0kbps, total allocated gbw 0kbps
Traffic from e1 > e3 will be NAT'd, traffic from e2 > e3 will be NAT'd, and traffic from e1 > e2 will be NAT'd.
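The zone rules above, applied to the `get interface` output format shown in the example, as an added Python example that is not part of this KB article and is not ScreenOS code. It parses concatenated `get interface` output (mode, zone, virtual router, IP) and, for each ordered pair of interfaces, decides whether interface-based NAT applies: in the trust-vr only for Trust > Untrust, Trust > DMZ and DMZ > Untrust, and for any source zone when the destination zone is in the untrust-vr. The three interfaces are copied (abridged) from the article's output; the fourth interface, ethernet4 in a zone named Ext on the untrust-vr, is constructed to exercise the untrust-vr rule. The article does not say whether the untrust-vr rule also requires the ingress interface to be in NAT mode; the example assumes it does, as for the trust-vr, and treats any pairing the article does not list as "no interface NAT".

```python
"""Decide whether ScreenOS interface-based NAT applies to a flow.

Added example, not from the KB article or from Juniper. It parses the
`get interface` output format shown in the article and applies the zone
rules the article states. Assumptions (not stated in the article):
  - the ingress interface must be in NAT mode for the untrust-vr rule too;
  - zone pairings the article does not list get no interface NAT.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Iface:
    name: str
    mode: str   # "nat" or "route", from the "mode ..." field
    zone: str
    vr: str
    ip: str


# Zone pairs inside the trust-vr for which the article says interface NAT works.
TRUST_VR_NAT_PAIRS = {("Trust", "Untrust"), ("Trust", "DMZ"), ("DMZ", "Untrust")}


def parse_get_interface(text: str) -> dict[str, Iface]:
    """Parse one or more concatenated `get interface <if>` outputs."""
    ifaces: dict[str, Iface] = {}
    cur: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface (\S+):", line)
        if m:
            cur = {"name": m.group(1)}
            continue
        if cur is None:
            continue
        if (m := re.search(r"\bmode (\w+)", line)):
            cur["mode"] = m.group(1)
        if (m := re.search(r"zone (\w+), vr ([\w-]+)", line)):
            cur["zone"], cur["vr"] = m.group(1), m.group(2)
        if (m := re.match(r"\*ip ([\d./]+)", line)):
            cur["ip"] = m.group(1)
            # "*ip" is the last field we need; ignore the rest of the block.
            if {"mode", "zone", "vr"} <= cur.keys():
                ifaces[cur["name"]] = Iface(**cur)
            cur = None
    return ifaces


def interface_nat_applies(src: Iface, dst: Iface) -> bool:
    """True if interface-based NAT translates traffic entering src and leaving dst."""
    if src.mode != "nat":
        return False                      # route-mode ingress: no interface NAT
    if dst.vr == "untrust-vr":
        return True                       # destination zone in untrust-vr: NAT from any zone
    if src.vr == "trust-vr" and dst.vr == "trust-vr":
        return (src.zone, dst.zone) in TRUST_VR_NAT_PAIRS
    return False                          # assumption: pairings not listed by the article


def nat_matrix(ifaces: dict[str, Iface]) -> dict[tuple[str, str], bool]:
    """{(src, dst): applies?} for every ordered pair of distinct interfaces."""
    return {(s, d): interface_nat_applies(ifaces[s], ifaces[d])
            for s in ifaces for d in ifaces if s != d}


# Constructed sample: the article's e1/e2/e3 output, abridged, plus a
# constructed ethernet4 in zone "Ext" on the untrust-vr (not in the article).
SAMPLE = """\
ns25-> get i e1
Interface ethernet1:
number 4, if_info 800, if_index 0, mode nat
link up, phy-link up/full-duplex
vsys Root, zone Trust, vr trust-vr
*ip 10.1.1.1/24 mac 0010.db15.1c44
*manage ip 10.1.1.1, mac 0010.db15.1c44
ns25-> get i e2
Interface ethernet2:
number 5, if_info 1000, if_index 0, mode nat
link down, phy-link down
vsys Root, zone DMZ, vr trust-vr
*ip 172.16.20.1/24 mac 0010.db15.1c45
ns25-> get i e3
Interface ethernet3:
number 6, if_info 1200, if_index 0, mode route
link up, phy-link up/half-duplex
vsys Root, zone Untrust, vr trust-vr
dhcp disabled
*ip 10.100.31.130/24 mac 0010.db15.1c46
ns25-> get i e4
Interface ethernet4:
number 7, if_info 1400, if_index 0, mode nat
link up, phy-link up/full-duplex
vsys Root, zone Ext, vr untrust-vr
*ip 192.0.2.1/24 mac 0010.db15.1c47
"""

if __name__ == "__main__":
    ifs = parse_get_interface(SAMPLE)
    for (s, d), nat in sorted(nat_matrix(ifs).items()):
        verdict = "NAT" if nat else "no interface NAT"
        print(f"{s} ({ifs[s].zone}) -> {d} ({ifs[d].zone}): {verdict}")
```

Run it and compare the printed matrix with the article's three NAT'd directions; the DMZ > Trust row shows why a DMZ host reaching the Trust zone keeps its real address, and the ethernet4 rows show the untrust-vr rule applying regardless of the source zone.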
NAT mode is also documented in the Concepts & Examples ScreenOS Reference Guide:
Volume 2: Fundamentals
Interface Modes > NAT Mode
NOTE: The following statement of this Reference Guide on page 79 is in error:
"ScreenOS does not perform NAT on traffic destined for any zone other than the Untrust zone."
As stated above, interface-based NAT works from and to the following zones in the trust-vr:
- Trust zone to Untrust zone
- Trust zone to DMZ zone
- DMZ zone to Untrust zone
Troubleshooting