User Guide for SonicWALL 5.8.1

Network > NAT Policies
SonicOS 5.8.1 Administrator Guide
NAT Policies Q&A
Why is it necessary to specify ‘Any’ as the destination interface for inbound 1-2-1 NAT policies?
This may seem counter-intuitive, given that other types of NAT policies require you to specify the destination interface, but it is necessary for this type of NAT policy. The SonicWALL security appliance uses this field during the NAT Policy lookup and validates it against the packet that it receives. If the field is set to an internal interface such as LAN, the lookup fails, because at that point the SonicWALL security appliance does not know that the packet is going to LAN. It only learns this after it has performed the NAT Policy lookup. At the precise time of the NAT Policy lookup, the packet looks like it is going from WAN -> WAN (or whatever interface it is coming in on), since a route lookup on the NAT Public address returns the Public interface.
Can I manually order the NAT Policies?
No, the SonicWALL security appliance automatically orders them, depending on the granularity of the rule. This means that you can create NAT policy entries for the same objects, as long as each new policy has more granularity than the existing policy. For example, you can create a NAT policy to translate all LAN systems to the WAN IP address, then create a policy saying that a specific system on that LAN uses a different IP address, and additionally create a policy saying that the specific system uses another IP address when using HTTP.
Can I Have Multiple NAT Policies for the Same Objects?
Yes – please read the section above.
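A simplified model of the granularity-based ordering described in the two answers above, as an added example that is not SonicOS code and not taken from the guide. The scoring rule (source prefix length first, then a named service over "any"), the policy names and the addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatPolicy:
    name: str               # hypothetical label
    source: str             # original source, CIDR notation
    service: str            # original service: "any" or a name such as "http"
    translated_source: str

    def granularity(self):
        # Assumed scoring: longer source prefix wins, then named service over "any".
        return (ipaddress.ip_network(self.source).prefixlen, self.service != "any")

    def matches(self, src_ip, service):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        return in_net and self.service in ("any", service)

def order_policies(policies):
    # Most granular first, regardless of the order in which they were created.
    return sorted(policies, key=NatPolicy.granularity, reverse=True)

def lookup(policies, src_ip, service):
    # The first match in granularity order decides the translation.
    for policy in order_policies(policies):
        if policy.matches(src_ip, service):
            return policy
    return None

def overrides(policies):
    # Audit helper: (specific, general) pairs where the specific policy takes
    # traffic that the general policy would otherwise translate.
    pairs = set()
    for a in policies:
        for b in policies:
            narrower = ipaddress.ip_network(a.source).subnet_of(ipaddress.ip_network(b.source))
            same_service = b.service == "any" or a.service == b.service
            if a.granularity() > b.granularity() and narrower and same_service:
                pairs.add((a.name, b.name))
    return pairs

# Constructed sample mirroring the guide's example: all LAN systems, one
# specific system, and that same system when using HTTP.
POLICIES = [
    NatPolicy("lan-to-wan", "192.168.1.0/24", "any", "203.0.113.1"),
    NatPolicy("host-http", "192.168.1.50/32", "http", "203.0.113.20"),
    NatPolicy("host-any", "192.168.1.50/32", "any", "203.0.113.10"),
]
```

Running `overrides(POLICIES)` during a policy review lists every exception to the broad LAN rule, which is the set of translations a reviewer should confirm are still intended.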
What are the NAT ‘System Policies’?
On the Network > NAT Policies page, notice a radio button labeled System Policies. If you choose this radio button, the NAT Policies page displays all of the default, auto-created NAT policies for the SonicWALL security appliance. These policies are default settings that the SonicWALL security appliance needs in order to operate properly, and they cannot be deleted. For this reason, they are listed in their own section, which makes the user-created NAT policies easier to browse. If you wish to see user-created NAT policies along with the default NAT policies, simply select the radio button next to ‘All Policies’.
Can I Write NAT Policies for VPN Traffic?
Yes, this is possible if both sides of the VPN tunnel are SonicWALL security appliances running SonicOS Enhanced firmware. Please refer to the technote SonicOS Enhanced NAT VPN Overlap for instructions on how to perform NAT on traffic entering and exiting VPN tunnels.
Available at 
 
.