How to configure Automatic NAT rules in specific order
Solution

When Automatic NAT is enabled in the NAT tab of a Node / Network object's properties in SmartDashboard, the corresponding Automatic NAT rules are created in the NAT rulebase.

Security Gateway administrators might need to implement Automatic NAT rules for a large network, and additional Automatic NAT rules for a subnet that is encompassed by the large network.

The NAT rulebase is matched top-down, so if the rule for the large network is listed above the rule for the subnet, the subnet rule is shadowed and never matches: traffic from the subnet is hidden behind the large network's address instead. To ensure that the more specific Automatic NAT rule is applied first, make sure that SmartDashboard creates it above the NAT rule for the larger network.

Example:

Goal:

  1. Large network 10.0.0.0/8 must be hidden behind IP address 172.21.1.1

  2. Subnet 10.10.200.0/24 (which is a part of 10.0.0.0/8) must be hidden behind IP address 192.168.1.1

  3. The NAT rule for 10.10.200.0/24 must be applied before the NAT rule for 10.0.0.0/8

Action plan:

Since Automatic NAT rules are created by SmartDashboard in alphabetical order and cannot be moved manually, you should choose the names of your objects and enable NAT in a specific order:

  1. The name of "Subnet" object should be alphabetically located above the name of "Large network" object

  2. The NAT should be first enabled in the "Subnet" object, and only then in the "Large network" object

Procedure:

  1. Create the 'Network' object for Subnet 10.10.200.0/24 - for example, with the name "Network_A"

  2. Create the 'Network' object for Large network 10.0.0.0/8 - for example, with the name "Network_B"

  3. Enable NAT in object for Subnet 10.10.200.0/24 ("Network_A")

  4. Enable NAT in object for Large network 10.0.0.0/8 ("Network_B")

  5. Check the NAT rulebase - the rules for Subnet 10.10.200.0/24 ("Network_A") should appear above the rules for Large network 10.0.0.0/8 ("Network_B")

    If the names of the objects are alphabetically correct, but the order of the Automatic NAT rules is wrong (e.g., the NAT rules for "Network_B" appear above the NAT rules for "Network_A"), then:

    • disable NAT in the object whose NAT rules appear above (in this case, disable NAT in the "Network_B" object)

    • re-enable NAT in that object (in this case, re-enable NAT in the "Network_B" object), so that its rules are re-created below the existing rules for "Network_A"


  6. Save the changes: go to 'File' menu - click on 'Save'

  7. Install the policy
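The check in step 5 can be done offline against the NAT rulebase as it appears in SmartDashboard. The following Python script is an added example, not part of this SecureKnowledge article or of any Check Point tool: the rulebase is a constructed list in the order the rules were created, and the script reports any rule that is shadowed by a broader rule above it and shows which hide address a given source IP would actually get. It also verifies the naming precondition from the action plan (the subnet object's name must sort before the large network's name).

```python
import ipaddress

# Constructed sample of the NAT rulebase after both objects have NAT enabled,
# listed top-down in the order SmartDashboard created the rules.
# Only the fields needed for the ordering check are modelled.
NAT_RULEBASE_CORRECT = [
    {"object": "Network_A", "original_source": "10.10.200.0/24", "translated_source": "192.168.1.1"},
    {"object": "Network_B", "original_source": "10.0.0.0/8",     "translated_source": "172.21.1.1"},
]

# Same rules, but created in the wrong order (large network first).
NAT_RULEBASE_WRONG = list(reversed(NAT_RULEBASE_CORRECT))


def names_sort_correctly(subnet_object, large_network_object):
    """Action plan item 1: the subnet object's name must sort before the
    large network object's name, since Automatic NAT rules are created
    in alphabetical order and cannot be moved."""
    return subnet_object < large_network_object


def first_match(rulebase, src_ip):
    """Return the first (top-down) rule whose Original Source covers src_ip,
    i.e. the rule the Security Gateway would actually apply."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rulebase:
        if ip in ipaddress.ip_network(rule["original_source"]):
            return rule
    return None


def shadowed_rules(rulebase):
    """Return (shadowed_object, shadowing_object) pairs: a rule is shadowed
    when an earlier rule's Original Source already contains its whole
    Original Source, so the later rule can never match."""
    found = []
    for i, rule in enumerate(rulebase):
        net = ipaddress.ip_network(rule["original_source"])
        for earlier in rulebase[:i]:
            earlier_net = ipaddress.ip_network(earlier["original_source"])
            if net.subnet_of(earlier_net):
                found.append((rule["object"], earlier["object"]))
                break
    return found


def hide_address_for(rulebase, src_ip):
    """Convenience: the Translated Source a host would be hidden behind."""
    rule = first_match(rulebase, src_ip)
    return rule["translated_source"] if rule else None


if __name__ == "__main__":
    print("names OK:", names_sort_correctly("Network_A", "Network_B"))
    for label, rb in (("correct", NAT_RULEBASE_CORRECT), ("wrong", NAT_RULEBASE_WRONG)):
        print(f"[{label}] 10.10.200.5 hidden behind", hide_address_for(rb, "10.10.200.5"))
        print(f"[{label}] shadowed rules:", shadowed_rules(rb))
```

With the correct order, 10.10.200.5 is hidden behind 192.168.1.1 and no rule is shadowed; with the reversed order, the host is hidden behind 172.21.1.1 and the "Network_A" rule is reported as shadowed by "Network_B", which is exactly the condition that calls for disabling and re-enabling NAT on the large network object.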
This solution is about products that are no longer supported and it will not be updated
