SonicOS 7.0 Rules and Policies for Policy mode

NAT Policy > Creating NAT Rule Policies: Examples > Creating a One-to-One NAT Policy for Inbound Traffic
Table of Contents

Creating a One-to-One NAT Policy for Inbound Traffic

A one-to-one NAT policy is the most commonly used type of NAT policy on SonicWall security appliances. It allows you to translate an external public IP addresses into an internal private IP address. When paired with an Allow access rule, this NAT policy allows any source to connect to the internal server using the public IP address; the firewall handles the translation between the private and public address. With this policy in place, the firewall translates the server’s public IP address to the private IP address when connection requests arrive via the WAN interface (by default, the X1 interface).

You also need to create the access rule that allows anyone to make HTTP connections to the web server through the web server’s public IP address, and also create the NAT policy.

The mirror (reflexive) policy for this one-to-one inbound NAT policy is described in Creating a One-to-One NAT Policy for Outbound Traffic.

To conceal the internal server’s real listening port, but provide public access to the server on a different port, refer to the example configuration described in Inbound Port Address Translation via One-to-One NAT Policy.

To create a one-to-one policy for inbound traffic

  1. Navigate to the POLICY | Rules and Policies > Access Rules page.

  2. Click +Add to display the Adding NAT Rule dialog.

  3. Enter in the values shown in Option choices: Access Rule for One-to-one inbound traffic example.

    Option choices: Access Rule for One-to-one inbound traffic example
    Option Value
    Action Allow
    Source WAN
    Destination Select the zone that the server is in
    Service Select a port; the default is Any if Source Port/Services is configured, the access rule filters the traffic based on the source port defined in the selected service object/group. The service object/group selected must have the same protocol types as the ones selected in Port/Services.
    Translated Service HTTP
    Translated Destination webserver_public_ip (the address object containing the server’s public IP address)
    User Include All (default)
    User Exclude None (default)
    Schedule Always (default)
    Comment Enter a short description
    Enable Logging Selected
    Allow Fragmented Packets Selected
    All other options Deselected
  4. Click Add. The rule is added. You can also continue with Access Rules setting up additional policies.
  5. Navigate to the POLICY | Rules and Policies > NAT Rules page.
  6. Click +Add to display the Adding NAT Rule dialog.

  7. Configure the values shown in the Option Choices: One-to-one Inbound NAT Policy table.

    Option Choices: One-to-one Inbound NAT Policy
    Option Value
    Original Source Any
    Translated Source Original
    Original Destination webserver_public_ip
    Translated Destination webserver_private_ip
    Original Service HTTP
    Inbound Interface X1
    Outbound Interface Any
    NOTE: Select Any rather than the interface that the server is on.
    Translated Service Original
    Comment Enter a short description
    Enable Checked
    Create a reflexive policy Not checked

  8. Click Add and then click Close.

When you are done, attempt to access the web server’s public IP address using a system located on the public internet. You should be able to successfully connect. If not, review this section, and the Creating a One-to-One NAT Policy for Outbound Traffic section, and ensure that you have configured all required settings correctly.