Traffic between internal interaces and hide NAT

TT · ‎2022-02-24

Hi All,

Looks like a simple topic but still can not confirm it.

Assuming I have "Automatic address translation" enabled in the object definition with "hide behind the gateway" option. Now, I have 3 interfaces - Internal, External and secondary Internal interface.

Does this nat config apply for the traffic between two internal interfaces? Or hide nat always apply only when traffic exits via the External interface.

kind regards,

Tomasz

_Val_ · ‎2022-02-24

Outgoing traffic from that host/network will only be NAT-ed when being sent out through the external interface.

Timothy_Hall · ‎2022-02-24

I'm assuming you are talking about going to the network object itself and configuring its NAT tab. If you look at the 2 automatic NAT rules generated as a result in the NAT policy, the destination of the second generated rule which does the vast majority of the NATting for that network has a destination of "Any". So yes it will NAT that traffic to all other interfaces including the second internal one. Typically you would have a manual anti-NAT/no-NAT rule defined early in the NAT policy that will disable NATting between internal networks and/or DMZs. The first auto-generated rule specifies no-NAT for hairpin/u-turn situations involving that network and is rarely hit.

I think the checkbox Val is referring to is located on the gateway/cluster object itself on the NAT screen. If you check that one yes only traffic exiting on the External interface will be NATted.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

the_rock · ‎2022-02-24

What @_Val_ told you is always 100% the case.

Are you a member of CheckMates?

Traffic between internal interaces and hide NAT