Allowing Internet to Visit a Private Server Using DNAT

Destination network address translation (DNAT) is normally used to let Internet users reach an internal server by giving that server an Internet IP address.

As shown in the topology, the FTP server hides its internal IP address behind a DNAT rule. The DNAT rule gives the server an Internet IP address that FTP users connect to, so the server can be accessed from the Internet.

Step 1: Configuring interfaces

1. Configuring the interface connected to the server

Select Network > Interface, and double-click ethernet0/2.

  • Binding Zone: Layer 3 Zone
  • Zone: dmz
  • Type: Static IP
  • IP Address: 10.10.1.1
  • Netmask: 24

2. Configuring the interface connected to the Internet

Select Network > Interface, and click ethernet0/3.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 221.224.30.130
  • Netmask: 20

Step 2: Configuring security policies

Configuring a policy allowing the Internet to visit the internal network

Select Policy > Security Policy, and click Add.

  • Name: untrust_dmz
  • Source Information
    • Zone: untrust
    • Address: Any
  • Destination
    • Zone: dmz
    • Address: Any
  • Other Information
    • Action: Permit

Step 3: Configuring DNAT rule

Select Policy > NAT > DNAT, and click New > Advanced Configuration.

  • Requirement:
    • Destination Address: IP Address, 221.224.30.130 (Note: enter the public IP address here.)
  • Translated to:
    • Translated to: IP Address, 10.10.1.2 (Note: enter the server's internal IP address here.)

(Optional) Under the Advanced tab, select the NAT log check box to enable NAT logging, which is used for checking results.

Step 4: Configuring default route

Select Network > Routing > Destination Route, and click New.

  • Destination: 0.0.0.0
  • Subnet Mask: 0
  • Next Hop: Gateway
  • Gateway: 221.224.30.130

Step 5: Results

After configuration, use a PC on the Internet to ping the server's public address 221.224.30.130.

Step 6: Check if DNAT rule works

Make sure NAT logging is enabled in the monitor module (select Monitor > Log > Log Monitor and, under the NAT tab, select Enable).

Go to Monitor > Log > NAT. The log shows that the destination IP 221.224.30.130 has been translated to the internal IP 10.10.1.2.
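
The following is an added example, not part of the original cookbook or the vendor's tooling: a small Python model of the rules configured above, listing which TCP ports on 10.10.1.2 the Step 2 policy exposes through 221.224.30.130 compared with a hypothetical policy narrowed to the FTP server and FTP control port 21. It assumes DNAT is applied before policy lookup, that a policy with no service set matches any service, and first-match with default deny; `evaluate`, `exposed_ports` and `untrust_dmz_ftp` are illustrative names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the walkthrough above.
ZONES = {"dmz": ipaddress.ip_network("10.10.1.0/24")}  # ethernet0/2, 10.10.1.1/24
DNAT = {ipaddress.ip_address("221.224.30.130"): ipaddress.ip_address("10.10.1.2")}
ANY = ipaddress.ip_network("0.0.0.0/0")                # models Address: Any

@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    dst_net: ipaddress.IPv4Network
    ports: Optional[frozenset]   # None models "any service" (assumption)

# The policy as configured in Step 2.
AS_WRITTEN = [Policy("untrust_dmz", "untrust", "dmz", ANY, None)]
# Hypothetical narrower policy: only the FTP server, only TCP/21.
NARROWED = [Policy("untrust_dmz_ftp", "untrust", "dmz",
                   ipaddress.ip_network("10.10.1.2/32"), frozenset({21}))]

def zone_of(addr):
    """Map an address to a zone; anything outside the dmz subnet is untrust."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrust"

def evaluate(policies, dst_ip, dst_port, src_zone="untrust"):
    """Return (translated_ip, verdict) for one TCP connection from src_zone."""
    dst = ipaddress.ip_address(dst_ip)
    translated = DNAT.get(dst, dst)   # assumption: DNAT runs before policy lookup
    dst_zone = zone_of(translated)
    for p in policies:                # first match wins, otherwise default deny
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and translated in p.dst_net
                and (p.ports is None or dst_port in p.ports)):
            return str(translated), "permit"
    return str(translated), "deny"

def exposed_ports(policies, public_ip, candidates=(21, 22, 23, 80, 443, 3389)):
    """List the candidate TCP ports that reach the server via public_ip."""
    return [p for p in candidates if evaluate(policies, public_ip, p)[1] == "permit"]

if __name__ == "__main__":
    print("as written:", exposed_ports(AS_WRITTEN, "221.224.30.130"))
    print("narrowed:  ", exposed_ports(NARROWED, "221.224.30.130"))
```

In this model the policy as written lets every candidate port reach the server once the destination is translated, while the narrowed policy leaves only port 21 reachable.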