
Allowing Private Network to Access Internet Using SNAT

An SNAT rule is used to allow users in a private network to access the Internet. The rule translates internal IP addresses to a public IP address, so that internal users can reach the public network via the public interface.

As shown in the topology, internal PCs use SNAT on eth0/3 (221.224.30.130/20) to reach the Internet.

Step 1: Configuring Interface

1. Configuring the interface connected to private network

Select Network > Interface, and double click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 192.168.1.1
  • Netmask: 24

2. Configuring the interface connected to Internet

Select Network > Interface, and double click ethernet0/3.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 221.224.30.130
  • Netmask: 20

Step 2: Configuring security policy

Configuring a security policy to allow the private network to access the Internet

Select Policy > Security Policy, and click Add.

  • Name: trust_untrust
  • Source Information
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: untrust
    • Address: Any
  • Other Information
    • Action: Permit

Step 3: Configuring Address book

Configuring an address range for private network users

Select Object > Address Entry, and click New.

  • Name: snat_IP
  • Member: add "192.168.1.0/24"

Step 4: Configuring SNAT rule

Select Policy > NAT > SNAT, and click New.

  • Requirement:
    • Source Address: Address Entry, snat_IP (Note: enter the server's internal IP address.)
  • Translated to:
    • Specified IP: "IP Address", "221.224.30.130"
      (Note: enter the public IP address here)
    • Mode: Dynamic Port (multi-port to one)

(Optional) Under the Advanced tab, select the NAT log check box to enable NAT logging (for checking results).
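
How the Dynamic Port (multi-port to one) mode selected above shares one public address among many internal hosts, as an added Python model that is not part of the original cookbook or the vendor's code. The port pool, class name and method names are assumptions for illustration, and the mapping is simplified to ignore the destination.

```python
import ipaddress

SNAT_IP = ipaddress.ip_network("192.168.1.0/24")  # address entry snat_IP (Step 3)
PUBLIC_IP = "221.224.30.130"                      # Specified IP (Step 4)
PORT_POOL = range(1024, 65536)                    # assumed translated-port pool


class DynamicPortSnat:
    """Simplified model of many-to-one source NAT (hypothetical names)."""

    def __init__(self):
        self.out = {}   # (proto, src_ip, src_port) -> public port
        self.back = {}  # (proto, public port) -> (src_ip, src_port)
        self.log = []   # one line per new translation, like the NAT log

    def _alloc_port(self, proto):
        # First free public port; a real device fails new sessions when full.
        for port in PORT_POOL:
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("translated port pool exhausted")

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the (source IP, source port) seen on the untrust side."""
        if ipaddress.ip_address(src_ip) not in SNAT_IP:
            return src_ip, src_port  # rule does not match: left untranslated
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = self._alloc_port(proto)
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
            self.log.append(f"{proto} {src_ip}:{src_port} -> "
                            f"{PUBLIC_IP}:{port} dst {dst_ip}:{dst_port}")
        return PUBLIC_IP, self.out[key]

    def inbound(self, proto, dst_ip, dst_port):
        """Map a reply back to the internal host; None if no session exists."""
        if dst_ip != PUBLIC_IP:
            return None
        return self.back.get((proto, dst_port))


if __name__ == "__main__":
    nat = DynamicPortSnat()
    # Constructed sample flows: two PCs using the same source port.
    print(nat.outbound("tcp", "192.168.1.2", 40000, "198.51.100.10", 443))
    print(nat.outbound("tcp", "192.168.1.3", 40000, "198.51.100.10", 443))
    print(nat.inbound("tcp", PUBLIC_IP, 1025))  # reply reaches 192.168.1.3
    print(nat.inbound("tcp", PUBLIC_IP, 5000))  # unsolicited: no mapping
    print("\n".join(nat.log))
```

Inbound packets to a public port with no existing mapping return `None`, which is why an SNAT rule alone does not expose internal hosts to connections initiated from the Internet.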

Step 5: Configuring default route

Select Network > Routing > Destination Route, and click New.

  • Destination: 0.0.0.0
  • Subnet Mask: 0
  • Next Hop: Gateway
  • Gateway: 221.224.30.130

Step 6: Results

After configuration, PCs in the private network can ping 221.224.30.131 successfully.

Step 6: Check if DNAT rule works

Make sure NAT logging is enabled in the monitor module (select Monitor > Log > Log Monitor and, under the NAT tab, select Enable).

Go to Monitor > Log > NAT. You will be able to see that the destination IP 192.168.1.2 has been translated to internal IP 221.224.30.130.