Port | TCP/UDP | Description |
1 | TCP | TCP Port Service Multiplexer (TCPMUX) |
20 | TCP | FTP - Data |
21 | TCP | FTP - Control |
22 | TCP | SSH Remote Login Protocol |
23 | TCP | Telnet |
25 | TCP | Simple Mail Transfer Protocol (SMTP) |
42 | UDP | Host Name Server (Nameserv) |
43 | TCP | WhoIs |
53 | TCP/UDP | Domain Name System (DNS) |
67 | UDP | BOOTP/DHCP server |
68 | UDP | BOOTP/DHCP client |
69 | UDP | Trivial File Transfer Protocol (TFTP) |
79 | TCP | Finger |
80 | TCP | HTTP |
110 | TCP | POP3 |
119 | TCP | Newsgroup (NNTP) |
123 | UDP | Network Time Protocol (NTP) |
135 | TCP/UDP | RPC Locator service |
137 | TCP/UDP | NetBIOS Name Service |
138 | UDP | NetBIOS Datagram Service |
139 | TCP | NetBIOS Datagram Service |
143 | TCP | Interim Mail Access Protocol (IMAP) |
161 | UDP | SNMP |
179 | TCP | Border Gateway Protocol (BGP) |
389 | TCP/UDP | Lightweight Directory Access Protocol (LDAP) |
443 | TCP | HTTPS |
445 | TCP | Microsoft - DS |
636 | TCP | LDAP over TLS/SSL (LDAPS) |
953 | TCP | BIND DNS |
990 | TCP | FTP over TLS/SSL (FTPS) |
995 | TCP | POP3 over TLS/SSL (POP3S) |

Label | Description |
Use Static-Dynamic Route to Control 1-1 NAT Route | If you are using SiteToSite VPN and 1-1 SNAT, it’s recommended that you select this checkbox. Otherwise, you’ll need to create policy route rules for VPN and destination NAT traffic. Note that the selection of this checkbox will change the priority of the routing flow (SiteToSite VPN, Static-Dynamic Route, and 1-1 SNAT). See Packet Flow Explore for more information about the packet flow. |
Add | Click this to create a new entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
# | This field is a sequential value, and it is not associated with a specific entry. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This field displays the name of the entry. |
Mapping Type | This field displays what kind of NAT this entry performs: Virtual Server, 1:1 NAT, or Many 1:1 NAT. |
Interface | This field displays the interface on which packets for the NAT entry are received. |
External IP | This field displays the external destination IP address (or address object) of traffic that matches this NAT entry. It displays any if there is no restriction on the external destination IP address. |
Internal IP | This field displays the new destination IP address for the packet. |
Protocol | This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services. |
External Port | This field displays the external destination port(s) of packets for the NAT entry. This field is blank if there is no restriction on the external destination port. |
Internal Port | This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the external destination port. |
Apply | Click this button to save your changes to the Zyxel Device. |
Reset | Click this button to return the screen to its last-saved settings. |

Label | Description |
Create new Object | Use to configure any new settings objects that you need to use in this screen. |
Enable Rule | Use this option to turn the NAT rule on or off. |
Rule Name | Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. |
Classification | Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the Zyxel Device available to a public network outside the Zyxel Device (like the Internet). 1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the Zyxel Device translate the source IP address of the server’s outgoing traffic to the same public IP address that the outside clients use to access the server. Many 1:1 NAT - If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, select this to have the Zyxel Device translate the source IP address of each server’s outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server. The private and public ranges must have the same number of IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule. |
Incoming Interface | Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface. |
External IP | Specify the destination IP address of the packets received by this NAT rule’s specified incoming interface. any - Select this to use all of the incoming interface’s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface. User Defined - Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP without having to create a virtual interface for it. Host address - select a host address object to use the IP address it specifies. The list also includes address objects based on interface IPs. So for example you could select an address object based on a WAN interface even if it has a dynamic IP address. |
User Defined External IP | This field is available if External IP is User Defined. Type the destination IP address that this NAT rule supports. |
External IP Subnet/Range | This field displays for Many 1:1 NAT. Select the destination IP address subnet or IP address range that this NAT rule supports. The external and internal IP address subnets or ranges must have the same number of IP addresses. |
Internal IP | Select to which translated destination IP address this NAT rule forwards packets. User Defined - this NAT rule supports a specific IP address, specified in the User Defined field. HOST address - the drop-down box lists all the HOST address objects in the Zyxel Device. If you select one of them, this NAT rule supports the IP address specified by the address object. |
User Defined Internal IP | This field is available if Internal IP is User Defined. Type the translated destination IP address that this NAT rule supports. |
Internal IP Subnet/Range | This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The external and Internal IP address subnets or ranges must have the same number of IP addresses. |
Port Mapping Type | Use the drop-down list box to select how many external destination ports this NAT rule supports for the selected destination IP address (External IP). Choices are: Any - this NAT rule supports all the destination ports. Port - this NAT rule supports one destination port. Ports - this NAT rule supports a range of destination ports. You might use a range of destination ports for unknown services or when one server supports more than one service. Service - this NAT rule supports a service such as FTP (see Object > Service > Service). Service-Group - this NAT rule supports a group of services such as all service objects related to DNS (see Object > Service > Service Group). |
Protocol Type | This field is available if Mapping Type is Port or Ports. Select the protocol (TCP, UDP, or Any) used by the service requesting the connection. |
External Port | This field is available if Mapping Type is Port. Enter the external destination port this NAT rule supports. |
Internal Port | This field is available if Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet. |
External Start Port | This field is available if Mapping Type is Ports. Enter the beginning of the range of external destination ports this NAT rule supports. |
External End Port | This field is available if Mapping Type is Ports. Enter the end of the range of external destination ports this NAT rule supports. |
Internal Start Port | This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet. |
Internal End Port | This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this NAT rule forwards the packet. The external port range and the internal port range must be the same size. |
Enable NAT Loopback | Enable NAT loopback to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule’s specified External IP address to access the Internal IP device. For users connected to the same interface as the Internal IP device, the Zyxel Device uses that interface’s IP address as the source address for the traffic it sends from the users to the Internal IP device. For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the Zyxel Device uses the LAN interface’s IP address as the source address for the traffic it sends to the LAN server. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule’s specified incoming interface. |
Security Policy | By default the security policy blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Security Policy link to configure a security policy to allow the NAT rule’s traffic to come in. The Zyxel Device checks NAT rules before it applies To-Zyxel Device security policies, so To-Zyxel Device security policies do not apply to traffic that is forwarded by NAT rules. The Zyxel Device still checks other security policies, according to the source IP address and internal IP address. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists). |
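
The table above states three constraints that are easy to violate when planning rules: the Rule Name format, equal-sized external and internal ranges for Many 1:1 NAT, and equal-sized external and internal port ranges. The following is an added example, not Zyxel code, that checks planned rules against them before they are entered on the device. The dictionary schema, the range and subnet notation, the sample addresses, and counting every address in a subnet are assumptions made for illustration.

```python
import ipaddress
import re
# Rule Name: 1-31 alphanumerics, underscores or dashes; first character not a number.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

def address_count(spec):
    """Count addresses in 'a.b.c.d', 'a.b.c.d-e.f.g.h' or 'a.b.c.d/nn' (assumed notation)."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end before start: {spec}")
        return int(last) - int(first) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses

def port_count(start, end):
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"bad port range {start}-{end}")
    return end - start + 1

def check_rule(rule):
    """Return the problems found in one planned NAT rule (dict, hypothetical schema)."""
    problems = []
    if not NAME_RE.fullmatch(rule["name"]):
        problems.append("rule name violates the 1-31 character naming rule")
    try:
        if rule["classification"] == "Many 1:1 NAT":
            ext, internal = address_count(rule["external_ip"]), address_count(rule["internal_ip"])
            if ext != internal:
                problems.append(f"external range has {ext} addresses, internal has {internal}")
        if rule.get("port_mapping") == "Ports":
            e, i = port_count(*rule["external_ports"]), port_count(*rule["internal_ports"])
            if e != i:
                problems.append(f"external port range covers {e} ports, internal covers {i}")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample rules for illustration (documentation address ranges).
SAMPLE_RULES = [
    {"name": "web_farm", "classification": "Many 1:1 NAT",
     "external_ip": "203.0.113.10-203.0.113.13", "internal_ip": "192.168.1.8/30"},
    {"name": "1st_rule", "classification": "Virtual Server", "port_mapping": "Ports",
     "external_ip": "203.0.113.20", "internal_ip": "192.168.1.20",
     "external_ports": (8000, 8010), "internal_ports": (80, 89)},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["name"], check_rule(r) or "ok")
```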