Interface NAT and Policy-based NAT - difference on 5GT and NS-25

  • Hello,

    I’ve some trouble with Interface-NAT. I put interface eth1 in nat mode. Interface eth4 is the interface in the untrust zone. I think that all traffic from trust (int eth1) to untrust should be processed with nat and the source IP should change to the IP set up on int eth4 in the untrust zone if the untrust-zone is the destination for that traffic.

    I’m wondering why traffic to any other zone, i.e. DMZ, is NATted.

    And secondly, the same configuration works perfectly on a 5GT; everything including NAT is fine on that device.

    Has anyone an idea why the NS-25 is working differently and how to fix the config?

    best regards


  • Engineer

    It works with the 5GT only when using the home/work zones. Anyway, you should avoid using NAT mode. This mode is still present for backward compatibility but is not recommended. There are some limitations with NAT capabilities and also some behavior changes in the packet flow.

  • Hello mindwise,

    OK, thanks a lot! Yes, you’re right.

    The problem in this case is the different DEFAULT zone naming scheme. The DEFAULT trust zone on a 5GT is named work and on an NS-25 it is named trust. NAT can only be used between DEFAULT zones. I also found this in the Concepts and Examples guide, in the chapter Interfaces.

    The only thing I have to do is to rename the zone work to trust.

    I’m going on with testing now.

    best regards


  • Actually, interface-based NAT is also "influenced" by which virtual routers you are using, but let's assume ScreenOS 5.x.

    1 virtual-router:

    Interface-based NAT will ONLY happen if:

    "Ingress interface in NAT mode and in the DEFAULT Trust zone" AND "Egress interface is in the DEFAULT Untrust zone". NAT will source-translate to the egress interface IP (IF NO MIP exists for that host!!).

    In this case, translation to the DMZ does not happen (unless you are using a certain 4.x release of ScreenOS).

    Hope this clarifies
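As an added illustration, not written by any of the posters above, here is a small Python model of the interface-based NAT rule stated in the last post (single virtual router, ScreenOS 5.x), run over constructed addresses for the Trust/Work/Untrust/DMZ cases the thread discusses. That a MIP takes precedence over interface NAT for the mapped host is an assumption, as are all interface names and IPs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Default security zone names on the NS-25; on a 5GT in Home/Work mode the
# default trusted zone is "Work" instead, which is the mismatch in the thread.
DEFAULT_TRUST = "trust"
DEFAULT_UNTRUST = "untrust"


@dataclass
class Interface:
    name: str
    zone: str
    ip: str
    nat_mode: bool = False                              # True = interface in NAT mode
    mips: Dict[str, str] = field(default_factory=dict)  # host IP -> MIP address


def translated_source(src_ip: str, ingress: Interface, egress: Interface) -> Optional[str]:
    """Source address seen on the egress side, or None if the packet is not translated.

    Assumption (not from the thread): when a MIP exists on the egress interface
    for the host, the MIP address is used instead of the egress interface address.
    """
    if src_ip in egress.mips:                           # MIP wins over interface NAT
        return egress.mips[src_ip]
    if not ingress.nat_mode:                            # route mode: no translation
        return None
    if ingress.zone.lower() != DEFAULT_TRUST or egress.zone.lower() != DEFAULT_UNTRUST:
        return None                                     # only default Trust -> default Untrust
    return egress.ip


def thread_scenarios() -> Dict[str, Optional[str]]:
    """Constructed sample addresses reproducing the cases discussed in the thread."""
    host = "10.1.1.50"
    eth1_trust = Interface("ethernet1", "Trust", "10.1.1.1", nat_mode=True)
    eth1_work = Interface("ethernet1", "Work", "10.1.1.1", nat_mode=True)   # 5GT-style zone name
    eth4 = Interface("ethernet4", "Untrust", "203.0.113.2")
    eth4_mip = Interface("ethernet4", "Untrust", "203.0.113.2", mips={host: "203.0.113.10"})
    eth2_dmz = Interface("ethernet2", "DMZ", "172.16.0.1")
    return {
        "trust_to_untrust": translated_source(host, eth1_trust, eth4),       # egress IP
        "work_to_untrust": translated_source(host, eth1_work, eth4),         # not a default zone
        "trust_to_untrust_mip": translated_source(host, eth1_trust, eth4_mip),
        "trust_to_dmz": translated_source(host, eth1_trust, eth2_dmz),       # no translation
    }
```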