Should I use pre-NAT or post-NAT addresses/ports in Firewall rules?

Firewall rules are always matched against the address that carries the most information. For example, if the entire internal network 192.168.*.* is NATed behind 1.2.3.4, the firewall matches on the 192.168.*.* addresses for traffic to and from that network, not on 1.2.3.4. At the session layer this works out to pre-NAT for the source address and source port, and post-NAT for the destination address and destination port. An easy way to remember the rule: matching always happens on the side where the most information is available.
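The following is a small model of that matching order, added here as an illustration and not taken from the product's own code. It evaluates rules against a session's pre-NAT source address/port and post-NAT destination address/port, and shows the practical consequence: an inbound port-forward rule written against the public (pre-NAT) destination does not match, while the same rule written against the internal (post-NAT) destination does. All addresses, ports and rule names are constructed sample values; the `Session`, `Rule` and `evaluate` names are this example's own.

```python
"""Constructed example of pre-NAT/post-NAT rule matching (not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One connection as seen before and after NAT (constructed model)."""
    pre_src: str
    pre_sport: int
    pre_dst: str
    pre_dport: int
    post_src: str
    post_sport: int
    post_dst: str
    post_dport: int

    def match_tuple(self) -> Tuple[str, int, str, int]:
        """The tuple a rule is evaluated against: pre-NAT source
        address/port, post-NAT destination address/port."""
        return (self.pre_src, self.pre_sport, self.post_dst, self.post_dport)


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str            # CIDR, compared with the pre-NAT source address
    dst_net: str            # CIDR, compared with the post-NAT destination address
    dport: Optional[int]    # post-NAT destination port; None means any port
    action: str             # "allow" or "deny"

    def matches(self, s: Session) -> bool:
        src, _sport, dst, dport = s.match_tuple()
        return (
            ip_address(src) in ip_network(self.src_net)
            and ip_address(dst) in ip_network(self.dst_net)
            and (self.dport is None or self.dport == dport)
        )


def evaluate(rules: List[Rule], session: Session,
             default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the deciding rule)."""
    for r in rules:
        if r.matches(session):
            return r.action, r.name
    return default, "default"


# Outbound: internal host source-NATed to the public address 1.2.3.4.
OUTBOUND = Session(
    pre_src="192.168.10.25", pre_sport=40000, pre_dst="198.51.100.53", pre_dport=53,
    post_src="1.2.3.4", post_sport=50000, post_dst="198.51.100.53", post_dport=53,
)

# Inbound: public 1.2.3.4:443 destination-NATed (port-forwarded) to an internal server.
INBOUND = Session(
    pre_src="203.0.113.7", pre_sport=51515, pre_dst="1.2.3.4", pre_dport=443,
    post_src="203.0.113.7", post_sport=51515, post_dst="192.168.10.80", post_dport=8443,
)

RULES = [
    # Outbound rule names the internal (pre-NAT) source network.
    Rule("lan-dns-out", "192.168.10.0/24", "198.51.100.53/32", 53, "allow"),
    # Inbound rule names the internal (post-NAT) destination, not 1.2.3.4.
    Rule("web-in", "0.0.0.0/0", "192.168.10.80/32", 8443, "allow"),
]

# The common mistake: an inbound rule written against the public destination.
PUBLIC_SIDE_RULE = Rule("web-in-wrong-side", "0.0.0.0/0", "1.2.3.4/32", 443, "allow")


def demo() -> dict:
    """Collect the three verdicts so they can be inspected or asserted on."""
    return {
        "outbound": evaluate(RULES, OUTBOUND),
        "inbound": evaluate(RULES, INBOUND),
        "inbound_wrong_side": evaluate([PUBLIC_SIDE_RULE], INBOUND),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

When checking a port-forward rule, compare the rule's destination with the session's internal (post-NAT) address and port; a rule that names the public address will silently never match and the traffic falls through to the default action.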
