A NAT firewall allows internet traffic to pass through the gateway if a device on the private network requested it. Any unsolicited requests or data packets are discarded, preventing communication with potentially dangerous devices.

If a tier-1 gateway has both SNAT and a gateway firewall (GWFW) configured, and the GWFW is disabled or not stateful, you must configure a NO SNAT rule for the tier-1 gateway's advertised subnets. Otherwise, connections initiated from outside to IP addresses in these subnets fail: the gateway has no connection entry to match the reply against, so it applies the SNAT rule to the reply, and the initiator drops a packet whose source is the translated address rather than the address it connected to.

Here are some traffic scenarios. VM-A sits behind T1-A, which has an SNAT rule for VM-A's subnet; VM-B and VM-C are reached through T1-A's uplink:
  1. Any traffic flow initiated from VM-A/ is translated to as the source IP, regardless of whether the gateway firewall is stateful, stateless, or disabled. When the return traffic from VM-C or VM-B arrives for that flow, it has a destination IP of; T1-A matches it against the SNAT flow entry and translates it back so that it reaches VM-A. The SNAT rule works as expected, and there are no issues.
  2. VM-B/ initiates a traffic flow to VM-A/. Here, the behavior differs depending on whether T1-A has a stateful firewall, a stateless firewall, or no firewall at all. The firewall rules permit the traffic between VM-B and VM-A. To handle this scenario, configure a NO SNAT rule for traffic matching to. When this NO SNAT rule exists, the reply is never translated and there is no difference in behavior between the firewall modes.
  3. In scenario 2, if T1-A has a stateful firewall, it creates a firewall connection entry for the TCP SYN packet from VM-B/ to VM-A/. When VM-A replies, T1-A matches the reply against that connection entry and forwards the traffic from VM-A/ to VM-B/ without SNAT translation, because the firewall skips the SNAT lookup when return traffic matches a firewall connection entry.
  4. In scenario 2, if T1-A has the firewall disabled or stateless, T1-A forwards the TCP SYN packet from VM-B/ to VM-A/ without creating a firewall connection entry, because there is either no firewall or no state. When VM-A/ replies to VM-B/, T1-A finds no connection entry, performs the SNAT lookup, and translates the source IP from VM-A/ to. When that reply reaches VM-B, VM-B drops it because the source IP address is instead of VM-A/, so the packet does not belong to the connection VM-B opened.
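The following is an added worked example, not NSX code from the original page. It is a small Python model of the T1-A datapath described in the scenarios above (SNAT flow table, optional stateful gateway firewall, ordered NAT rule lookup) and plays scenario 1 and scenario 2 through it in each firewall mode, with and without the NO SNAT rule. All addresses and ports are assumptions, since the page elides them: VM-A is 10.1.1.10 in T1-A's advertised subnet 10.1.1.0/24, VM-B is 10.2.2.20 in 10.2.2.0/24, and T1-A translates VM-A's traffic to 192.168.100.1. The rule order (NO SNAT evaluated before SNAT) and the processing order inside `forward()` are also modelling assumptions chosen to reproduce the behavior the page describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addresses (the page elides them).
VM_A = "10.1.1.10"          # behind T1-A, in its advertised subnet 10.1.1.0/24
VM_B = "10.2.2.20"          # in 10.2.2.0/24, reached through T1-A's uplink
SNAT_IP = "192.168.100.1"   # address T1-A translates VM-A's traffic to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    action: str                          # "SNAT" or "NO_SNAT"
    source_network: str
    destination_network: str = "0.0.0.0/0"
    translated_ip: Optional[str] = None  # SNAT only

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.source_network)
                and ip_address(pkt.dst) in ip_network(self.destination_network))


class Tier1Gateway:
    """Minimal model of T1-A: SNAT flow table, optional stateful gateway
    firewall, and an ordered NAT rule list (first match wins). Firewall rules
    are taken to permit all traffic, as the page states."""

    def __init__(self, nat_rules: List[NatRule], firewall: str = "stateful"):
        assert firewall in ("stateful", "stateless", "disabled")
        self.nat_rules = list(nat_rules)
        self.firewall = firewall
        self.conn_table = set()   # firewall connection entries (stateful only)
        self.snat_flows = {}      # (translated src, sport, dst, dport) -> original src

    def forward(self, pkt: Packet) -> Packet:
        """Return the packet as it leaves T1-A."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Return traffic of a flow T1-A itself translated (scenario 1): undo the SNAT.
        if rev in self.snat_flows:
            return Packet(pkt.src, self.snat_flows[rev], pkt.sport, pkt.dport)

        # Stateful firewall: a reply matching a connection entry is forwarded as-is
        # and the SNAT lookup is skipped. The first packet creates the entry.
        if self.firewall == "stateful":
            if rev in self.conn_table:
                return pkt
            self.conn_table.add(fwd)

        # NAT rule lookup in configured order; a matching NO_SNAT rule ends it.
        for rule in self.nat_rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "NO_SNAT":
                return pkt
            if rule.action == "SNAT":
                self.snat_flows[(rule.translated_ip, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
                return Packet(rule.translated_ip, pkt.dst, pkt.sport, pkt.dport)
        return pkt


def vm_b_accepts(syn: Packet, reply: Packet) -> bool:
    """VM-B only accepts a reply that belongs to the connection it opened."""
    return (reply.src == syn.dst and reply.dst == syn.src
            and reply.sport == syn.dport and reply.dport == syn.sport)


def scenario_1() -> List[Tuple[str, str]]:
    """VM-A initiates a flow to VM-B. Returns (source seen by VM-B, destination
    of the reply after T1-A) per firewall mode; works in every mode."""
    results = []
    for mode in ("stateful", "stateless", "disabled"):
        t1 = Tier1Gateway([NatRule("SNAT", "10.1.1.0/24", translated_ip=SNAT_IP)], mode)
        out = t1.forward(Packet(VM_A, VM_B, sport=50000, dport=80))
        back = t1.forward(Packet(VM_B, out.src, sport=80, dport=50000))
        results.append((out.src, back.dst))
    return results


def scenario_2(firewall: str, no_snat_rule: bool) -> Tuple[str, bool]:
    """VM-B initiates a flow to VM-A. Returns (reply source IP as seen by
    VM-B, whether VM-B accepts the reply)."""
    rules = []
    if no_snat_rule:   # assumed to be ordered ahead of the SNAT rule
        rules.append(NatRule("NO_SNAT", "10.1.1.0/24", "10.2.2.0/24"))
    rules.append(NatRule("SNAT", "10.1.1.0/24", translated_ip=SNAT_IP))
    t1 = Tier1Gateway(rules, firewall)

    syn = Packet(VM_B, VM_A, sport=40000, dport=443)
    to_vm_a = t1.forward(syn)   # reaches VM-A untranslated: VM-B is not in the SNAT source
    reply = t1.forward(Packet(to_vm_a.dst, to_vm_a.src, sport=443, dport=40000))
    return reply.src, vm_b_accepts(syn, reply)


if __name__ == "__main__":
    print("scenario 1:", scenario_1())
    for mode in ("stateful", "stateless", "disabled"):
        for no_snat in (False, True):
            print(f"scenario 2, {mode:9s} no_snat={no_snat}:", scenario_2(mode, no_snat))
```

Without the NO SNAT rule, the stateless and disabled modes return a reply sourced from 192.168.100.1, which VM-B rejects; the stateful mode, and every mode once the NO SNAT rule is in place, return the reply sourced from VM-A's own address.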