A NAT firewall allows internet traffic to pass through the gateway if a device on the private network requested it. Any unsolicited requests or data packets are discarded, preventing communication with potentially dangerous devices.
If a tier-1 gateway has both SNAT and gateway firewall (GWFW) configured, and if the GWFW is not configured to be stateful, you must configure NO SNAT for the tier-1 gateway's advertised subnets. Otherwise, traffic to IP addresses in these subnets will fail.
In the example below, T1-A is the gateway and there is a SNAT rule configured that translates any traffic from its attached subnet 192.168.1.0/0 to 10.1.1.1.
- Any traffic stream that is initiated from VM-A/192.168.1.1 will get translated to 10.1.1.1 as the source IP, regardless if gateway firewall is stateful, stateless, or disabled. When the traffic from VM-C or VM-B returns for that flow, they will have a destination IP of 10.1.1.1; T1-A will match it up with the SNAT flow and translate it correctly so that it flows back to VM-A. The SNAT rule works as expected, and there are no issues.
- VM-B/220.127.116.11 initiates a traffic flow to VM-A/192.168.1.1. Here, there’s a difference in behavior when T1-A has a stateful firewall versus when it has no firewall or stateless firewall. The firewall rules permit the traffic between VM-B and VM-A. To have this scenario, configure a NO-NAT rule for traffic matching 192.168.1.0/24 to 18.104.22.168/24. When this NO-NAT rule exists, then there will be no difference in behavior.
- If T1-A has stateful firewall, the T1-A firewall will create a firewall connection entry for the TCP SYN packet from VM-B/22.214.171.124 to VM-A/192.168.1.1. When VM-A replies, T1-A will match the reply packet with the stateful connection entry, and forward the traffic from VM-A/192.168.1.1 to VM-B/ 126.96.36.199 with no SNAT translation. This is because the firewall will skip the SNAT lookup when the return traffic matches up with a firewall connection entry.
- If T1-A has firewall disabled or stateless, the T1-A firewall will forward the TCP SYN packet from VM-B/188.8.131.52 to VM-A/192.168.1.1 without creating a firewall connection entry, because it’s either stateless or no firewall. When VM-A/192.168.1.1 replies back to VM-B/184.108.40.206, T1-A sees that there’s no firewall connection entry, performs SNAT on it, and translates the source IP from VM-A/192.168.1.1 to 10.1.1.1. When that reply gets back to VM-B, VM-B will drop the traffic because the source IP address is 10.1.1.1 instead of VM-A/192.168.1.1.