Is it possible to set up Full Nat rule for an entire subnet?

Hi,

this is possible but looks very odd.

You have to do 2 Full NAT Rules.

1. 172 to 10 with DNAT and SNAT to a Range. 

2. 10 to 172 with DNAT and SNAT to a Range. 

This will do a 1:1 NAT. You can basically perform the same with /16 etc. 

Thanks for the reply. Yes I know this is an unusual setup but it's something we need to do.

I'm having trouble getting this done. Is there any documentation that I can follow?

Thanks. 

You will run into a special construct of NATing because XG will choose a random IP out of the Range you select. 

But it should work fine. You want to do 1:1 NAT isn´t it? 

I'm looking to do 1:Many NAT...

Something like this:

DNAT and SNAT 172.18.2.0/24 to 10.1.0.13/32

DNAT and SNAT 10.1.0.13/32 to172.18.2.0/24

Hi,

your second entry does not make sense?

Ian

Hi,

your second entry does not make sense?

Ian

Thanks for the reply Ian, I will take a step back and try to explain what we are trying to do.

We need to create a Telnet connection with a device that only accepts traffic and talks to a 10.1.x IP, the is going to be traffic coming from our Azure VNet from any IP in 172.18.3.0/24 range. 

How can we make a Full NAT translation from the 172.x IPs to the 10.x IP.

Thanks.

Hi Albert,

is the traffic both ways and if not where does it originate? If using telnet you would not need a 1:1 NAT. 

Ian

Correct traffic is both ways.

- 172.x initiates a session with 10.x

- 10.x sends files to 172.x

- 172.x runs clean up on 10.x

During that entire sequence the 10.x device can only talk to another 10.x device which is why we need the NAT translation.

I hope that makes sense.

Thanks again.

Yes, to a certain degree. So a 10 device never originates traffic?

In that case you only need a NAT from the 172 to 10 network. The XG firewall will handle the return traffic from the 10 network as part of the valid connections between the two devices.The firewall would not see the return traffic using the 10 to 172 NAT as valid.

Ian

Understood. I will give it a try and report back. Thanks again.