Screen OS

  • 1.  route mode

    Posted 12-09-2012 13:59
    I have two separate SSG20s, each with an eth interface in route mode. Neither device has any DIP pools configured.

    Noticed that one of the devices is NATing but the other isn't.

    The only difference between them is that the device that isn't NATing has an external modem connected to it.

    Does this config automatically change the operation of interfaces in route mode?


  • 2.  RE: route mode

    Posted 12-09-2012 14:09
    The modem (or DSL router) has a number of ports forwarding to the firewall; could that be a reason why it isn't NATing?


  • 3.  RE: route mode

    Posted 12-10-2012 00:30

    Hi,

    The egress interface mode plays no role. If the ingress interface is running in NAT mode, source NAT is performed or not depending on the source and destination zones and their mapping to the virtual routers.

    As described in KB4761:

    Interface-based NAT only works from and to the following zones in the Trust-VR:

    • Trust zone to Untrust zone
    • Trust zone to DMZ Zone

    Traffic from and to other zones will be routed.

    The behavior for interface NAT with the Untrust-VR is different. If the destination zone is in the Untrust-VR, then NAT will take place from ANY zone.

    I recommend never using interface-based NAT.



  • 4.  RE: route mode

    Posted 12-10-2012 13:23
    I do not understand what you mean by egress or ingress 'interface' modes. Can you explain?

    Also, why do you recommend not using interface-based NAT?


  • 5.  RE: route mode
    Best Answer

    Posted 12-11-2012 03:38

    Hi,

    The ingress interface is the interface the packet comes in on. The egress interface is the interface the packet leaves the firewall through. Whether the packet's source IP is NATed on the egress interface depends on the mode of the ingress interface, its zone and VR. This type of NAT is very inflexible. Also, you should always keep the NAT rules in mind, which are described in KB4761. Besides, you will not be able to disable NAT for certain policies.

    The preferred way is to use route mode on all interfaces and configure src-NAT in the policies. You need a single mouse click to enable src-NAT to the egress interface IP.
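
    As an added illustration (not part of the thread, and not a Juniper-supplied config), the two configurations the reply above contrasts, written out in ScreenOS CLI. Interface names, zones, addresses and policy IDs are assumptions; the lines starting with `#` are annotations and are not CLI input.

```text
# (a) Interface-based NAT: the Trust-side ingress interface is in NAT mode.
#     Source NAT then happens only for Trust->Untrust and Trust->DMZ traffic
#     inside trust-vr (the KB4761 rule); everything else is routed, and no
#     policy can switch the translation off for a particular flow.
set interface ethernet0/0 zone trust
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 203.0.113.2/24
set interface ethernet0/2 route
set policy id 1 from trust to untrust any any any permit

# (b) Preferred: every interface in route mode, source NAT decided per policy.
set interface ethernet0/0 zone trust
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 route
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 203.0.113.2/24
set interface ethernet0/2 route
# Assumed address-book entry for a host that must see the real internal source.
set address untrust partner-host 203.0.113.50/32
# Policy 1 (matched first): no "nat src", so the original source address is kept.
set policy id 1 from trust to untrust any partner-host any permit
# Policy 2: "nat src" with no DIP pool translates the source to the egress
# interface IP (203.0.113.2) for everything else.
set policy id 2 from trust to untrust any any any nat src permit
```

    To check which situation a box is in, `get interface ethernet0/0` reports whether that interface is in NAT or route mode, and `get session` shows, per established flow, whether the source address was translated. Policies are evaluated top down, which is why the no-NAT policy is created first in (b).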