When the Barracuda Web Application Firewall is deployed in two-arm proxy mode, all traffic originating from the LAN to the Internet is denied by default. NAT rules must be configured to map internal source IP addresses to routable IP addresses.
The Barracuda Web Application Firewall allows you to configure NAT rules on the ADVANCED > Advanced Networking page.
Configure Source Network Address Translation Rule
- From the ADVANCED > Network Firewall page in the Source Network Address Translation section, specify values for the following:
- Pre SNAT Source - Specify the IP address/network of your backend web server that needs to be translated.
- Pre SNAT Source Mask - Specify the associated network mask for the source IP address/network.
- Protocol - Select TCP/UDP as the communication protocol to be used between the hosts.
- Destination Port - Specify the destination port/range of port numbers of the server to which the backend server wants to connect.
- Outgoing Interface - Select WAN as the outgoing interface for the traffic to pass through.
- Post SNAT Source - Specify the IP address to which your web server IP address should be mapped to access the Internet.
- Click Add.
If the Post SNAT Source is different from the WAN IP address of the Barracuda Web Application Firewall, you need to add the new IP address in the Custom Virtual Interfaces section on the ADVANCED > Advanced Networking page to associate it to the WAN interface.
NAT for LAN Servers (Auto SNAT)
You can configure auto-SNAT for LAN servers to reach the Internet directly without any NAT or ACL rule being configured. Go to the ADVANCED > Advanced Networking page to configure NAT for LAN servers.
Configure NAT for LAN Servers
- Go to the ADVANCED > Advanced Networking page.
- In the Network Configuration section, select System as Network Group and then select the Configuration tab.
- In the NAT for LAN Servers section, set Enable SNAT for LAN Servers to Yes.
- Click Save.
When Enable SNAT for LAN Servers is set to Yes, all traffic originating from LAN to go out on the WAN is automatically NATed with the WAN interface IP address. The traffic originating from any subnet that belongs to LAN is also NATed. In this case, a user is not required to configure SNAT and ACL rules for the Real Servers because the Barracuda Web Application Firewall automatically NATs and allows the LAN traffic to go out to the Internet.
For more granular access control on the traffic originating from the LAN going out to the Internet, set Enable SNAT for LAN Servers to No and manually configure the SNAT rule.