How do I configure destination NAT rules on my Barracuda Web Application Firewall to re-write the destination IP address of incoming traffic?
All Barracuda Web Application Firewalls, all firmware versions
Destination Network Address Translation (DNAT) is a technique used to re-write the destination IP address of incoming traffic. Suppose you have a server inside your LAN and you want users outside the network to access that server. This can be accomplished by configuring a DNAT rule that directs the traffic passing through the Barracuda Web Application Firewall to the internal network.
For example, let's say that you have a mail server inside your LAN with the IP address 192.168.2.5 on port 25. Users outside the network cannot access the mail server through the Barracuda Web Application Firewall as this is a private IP address and hence non-routable. If you want to allow the users to access the mail server, you need to configure the DNAT rule for port 25 so that any traffic destined for port 25 on the WAN interface of the Barracuda Web Application Firewall is redirected to 192.168.2.5.
To configure DNAT, we need to enable expert settings.
Specify the values for the following fields to add a DNAT rule:
* Pre DNAT Destination: Specifies the destination IP address before translation. This could be any of the IP addresses configured on the WAN interface.
* Pre DNAT Destination Mask: Specifies the associated netmask of the destination IP address.
* Destination Port: Specifies the destination port. You can specify either an individual port number (example: 80) or a range of port numbers (example: 100-200). The default value of 1-65535 allows all the ports.
* Protocol: Specifies the protocol of the incoming traffic. Select the protocol from the drop-down list.
  - Values - TCP, UDP, TCP/UDP and Any.
  - Default Value - TCP/UDP
* Incoming Interface: Specifies the interface through which the traffic enters the Barracuda Web Application Firewall.
* Post DNAT Destination: Specifies the destination IP address (internal IP address) to which the packets are forwarded.
Ensure that you configure an ACL rule along with the DNAT rule to allow the traffic to pass through the Barracuda Web Application Firewall via port 25; otherwise, the firewall drops the incoming packets.
The incoming ACL should be bound to the WAN interface, and the source IP should be the server IP address (Post DNAT Destination) to which the traffic is going.
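The following Python sketch is an added example, not Barracuda code: it models how the rule fields above select traffic and flags two points worth checking before a rule is applied (a rule left at the default port range, and a rule with no ACL for its ports). The matching semantics, the names `DnatRule`, `review` and `acl_ports`, and the WAN address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Protocol drop-down values from the page, mapped to the protocols they cover.
PROTOCOLS = {"TCP": {"tcp"}, "UDP": {"udp"}, "TCP/UDP": {"tcp", "udp"}, "Any": None}

def parse_ports(spec):
    """Parse '80' or '100-200' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return low, high

@dataclass
class DnatRule:
    pre_dest: str                 # Pre DNAT Destination (an IP on the WAN interface)
    pre_mask: str                 # Pre DNAT Destination Mask
    post_dest: str                # Post DNAT Destination (internal server)
    ports: str = "1-65535"        # Destination Port, page default
    protocol: str = "TCP/UDP"     # Protocol, page default
    interface: str = "WAN"        # Incoming Interface

    def translate(self, dst_ip, dst_port, proto, interface):
        """Return the rewritten destination IP, or None if the rule does not match."""
        net = ipaddress.ip_network(f"{self.pre_dest}/{self.pre_mask}", strict=False)
        low, high = parse_ports(self.ports)
        covered = PROTOCOLS[self.protocol]
        hit = (interface == self.interface
               and ipaddress.ip_address(dst_ip) in net
               and low <= dst_port <= high
               and (covered is None or proto.lower() in covered))
        return self.post_dest if hit else None

def review(rule, acl_ports):
    """List review findings; acl_ports is the set of ports the ACLs allow (assumed input)."""
    low, high = parse_ports(rule.ports)
    findings = []
    if (low, high) == (1, 65535):
        findings.append("default port range exposes every port on " + rule.post_dest)
    if not any(low <= p <= high for p in acl_ports):
        findings.append("no ACL allows these ports, so the packets are dropped")
    return findings

# Constructed sample: the page's mail server behind an assumed WAN address.
mail = DnatRule("203.0.113.10", "255.255.255.255", "192.168.2.5", ports="25", protocol="TCP")
print(mail.translate("203.0.113.10", 25, "tcp", "WAN"))
print(review(mail, acl_ports={25}))
```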