Setting up NAT rules on a USG is a very common request in our support tickets. We therefore created this step-by-step guide (including a video), which sets up a NAT rule towards a NAS device placed in the USG's LAN.
1. Log in to the device to start the configuration
2. Navigate to Configuration > Network > NAT
- create a new rule by clicking on "Add"
- enter a rule name and set the port mapping type to "virtual server"
- set the incoming interface to WAN
Incoming interface - the interface that the traffic arrives on
Source IP - where the users are connecting from (e.g. trusted IPs)
External IP - the public IP of the WAN interface
Internal IP - the IP address of the server that you want to forward the ports to
Port Mapping Type
any - all traffic will be forwarded
Service - select a service object (a protocol)
Service-Group - select a service-group object (a group of protocols)
Port - select a port that needs to be forwarded
Ports - select a port range that needs to be forwarded
External vs. Internal ports
The external port is the port that the external user connects to on the firewall's WAN side
The internal port is the port that the traffic is forwarded to internally on the LAN
This can be either a 1:1 translation (port 443 to 443) or a translation to a different port (port 4433 to 443, for example)
- add two new objects by clicking on "create new object" > "address"
- add your WAN IP and your NAS IP
- set the created objects as external and internal IP
- set the port mapping type to port and configure the ports (i.e. port 50000 - please see the video for reference)
- check that NAT loopback is enabled and click OK (NAT loopback allows users connected to any interface to use the NAT rule too)
3. Create a new service object by navigating to Configuration > Object > Service.
Add port 50000 and name it as desired:
4. Navigate to Configuration > Security Policy > Policy Control and add a new rule:
From WAN to LAN, Destination NAS IP, Service HTTP_NAS, Action allow
5. Save the rule and, if possible, test the NAT rule from a different remote network. You should have access to your NAS via WAN.
Open a browser and type in the WAN IP of your USG followed by the configured port. The NAS is now behind the USG and reachable through port forwarding.
Example with our WAN IP: https://[yourWAN-IP]:50000
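The following Python sketch is an added example, not Zyxel code or part of the original guide. It is a simplified model of how the virtual server rule from step 2 and the policy from step 4 combine, and it shows why the Source IP field and the port named in the policy matter. The class and function names, the addresses (documentation ranges) and the assumption that the policy is checked against the translated NAS IP and internal port are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VirtualServerRule:      # hypothetical model of the NAT rule fields in step 2
    incoming_interface: str
    source: str               # CIDR of allowed sources; "0.0.0.0/0" means any
    external_ip: str
    internal_ip: str
    external_port: int
    internal_port: int

@dataclass
class PolicyRule:             # hypothetical model of the policy in step 4
    from_zone: str
    to_zone: str
    destination: str
    port: int                 # port of the service object (e.g. HTTP_NAS)
    action: str

def translate(rule, iface, src, dst, dport):
    """Return (internal_ip, internal_port) if the NAT rule matches, else None."""
    if iface != rule.incoming_interface or dst != rule.external_ip:
        return None
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.source):
        return None
    if dport != rule.external_port:
        return None
    return rule.internal_ip, rule.internal_port

def decide(nat, policies, iface, src, dst, dport):
    """Assumed order: NAT first, then the policy is checked on the translated target."""
    target = translate(nat, iface, src, dst, dport)
    if target is None:
        return "drop (no NAT match)"
    for p in policies:
        if p.from_zone == iface and p.to_zone == "LAN" and (p.destination, p.port) == target:
            return f"{p.action} -> {target[0]}:{target[1]}"
    return "drop (no policy match)"

# Constructed sample values, not taken from the article.
WAN_IP, NAS_IP = "203.0.113.10", "192.168.1.50"
nat = VirtualServerRule("WAN", "198.51.100.0/24", WAN_IP, NAS_IP, 50000, 50000)
policies = [PolicyRule("WAN", "LAN", NAS_IP, 50000, "allow")]

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 50000), ("192.0.2.99", 50000), ("198.51.100.7", 443)]:
        print(src, port, "=>", decide(nat, policies, "WAN", src, WAN_IP, port))
```

In this model, a 4433-to-443 mapping is only allowed when the policy's service object names the internal port 443, and a source outside the trusted range never reaches the NAS.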
For a more detailed description please see our video: