
Difference in Traffic Flow: Source NAT vs. Destination NAT in Check Point

  • Feb 28
  • 2 min read

Topology (diagram not reproduced)


1. Traffic Flow for Source NAT (SNAT)

When an internal user accesses the internet, the firewall performs Source NAT to translate the private IP into a public IP.

Traffic Flow Order:

  1. Routing Decision (Pre-NAT)

    • The firewall checks the original source IP and destination IP to determine the appropriate routing table entry.

  2. Security Policy Lookup (Pre-NAT)

    • The firewall checks whether a security rule allows traffic from the original (pre-NAT) source IP to the destination.

  3. Source NAT (SNAT)

    • The firewall translates the internal source IP (e.g., 192.168.1.10) to the configured public IP (203.0.113.10).

  4. Routing Decision (Post-NAT)

    • The firewall now performs a new routing lookup based on the NATed source IP (203.0.113.10).

  5. Packet Sent to Destination

    • The packet is sent to the destination on the internet.

  6. Return Traffic

    • The return packet from the public server arrives at the firewall, which looks up the NAT table to map it back to the original private source IP.

    • The firewall de-NATs the public IP (203.0.113.10) back to the original private IP (192.168.1.10).

  7. Routing Decision (Post-De-NAT)

    • The firewall performs another routing lookup to forward the packet back to the internal network.

2. Traffic Flow for Destination NAT (DNAT)

When external users access an internal service using a public IP, the firewall performs Destination NAT to translate the public IP into the internal private IP.

Traffic Flow Order:

  1. Routing Decision (Pre-NAT)

    • The firewall checks the routing table based on the original destination IP (e.g., 203.0.113.100).

    • Since the public IP belongs to the firewall, the packet is accepted for processing.

  2. Destination NAT (DNAT)

    • The firewall translates the destination IP from the public IP (203.0.113.100) to the internal private IP (192.168.1.100).

  3. Security Policy Lookup (Post-NAT)

    • The firewall checks whether a security rule allows traffic from the original source IP to the translated destination IP (192.168.1.100).

  4. Routing Decision (Post-NAT)

    • The firewall now determines how to forward traffic based on the translated private destination IP.

  5. Packet Sent to Internal Server

    • The packet is sent to the actual internal server (192.168.1.100).

  6. Return Traffic

    • The return packet from the internal server is received by the firewall.

    • The firewall looks up the NAT table and translates the private IP back to the public IP (203.0.113.100).

  7. Routing Decision (Post-De-NAT)

    • The firewall forwards the packet back to the original external source.
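The SNAT and DNAT orders above, modelled as a small stateful gateway (an added example, not Check Point code or part of the original post). Interface names, the policy rules and the 198.51.100.x peers are assumptions; the translated addresses are the ones the post uses. It also shows the check a practitioner cares about: a reply with no connection-table entry is dropped rather than de-NATed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology following the post: LAN 192.168.1.0/24 behind the gateway,
# hide-NAT public IP 203.0.113.10, static NAT 203.0.113.100 -> 192.168.1.100.
LAN, ANY = ip_network("192.168.1.0/24"), ip_network("0.0.0.0/0")
HIDE_IP = ip_address("203.0.113.10")
SERVER_PUBLIC, SERVER_PRIVATE = ip_address("203.0.113.100"), ip_address("192.168.1.100")
ROUTES = {LAN: "eth1-lan", ANY: "eth0-wan"}          # hypothetical interface names
# Rulebase as (src, dst) pairs that are allowed. The outbound rule is matched on
# pre-NAT addresses and the inbound rule on the translated destination, the
# order the post describes for SNAT and DNAT respectively.
POLICY = [(LAN, ANY), (ANY, ip_network("192.168.1.100/32"))]
CONN_TABLE = {}  # (post-NAT src, post-NAT dst, sport, dport) -> (orig src, orig dst)

def route(addr):
    """Longest-prefix match against the routing table."""
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def allowed(src, dst):
    return any(src in s and dst in d for s, d in POLICY)

def outbound(src, dst, sport, dport):
    """SNAT order: route (pre-NAT) -> policy (pre-NAT) -> SNAT -> route (post-NAT)."""
    src, dst = ip_address(src), ip_address(dst)
    if route(dst) != "eth0-wan" or not allowed(src, dst):
        return None                                   # dropped before NAT
    new_src = HIDE_IP if src in LAN else src          # source port kept for brevity
    CONN_TABLE[(new_src, dst, sport, dport)] = (src, dst)
    return str(new_src), str(dst), route(dst)

def inbound(src, dst, sport, dport):
    """DNAT order: route (dst is gateway-owned) -> DNAT -> policy (post-NAT) -> route."""
    src, dst = ip_address(src), ip_address(dst)
    if dst != SERVER_PUBLIC:
        return None                                   # no static NAT for this IP
    new_dst = SERVER_PRIVATE
    if not allowed(src, new_dst):
        return None                                   # policy checked on private IP
    CONN_TABLE[(src, new_dst, sport, dport)] = (src, dst)
    return str(src), str(new_dst), route(new_dst)

def reply(src, dst, sport, dport):
    """Return traffic: match the reversed tuple in the connection table and de-NAT."""
    src, dst = ip_address(src), ip_address(dst)
    entry = CONN_TABLE.get((dst, src, dport, sport))
    if entry is None:
        return None                                   # unsolicited: no state, dropped
    orig_src, orig_dst = entry
    return str(orig_dst), str(orig_src), route(orig_src)
```

Each function returns the packet's (source, destination, egress interface) after that stage, or None when the gateway drops it.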
