SecureGUARD GmbH

Technical Blog for SecureGUARD Products and Solutions

NAT Rules and NAT Modes

In this post I want to give a deep dive into the NAT capabilities of EPS.

Within the NAT Rules Module of the SecureGUARD Management interface you are able to create NAT rules to mask:

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • and combinations of the previous

Overview of the "Add NAT Configuration"

There are four different NAT modes:

  • NAT
  • HideNAT
  • RouteBasedHideNAT
  • ProxyNAT



NAT Mode: NAT

The NAT mode NAT is used to statically translate a specific IP address/port combination to another combination.

Use-case example

Make an internal terminal server (accessible via port 3389) available from an external network to allow access to this service.

Configuration example

  • Network Conditions
    • FROM: External
    • TO: Localhost
  • Protocol Conditions: RDP
  • Network Translation
    • Translation Destination: target terminal server

NAT Mode: Hide NAT

The NAT mode Hide NAT is used to mask source IP addresses. The source port is replaced with a dynamically assigned port number.

Use-case example

Mask the IP addresses of internal clients when accessing external resources.

Configuration example

  • Network Conditions
    • FROM: internal Network or IP-address range
    • TO: External Network
  • Protocol Conditions: All Traffic
  • Network Translation
    • Translation Source: external IP address of the operating system environment EPS is installed on.

NAT Mode: RouteBasedHideNAT

The NAT mode RouteBasedHideNAT is an extended version of Hide NAT which can be used to determine the adapter's IP address automatically.

RouteBasedHideNAT also supports DHCP-activated adapters.

Use-case example

Mask the IP address of internal clients when using a DHCP assigned IP address from your ISP.


Configuration example

  • Network Condition
    • FROM: Internal network or IP-address range
    • TO: External network
  • Protocol Condition: Any Protocol
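The translations described for the NAT, Hide NAT and RouteBasedHideNAT modes can be followed packet by packet in a small model. This is an added example, not EPS code or its implementation; the names `Packet`, `static_nat` and `HideNat`, the port pool and all addresses are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

def static_nat(pkt, listen_port, target_ip):
    """NAT mode: fixed destination rewrite; any external source is forwarded."""
    if pkt.dport != listen_port:
        return pkt                      # protocol condition not met
    return pkt._replace(dst=target_ip)

class HideNat:
    """Hide NAT: internal sources share one external IP plus a dynamic port."""
    def __init__(self, internal_net, external_ip, ports=range(49152, 65536)):
        self.net = ipaddress.ip_network(internal_net)
        # A callable models RouteBasedHideNAT: address looked up per new flow.
        self.external_ip = external_ip if callable(external_ip) else (lambda: external_ip)
        self.free = iter(ports)
        self.out = {}    # original flow -> (external ip, assigned port)
        self.back = {}   # (ext ip, port, remote ip, remote port) -> (client ip, port)

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in self.net:
            return pkt                  # FROM condition not met
        if pkt not in self.out:
            port = next(self.free, None)
            if port is None:
                raise RuntimeError("NAT port pool exhausted")
            ext = self.external_ip()
            self.out[pkt] = (ext, port)
            self.back[(ext, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        ext, port = self.out[pkt]
        return pkt._replace(src=ext, sport=port)

    def inbound(self, pkt):
        """Translate a reply back to the client; None means no state, so drop."""
        client = self.back.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if client is None:
            return None
        return pkt._replace(dst=client[0], dport=client[1])

if __name__ == "__main__":
    # Constructed addresses: RFC 5737 documentation ranges and 10.0.0.0/24.
    print(static_nat(Packet("198.51.100.7", 50000, "203.0.113.1", 3389), 3389, "10.0.0.20"))
    nat = HideNat("10.0.0.0/24", "203.0.113.1")
    print(nat.outbound(Packet("10.0.0.5", 1234, "192.0.2.80", 443)))
    print(nat.inbound(Packet("192.0.2.80", 443, "203.0.113.1", 49152)))
    print(nat.inbound(Packet("192.0.2.80", 443, "203.0.113.1", 50000)))  # None
```

In this model the static rule forwards every matching packet from the external side to the terminal server, while the hide rule only passes inbound packets that match a flow an internal client opened first. That difference is why a published RDP rule deserves a narrower FROM condition than "External" where possible.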


NAT Mode: Proxy NAT

The NAT mode Proxy NAT is used to enable transparent web proxy capabilities. It redirects incoming HTTP traffic to the web proxy. This type of NAT rule is automatically created if you configure a Web Access Rule with either "Proxy and Transparent" or "Transparent" rule mode selected.
