To configure Destination NAT for Traffic from Internet to LAN (Outside to Inside)
Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP headers. It is typically used to redirect incoming packets addressed to a public address/port to a private IP address/port inside your network.
Instructions
There are two options for making this change:
Option 1: Configure Static NAT
However, if the customer does not want to expose all ports, use Dynamic NAT instead.
Option 2: Configure Dynamic NAT
The recommendation is to configure a dynamic outbound NAT rule for the internet service, with port forwarding enabled for the required ports.
WAN Links >> Firewall >> NAT >> Dynamic NAT (do not use the Destination NAT option)
Select the direction as Outbound
Inside IP Address: the IP of the server/host that will receive the traffic from the Internet/external network


In the above port forwarding rule, we are translating the destination IP address of the traffic to 172.16.187.11.
In this case, users need to initiate traffic to the interface IP on TCP port 80.
Traffic from outside that arrives on the respective WAN link (e.g. Internet) on TCP port 80, addressed to the corresponding interface IP, will be translated to 172.16.187.11.
Example: the WAN link interface IP is 1.1.1.1. The user initiates traffic to 1.1.1.1 on TCP port 80.
The destination address of this packet will be translated to 172.16.187.11.
This configuration performs NAT for all outgoing internet connections, and also allows incoming connections from the Internet to the LAN on the ports configured under the port forwarding rules.
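
The difference between the two options, as an added example that is not part of the original article and not the appliance's own logic: a simplified Python model in which static NAT maps every port on the WAN link interface IP to the server, while outbound dynamic NAT with one port forwarding rule admits unsolicited traffic only on the forwarded port. The inside port 80, the outside client address, the list of ports checked and the starting translated port are assumptions made for the example.

```python
from collections import namedtuple

# proto, port on the WAN link interface IP, server/host on the LAN and its port
PortForward = namedtuple("PortForward", "proto outside_port inside_ip inside_port")

class DynamicNat:
    """Simplified model of outbound dynamic NAT with port forwarding rules."""
    def __init__(self, wan_ip, forwards):
        self.wan_ip = wan_ip
        self.forwards = {(f.proto, f.outside_port): f for f in forwards}
        self.sessions = {}      # (proto, wan_port, remote) -> inside (ip, port)
        self.next_port = 40000  # constructed start of the translated port range

    def outbound(self, proto, src, remote):
        """LAN to Internet: the source becomes (wan_ip, allocated port)."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, wan_port, remote)] = src
        return (self.wan_ip, wan_port)

    def inbound(self, proto, remote, dst):
        """Internet to WAN link: translated destination, or None if dropped."""
        dst_ip, dst_port = dst
        if dst_ip != self.wan_ip:
            return None
        session = self.sessions.get((proto, dst_port, remote))
        if session:  # reply belonging to an existing outbound connection
            return session
        rule = self.forwards.get((proto, dst_port))
        return (rule.inside_ip, rule.inside_port) if rule else None

def static_nat_inbound(wan_ip, inside_ip, dst):
    """One-to-one static NAT: any port on wan_ip reaches the same port inside."""
    dst_ip, dst_port = dst
    return (inside_ip, dst_port) if dst_ip == wan_ip else None

def exposed_ports(translate, ports):
    """Ports in `ports` on which an unsolicited outside packet reaches the LAN."""
    return [p for p in ports if translate(p) is not None]

# Article values: WAN IP 1.1.1.1, server 172.16.187.11, TCP port 80.
NAT = DynamicNat("1.1.1.1", [PortForward("tcp", 80, "172.16.187.11", 80)])
CLIENT = ("203.0.113.7", 51000)  # constructed outside client (documentation range)
CHECK = [22, 80, 443, 3389]      # constructed list of ports to compare
DYNAMIC = exposed_ports(lambda p: NAT.inbound("tcp", CLIENT, ("1.1.1.1", p)), CHECK)
STATIC = exposed_ports(
    lambda p: static_nat_inbound("1.1.1.1", "172.16.187.11", ("1.1.1.1", p)), CHECK)
```

In this model `DYNAMIC` contains only port 80, while `STATIC` contains every port checked, which is why the article recommends Option 2 when only specific ports should be reachable.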