[ATP/FLEX] How to configure a NAT Rule (Virtual Server) on Nebula?

Zyxel_James (Zyxel Employee)
edited February 7 in Networking

The Virtual Server feature publishes internal servers to the Internet, which lets you reach services on the internal network behind the firewall. This article explains step by step how to configure a NAT rule (Virtual Server), also known as port forwarding, on Nebula-managed ATP and USG FLEX firewalls so that those services can be accessed from the Internet.


In this example, WAN1 IP is mapped to HFS server 1 and WAN2 is mapped to HFS server 2.

Configuration steps

Go to Configure > Firewall > NAT and create two rules for virtual servers.

Uplink: Select the WAN interface you want to map from.

Public IP/Port: Input the address/port that receives the packets.

LAN IP/Port: Input the address/port that you want to map to.

Allow Remote IPs: This works as an allow list. Separate multiple IP addresses with a comma (","), or use /24 notation for a range of IP addresses. "Any" means all IP addresses are allowed, so the forwarded service is reachable from every source on the Internet.
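
A pre-check for an Allow Remote IPs value before it is entered, as an added example that is not part of the original article or Zyxel's own code: it parses the comma-separated list and flags "Any", malformed entries, ranges broader than /24 and entries already covered by another one. The function name, the /24 threshold, the IPv4-only parsing and the sample addresses are assumptions; Nebula's own validation of the field may differ.

```python
import ipaddress

def audit_allow_remote_ips(value, min_prefix=24):
    """Parse an 'Allow Remote IPs' string; return (networks, findings).

    Hypothetical helper: assumes comma-separated IPv4 addresses or CIDR
    ranges, or the keyword "Any", as the article describes the field.
    """
    networks, findings = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry (stray comma)")
            continue
        if entry.lower() == "any":
            findings.append("'Any' exposes the forwarded port to every source")
            continue
        try:
            # strict=True rejects ranges with host bits set, e.g. 203.0.113.5/24
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"{entry}: not a valid address or range ({exc})")
            continue
        if net.prefixlen < min_prefix:
            findings.append(f"{net}: broader than /{min_prefix} "
                            f"({net.num_addresses} addresses)")
        if any(net.subnet_of(other) for other in networks):
            findings.append(f"{net}: already covered by an earlier entry")
        networks.append(net)
    return networks, findings

if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    samples = [
        "198.51.100.7, 203.0.113.0/24",
        "Any",
        "203.0.113.5/24",
        "198.51.0.0/16",
    ]
    for sample in samples:
        nets, notes = audit_allow_remote_ips(sample)
        print(f"{sample!r}: {[str(n) for n in nets]}")
        for note in notes:
            print("  finding:", note)
```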


Note: You don't need to create a firewall rule on Nebula as you would in on-premises mode. It is created automatically when you create the NAT rule.

To check the automatically created firewall rules, enter the CLI command "debug sdwan show firewall running-config". The rules are named in the form "SN_port_forwarding_IndexNumber".

If you want to block specific unfriendly IP addresses or Geo IP locations rather than maintain an allow list, you can create a security policy to block them.


Test Result

Access the local HFS servers at http://10.214.48.26:4430 and http://10.214.30.66:4430.




If you configured the NAT ports correctly but are still unable to access your server through the public IP address, check whether your Nebula firewall is behind another NAT router or firewall. On Nebula, go to Devices > Firewall > WAN status to check if there are two IP addresses on one WAN interface. If the Nebula firewall is behind NAT, you can follow the guide in this article.
Models: 
ATP Series: ATP100, ATP100W, ATP200, ATP500, ATP700, ATP800
USG FLEX Series: USG FLEX 50, USG FLEX 50W, USG FLEX 100, USG FLEX 100W, USG FLEX 200, USG FLEX 500, USG FLEX 700, USG20-VPN, USG20W-VPN