An FW matches packets against NAT policies in top-down order. Once the packets match a NAT policy, the FW processes them according to that policy and stops matching them against the remaining NAT policies.
For source NAT, specify the private source address in the security policy on the FW, that is, the address the packets carry before source NAT is performed.
The FW matches packets with a security policy before enforcing a NAT policy. If the packets match the security policy, the FW performs source NAT for the packets. If the packets do not match the security policy, the FW discards the packets.
For NAT Server, specify the private destination address in the security policy on the FW, that is, the address the packets carry after NAT Server translation is performed.
The FW matches packets with server-map entries before enforcing a security policy. After the FW translates destination addresses based on the server-map entries, the FW processes the packets based on the security policy.
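The processing order described above can be traced with a small model. This is an added example, not code from the original page or from the vendor. The addresses, rule names, and the `process` and `matches` helpers are constructed for illustration, and the security policy is simplified to a list of permit rules where no match means discard.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation address ranges), not from the page.
SERVER_MAP = {("203.0.113.10", 80): ("10.2.0.7", 8080)}  # NAT Server: public -> private
NAT_POLICIES = [  # matched top-down; the first hit ends the search
    {"name": "exempt_mgmt", "src": "10.1.1.0/28", "action": "no-nat"},
    {"name": "snat_lan", "src": "10.1.1.0/24", "action": "source-nat",
     "to": "198.51.100.1"},
]

def matches(rule, pkt):
    """True if the packet's src/dst fall inside the rule's networks."""
    return (ip_address(pkt["src"]) in ip_network(rule.get("src", "0.0.0.0/0"))
            and ip_address(pkt["dst"]) in ip_network(rule.get("dst", "0.0.0.0/0")))

def process(pkt, security_policy):
    """Return the forwarded packet, or None if the security policy discards it."""
    pkt = dict(pkt)
    # 1. NAT Server: server-map lookup rewrites the destination first.
    hit = SERVER_MAP.get((pkt["dst"], pkt["dport"]))
    if hit:
        pkt["dst"], pkt["dport"] = hit
    # 2. Security policy: sees the post-NAT-Server destination and the
    #    pre-source-NAT source. No matching permit rule means discard.
    if not any(matches(rule, pkt) for rule in security_policy):
        return None
    # 3. Source NAT: walk the NAT policies top-down and stop at the first match.
    for rule in NAT_POLICIES:
        if matches(rule, pkt):
            pkt["nat_rule"] = rule["name"]
            if rule["action"] == "source-nat":
                pkt["src"] = rule["to"]
            break
    return pkt

if __name__ == "__main__":
    outbound = {"src": "10.1.1.50", "dst": "192.0.2.20", "dport": 443}
    inbound = {"src": "192.0.2.50", "dst": "203.0.113.10", "dport": 80}
    print(process(outbound, [{"src": "10.1.1.0/24"}]))      # private source: translated
    print(process(outbound, [{"src": "198.51.100.1/32"}]))  # public source: None
    print(process(inbound, [{"dst": "10.2.0.7/32"}]))       # private destination: forwarded
    print(process(inbound, [{"dst": "203.0.113.10/32"}]))   # public destination: None
```

A security policy written with the public address never matches in either direction, which is the usual symptom when NAT traffic is silently dropped.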