Reflection NAT


This document describes how to configure Reflection NAT. Reflection NAT is a mechanism that allows you to secure any Internet Site using the Acreto Platform. Technically, to achieve this, we need to:

  1. Let the user redirect the traffic to the Acreto-allocated IP address by setting the correct DNS records,
  2. On the Acreto side, the headers of the traffic sent by the user are modified:
    1. The source IP address is changed to the Acreto-allocated IP address
    2. The destination IP address is changed to the Internet site’s IP address
  3. On the Internet Site side, all incoming traffic is firewalled, with the exception of what comes from the Acreto-allocated IP address.
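The three steps above can be walked through in code. The following is an added example (not Acreto's code and not from the original article): a small model of the translation rule and of the origin-side firewall, using RFC 5737 documentation addresses as constructed placeholders for the allocated IP, the protected server and an Internet user. The source-port rewrite and the reply-mapping table are assumptions about how such a rule is usually implemented; the article itself only states that the source and destination IP addresses are rewritten.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 5737 documentation ranges); the article's
# real allocated IP and server IP are not reproduced here.
ACRETO_ALLOCATED_IP = "198.51.100.10"   # Acreto-allocated public IP that the DNS name points to
ORIGIN_SERVER_IP = "203.0.113.20"       # the Internet site being protected
INTERNET_CLIENT_IP = "192.0.2.55"       # an arbitrary Internet user


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class ReflectionNat:
    """Model of the translation policy from the article: traffic whose destination
    is the allocated IP gets source := allocated IP, destination := server IP.
    Source-port rewriting and the reply-mapping table are assumptions about how
    such a rule is implemented, not something the article states."""

    def __init__(self, allocated_ip, server_ip):
        self.allocated_ip = allocated_ip
        self.server_ip = server_ip
        self._table = {}          # translated source port -> (client IP, client port)
        self._next_port = 40000

    def forward(self, pkt):
        """Client -> Acreto -> origin. Returns None for traffic the rule does not match."""
        if pkt.dst != self.allocated_ip:
            return None
        nat_port, self._next_port = self._next_port, self._next_port + 1
        self._table[nat_port] = (pkt.src, pkt.sport)
        return Packet(self.allocated_ip, self.server_ip, nat_port, pkt.dport)

    def reverse(self, pkt):
        """Origin -> Acreto -> client: undo the translation using the mapping table."""
        if pkt.src != self.server_ip or pkt.dst != self.allocated_ip:
            return None
        entry = self._table.get(pkt.dport)
        if entry is None:
            return None
        client_ip, client_port = entry
        return Packet(self.allocated_ip, client_ip, pkt.sport, client_port)


def origin_firewall_allows(pkt, allocated_ip=ACRETO_ALLOCATED_IP):
    """Origin-side policy from step 3: only the allocated IP may reach the web ports."""
    return pkt.src == allocated_ip and pkt.dport in (80, 443)


def simulate(client_ip=INTERNET_CLIENT_IP, client_port=51234):
    """Walk one request through both paths and report what the origin sees."""
    nat = ReflectionNat(ACRETO_ALLOCATED_IP, ORIGIN_SERVER_IP)
    via_acreto = nat.forward(Packet(client_ip, ACRETO_ALLOCATED_IP, client_port, 80))
    reply = Packet(ORIGIN_SERVER_IP, ACRETO_ALLOCATED_IP, 80, via_acreto.sport)
    direct = Packet(client_ip, ORIGIN_SERVER_IP, client_port, 80)   # not using the DNS name
    return {
        "origin_sees_source": via_acreto.src,
        "via_acreto_allowed": origin_firewall_allows(via_acreto),
        "reply_reaches_client": nat.reverse(reply).dst == client_ip,
        "direct_allowed": origin_firewall_allows(direct),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the model makes is that the origin server only ever sees the allocated IP as the source, which is what makes the single-source firewall rule in step 3 workable; a request that skips the DNS name and goes straight to the origin address is what that rule exists to stop.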

You can find more about this technique on the Internet, for example at

Securing website scenario

In this example, we will protect the website, hosted on a server with IP In order to achieve this, we will do the following:

Configuration of Acreto Platform

Create Address object for remote Server / Application to be Protected

  1. Log in to Acreto Platform at
  2. Go to Elements > Objects and click Add new object
  3. Select Address
  4. Fill fields:
    1. Name - Server
    2. Address -
    3. Category - Application
  5. Press “Save”

Allocate IP address for remote Server / Application to be Protected

  1. Go to Elements > Objects and click Add new object
  2. Select Allocated IP
  3. Fill fields:
    1. Name - Public IP
  4. Press “Save”

Create Reflection NAT Rule

  1. Go to Policies > Address Translation
  2. Press “Add New Translation Policy”
  3. Fill the fields:
    1. Name: KB ACRETO RNAT
    2. If communications attributes match this:
      1. Source - select “Any Internet IP”
      2. Destination - select previously allocated IP - “ Public IP”
    3. Then translate to the following:
      1. Source - select “ Public IP”
      2. Destination - select “ Server”
  4. Click “Save”

Ensure that NAT policy exists

  1. Go to Policies > Address Translations
  2. Find the rule you have just created and note the IP address written below “ Public IP”
    1. in our case, it is

Create security policy to add threat management

  1. Go to Policies > Security
  2. Click “Add New Policy”
  3. Create a new policy that will allow traffic to ACRETO:
    1. Name: KB ACRETO Protection
    2. Source: any
    3. Service: select TCP/80 (HTTP)
    4. Application: any
    5. Destination: select “ Server”
    6. Action: Allow
    7. Threat protection - enabled
  4. Press “Save”
  5. Commit your changes

Configuration of DNS records

In your DNS server, create or change DNS record for to point to, for example:

secure   IN   A

Note: In the future, we will use CNAME records instead of A records.

Note 2: For testing, you can put this name into your hosts file (/etc/hosts on Linux/Mac) instead:

Configuration of ACRETO web server

On the ACRETO web server, configure the firewall to allow traffic to TCP ports 80 and 443 only from the ACRETO Public IP, in our example -
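Since the whole scheme depends on this one firewall rule, it is worth checking the origin server's ruleset rather than trusting it. The following is an added example (not Acreto's code and not from the original article): a small audit over an iptables-save style INPUT chain that flags web ports accepting from anything other than the allocated IP and a missing default DROP. Both rulesets and the allocated IP are constructed samples; the article's real address is not reproduced here.

```python
import shlex
from ipaddress import ip_network

# Constructed placeholder: the Acreto-allocated IP shown in the article is not reproduced here.
ACRETO_PUBLIC_IP = "198.51.100.10"

# Constructed sample: a weak origin-server ruleset (iptables-save format) that leaves the
# web ports open to the whole Internet, so the Reflection NAT can be bypassed entirely.
WEAK_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample: the corrected ruleset, admitting 80/443 only from the Acreto IP.
HARDENED_RULES = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 198.51.100.10/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
"""


def _ports(spec):
    """Expand '80,443' or '8000:8010' into a set of port numbers."""
    out = set()
    for p in spec.split(","):
        if ":" in p:
            lo, hi = p.split(":")
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(p))
    return out


def parse_rule(line):
    """Parse one iptables-save rule line into the fields this audit needs."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "proto": None, "iface": None,
            "ports": set(), "ctstate": None, "target": None}
    keys = {"-A": "chain", "-s": "src", "-p": "proto", "-i": "iface",
            "--ctstate": "ctstate", "-j": "target"}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in keys:
            rule[keys[t]] = toks[i + 1]
            i += 2
        elif t in ("--dport", "--dports"):
            rule["ports"] = _ports(toks[i + 1])
            i += 2
        else:
            i += 1
    return rule


def audit_origin_firewall(rules_text, acreto_ip, protected_ports=(80, 443)):
    """Return a list of findings; empty means the INPUT chain admits the protected
    ports only from the Acreto IP and drops everything else by default."""
    protected = set(protected_ports)
    acreto_net = ip_network(f"{acreto_ip}/32")
    findings, policy, reachable_by_acreto, last = [], None, set(), None
    for raw in rules_text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT"):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        last = r
        if r["target"] != "ACCEPT" or r["iface"] == "lo" or r["ctstate"]:
            continue
        if r["proto"] not in (None, "tcp"):
            continue
        # An ACCEPT rule with no port match covers every port, the web ports included.
        hit = (r["ports"] or protected) & protected
        if not hit:
            continue
        if r["src"] is None:
            findings.append(f"ports {sorted(hit)} accept from any source")
            reachable_by_acreto |= hit
        elif ip_network(r["src"], strict=False) == acreto_net:
            reachable_by_acreto |= hit
        else:
            findings.append(f"ports {sorted(hit)} accept from {r['src']}, not the Acreto IP")
    missing = protected - reachable_by_acreto
    if missing:
        findings.append(f"no ACCEPT from the Acreto IP on ports {sorted(missing)}")
    unconditional_drop = (last is not None and last["target"] in ("DROP", "REJECT")
                          and last["src"] is None and not last["ports"] and not last["ctstate"])
    if policy != "DROP" and not unconditional_drop:
        findings.append(f"INPUT default policy is {policy} and no final DROP rule")
    return findings


if __name__ == "__main__":
    print("weak:", audit_origin_firewall(WEAK_RULES, ACRETO_PUBLIC_IP))
    print("hardened:", audit_origin_firewall(HARDENED_RULES, ACRETO_PUBLIC_IP))
```

Run it against the output of `iptables-save` from the origin server; an empty result for the hardened ruleset and the three findings for the weak one show the difference between "the web ports are open" and "the web ports are open only to Acreto".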


Go to - you should see the ACRETO website