Traffic intended for DNAT processing is selected via a nat classifier. The nat classifier has configurable protocol and destination ports. The inclusion of the classifier in the NAT policy is the trigger for performing DNAT. The configuration of the nat classifier determines which of the following is true:
Specific traffic defined in the match criteria is DNATed, while the rest of the traffic is transparently passed through the nat classifier.
Specific traffic defined in the match criteria is transparently passed through the nat classifier, while the rest of the traffic is DNATed.
The classifier cannot drop traffic (no action drop). However, a non-reachable destination IP address in DNAT causes traffic to be black-holed.
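The two classifier modes and the black-hole caveat above, modelled in Python as an added example; it is not the product's configuration syntax or code. The names `Entry`, `Classifier` and `blackhole_targets`, the sample addresses, and the use of a prefix list to stand in for reachability are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Entry:
    """Hypothetical match entry: protocol plus destination ports."""
    protocol: str            # "tcp" or "udp"
    ports: range             # destination ports this entry matches
    dnat_to: Optional[str]   # DNAT target, or None for transparent pass-through

@dataclass(frozen=True)
class Classifier:
    entries: Tuple[Entry, ...]
    default_dnat_to: Optional[str]  # action for traffic that matches no entry

    def classify(self, protocol: str, dst_port: int) -> Optional[str]:
        """Return the DNAT target for a packet, or None if it is passed through.
        There is no drop outcome: every packet is either DNATed or passed."""
        for e in self.entries:
            if e.protocol == protocol and dst_port in e.ports:
                return e.dnat_to
        return self.default_dnat_to

    def dnat_targets(self) -> set:
        targets = {e.dnat_to for e in self.entries} | {self.default_dnat_to}
        return targets - {None}

def blackhole_targets(classifier: Classifier, reachable_prefixes) -> list:
    """DNAT targets outside every reachable prefix. Traffic rewritten to
    these addresses is black-holed even though the classifier never drops."""
    nets = [ip_network(p) for p in reachable_prefixes]
    return sorted(t for t in classifier.dnat_targets()
                  if not any(ip_address(t) in n for n in nets))

# Constructed sample data (documentation address ranges).
# Mode 1: matched traffic is DNATed, the rest is passed through.
MATCH_IS_DNATED = Classifier((Entry("udp", range(53, 54), "192.0.2.53"),), None)
# Mode 2: matched traffic is passed through, the rest is DNATed.
MATCH_IS_PASSED = Classifier((Entry("tcp", range(443, 444), None),), "198.51.100.10")
REACHABLE = ["192.0.2.0/24"]  # assumed routing view of reachable prefixes

if __name__ == "__main__":
    for name, c in (("mode 1", MATCH_IS_DNATED), ("mode 2", MATCH_IS_PASSED)):
        print(name, "black-hole risk:", blackhole_targets(c, REACHABLE))
```

Running a check like this against the intended DNAT targets before the classifier is added to the NAT policy catches the black-hole case, which otherwise shows up only as silent traffic loss.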