About 1-to-1 NAT

When you enable 1-to-1 NAT, your Firebox maps one or more private IP addresses to one or more public IP addresses. This allows you to make internal network resources like a mail server accessible on the internet.

You can apply 1-to-1 NAT to one IP address, a range of addresses, or a subnet. A 1-to-1 NAT rule always has precedence over dynamic NAT.

To connect to a computer located on a different interface that uses 1-to-1 NAT, you must use that computer’s public (NAT base) IP address. If this is a problem, you can disable 1-to-1 NAT and use static NAT.

Common Uses

Administrators typically use 1-to-1 NAT for an internal server with a private IP address that must be made public. For example, you can configure 1-to-1 NAT for a mail server on your internal network. Users on the internal network connect to the mail server with the private IP address. Users outside of your network connect to your mail server with the public IP address that you specify in the 1-to-1 NAT settings.

You can also use 1-to-1 NAT for a group of internal servers. For example, if you have five internal mail servers, you can use 1-to-1 NAT to map public IP addresses to the internal servers.

When you configure 1-to-1 NAT, you do not have to change the IP address of your internal servers.

Example — Single Server

This example explains the 1-to-1 NAT configuration for an internal mail server. The public IP address you use in the one-to-one NAT configuration must not be the same as the existing IP address of an Ethernet interface.

In this example:

  • Your Firebox has an external interface IP address of 203.0.113.100/24
  • One internal email server has the private IP address 10.0.1.11
  • You want to associate the private IP address with a public IP address

You can add a 1-to-1 NAT rule to associate the private IP address of your internal mail server with a corresponding public IP address. To do this, select an unused public IP address on the same network subnet as the external interface. For example, the public IP address could be 203.0.113.11. Create a DNS record for the mail server to resolve to.

Then create a 1-to-1 NAT rule for traffic through the External interface that maps the private (real) IP address of the mail server to the corresponding public IP address.

Real Base      NAT Base
10.0.1.11      203.0.113.11

The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding IP addresses. When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship between the pair of addresses. 1-to-1 NAT also operates on traffic sent from networks the Firebox protects.

For more information about how to configure this example, see Configure Firewall 1-to-1 NAT.

Example — Group of Servers

When you have a group of similar servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers. The public IP addresses you use in the one-to-one NAT configuration must not be the same as the existing IP address of an Ethernet interface.

In this example:

  • Your Firebox has an external interface IP address of 203.0.113.100/24
  • Five internal email servers have private IP addresses in the range 10.0.1.11 to 10.0.1.15
  • You want to associate these private IP addresses with five public IP addresses

You can add a 1-to-1 NAT rule to associate each of the private email servers with a corresponding public IP address. To do this, select five unused public IP addresses on the same network subnet as the external interface. For example, these public IP addresses could be in the range 203.0.113.11 to 203.0.113.15. Create DNS records for the email servers to resolve to.

Then create a 1-to-1 NAT rule for traffic through the External interface that maps the IP range of five private (real) IP addresses of the email servers to the corresponding set of five public IP addresses.

Real Base      NAT Base        Range
10.0.1.11      203.0.113.11    5

With a range of 5, the rule maps these pairs of addresses:

  • 10.0.1.11 to 203.0.113.11
  • 10.0.1.12 to 203.0.113.12
  • 10.0.1.13 to 203.0.113.13
  • 10.0.1.14 to 203.0.113.14
  • 10.0.1.15 to 203.0.113.15

The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding pairs of IP addresses. When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship between each pair of addresses in the two address ranges. 1-to-1 NAT also operates on traffic sent from networks the Firebox protects.
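As an added illustration (not code from the WatchGuard documentation or the Firebox itself), this small Python model expands the single-server and group rules above into their address pairs, translates in both directions, and checks the two constraints the examples state: the NAT base addresses must be on the external interface's subnet and must not be the interface's own address. The class name and method names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OneToOneNatRule:
    """A 1-to-1 NAT rule: real (private) base, NAT (public) base, number of hosts (range)."""
    real_base: str
    nat_base: str
    hosts: int = 1

    def pairs(self) -> Dict[str, str]:
        """Expand the rule into real -> NAT pairs, taking consecutive addresses from each base."""
        real = ipaddress.ip_address(self.real_base)
        nat = ipaddress.ip_address(self.nat_base)
        return {str(real + i): str(nat + i) for i in range(self.hosts)}

    def validate(self, external_interface: str) -> List[str]:
        """Check the page's constraints on NAT base addresses; an empty list means the rule is acceptable."""
        iface = ipaddress.ip_interface(external_interface)
        problems = []
        for nat in self.pairs().values():
            nat_addr = ipaddress.ip_address(nat)
            if nat_addr == iface.ip:
                problems.append(f"{nat} is the external interface address itself")
            elif nat_addr not in iface.network:
                problems.append(f"{nat} is not on the external subnet {iface.network}")
        return problems

    def outbound(self, src: str) -> Optional[str]:
        """Traffic leaving the protected network: real source -> public source.
        None means this rule does not match, so the lower-precedence dynamic NAT would apply."""
        return self.pairs().get(src)

    def inbound(self, dst: str) -> Optional[str]:
        """Traffic arriving from the internet: public destination -> real destination."""
        inverse = {nat: real for real, nat in self.pairs().items()}
        return inverse.get(dst)


if __name__ == "__main__":
    ext = "203.0.113.100/24"                                  # external interface from the examples
    single = OneToOneNatRule("10.0.1.11", "203.0.113.11")      # single mail server
    group = OneToOneNatRule("10.0.1.11", "203.0.113.11", 5)    # five mail servers
    bad = OneToOneNatRule("10.0.1.11", "203.0.113.100")        # constructed bad rule: collides with the interface IP
    print(group.pairs())
    print(group.inbound("203.0.113.14"), single.outbound("10.0.1.11"))
    print(bad.validate(ext))
```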

For another example, see 1-to-1 NAT Example.

About 1-to-1 NAT and VPNs

When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. If the network range on the remote network is the same as on the local network, you can configure the VPN to use 1-to-1 NAT.

  • For a BOVPN virtual interface, you configure 1-to-1 NAT the same way as you would for any other interface. You can select the BOVPN virtual interface name as the interface for 1-to-1 NAT.
  • For a branch office VPN tunnel that is not a BOVPN virtual interface, you must configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. For more information, see Configure 1-to-1 NAT Through a Branch Office VPN Tunnel.

See Also

Video Tutorial: Getting Started with NAT.

Configure Firewall 1-to-1 NAT

Configure Policy-Based 1-to-1 NAT
