Configure 1-to-1 NAT
Applies To: Cloud-managed Fireboxes
1-to-1 NAT rules are most often used to map IP addresses on one network to IP addresses on a different network (north-south traffic). You can also use 1-to-1 NAT rules to map between different IP addresses within your own network (east-west traffic).
You can configure 1-to-1 NAT for any interface and apply a 1-to-1 NAT rule to one IP address, a range of addresses, or a subnet. A 1-to-1 NAT rule always has precedence over dynamic NAT.
When you configure 1-to-1 NAT, IP addresses used for 1-to-1 NAT cannot be used for other purposes. For example, you cannot also use 1-to-1 NAT IP addresses for inbound traffic or Firebox features such as VPNs.
1-to-1 NAT and Policy Settings
By default, all new firewall policies use 1-to-1 NAT rules. In the advanced settings of a policy, you can enable or disable 1-to-1 NAT. For information about how to configure 1-to-1 NAT settings for a policy, go to Configure 1-to-1 NAT in a Firewall Policy.
Configure 1-to-1 NAT Rules
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You also define these settings:
Network
The external or internal interface on which 1-to-1 NAT is applied. Your Firebox applies 1-to-1 NAT to packets received on, and sent out of, this interface.
Number of Hosts (IP range only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. When 1-to-1 NAT is applied, the first Real Base IP address is translated to the first NAT Base IP address, the second Real Base IP address in the range is translated to the second NAT Base IP address, and so on, until the number of hosts to NAT is reached. A single rule can include at most 254 hosts.
NAT Base
When you configure a 1-to-1 NAT rule, you specify a from range and a to range of IP addresses. The NAT Base is the first IP address in the to range. The NAT Base IP address is the address that the Real Base IP address is changed to when the Firebox applies 1-to-1 NAT. You cannot use the IP address of an existing Ethernet interface as your NAT Base. For NAT through an external interface, the NAT Base is the public IP address.
To connect to a computer on a different interface that uses 1-to-1 NAT, you must use the public (NAT Base) IP address of that computer. Alternatively, you can disable 1-to-1 NAT and use static NAT. For more information, go to Configure Firebox Static NAT Actions.
Real Base
When you configure a 1-to-1 NAT rule, you specify a from range and a to range of IP addresses. The Real Base is the first IP address in the from range. It is the IP address assigned to the physical Ethernet interface of the computer to which you apply the 1-to-1 NAT rule. When packets from an endpoint with a Real Base address go through the specified interface, the Firebox applies the 1-to-1 NAT action. For NAT through an external interface, the Real Base is the private IP address.
For an external interface, the Real Base refers to the real (private) IP addresses of hosts on your network, and the NAT Base refers to the public IP addresses you want to associate with the private addresses.
Do not enable 1-to-1 NAT if you have only one public IP address or a small number of public IP addresses. 1-to-1 NAT does not work if you have only one public IP address. If you have only a few public IP addresses, we recommend static NAT (SNAT) to better use your public IP addresses. For more information, go to Configure Firebox Static NAT Actions.
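The following is an added illustration, not WatchGuard code: a small Python model of how a 1-to-1 NAT rule (Network, Real Base, NAT Base, Number of Hosts) translates addresses one for one in both directions, together with the pre-save checks the text implies (at most 254 hosts per rule, the NAT Base must not be an interface address, an address cannot be used by two rules). The class and function names, and the sample addresses, are this example's own assumptions.

```python
"""Model of 1-to-1 NAT rule translation for a Firebox-style rule.

Added example, not WatchGuard code. Names (OneToOneNatRule, validate_rules,
translate_outbound, translate_inbound) and all sample addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass

MAX_HOSTS = 254  # the page: a single 1-to-1 NAT rule may cover at most 254 hosts


@dataclass(frozen=True)
class OneToOneNatRule:
    interface: str     # "Network": interface the rule is applied on, e.g. "External"
    real_base: str     # first address of the "from" range (private side for external NAT)
    nat_base: str      # first address of the "to" range (public side for external NAT)
    num_hosts: int = 1 # Single IP = 1; IP Range = Number of Hosts; IP Subnet = usable hosts

    @classmethod
    def from_subnet(cls, interface, real_subnet, nat_subnet):
        """Build an IP Subnet rule: the usable hosts of one subnet map onto the other."""
        real = ipaddress.ip_network(real_subnet, strict=True)
        nat = ipaddress.ip_network(nat_subnet, strict=True)
        if real.prefixlen != nat.prefixlen:
            raise ValueError("real and NAT subnets must be the same size")
        real_hosts, nat_hosts = list(real.hosts()), list(nat.hosts())
        return cls(interface, str(real_hosts[0]), str(nat_hosts[0]), len(real_hosts))

    def real_addresses(self):
        base = ipaddress.ip_address(self.real_base)
        return [base + i for i in range(self.num_hosts)]

    def nat_addresses(self):
        base = ipaddress.ip_address(self.nat_base)
        return [base + i for i in range(self.num_hosts)]


def validate_rules(rules, interface_ips):
    """Return a list of problems with the rule set; an empty list means it is acceptable."""
    problems = []
    iface_ips = {ipaddress.ip_address(ip) for ip in interface_ips}
    used = {}  # address -> index of the rule that already uses it
    for idx, rule in enumerate(rules):
        if not 1 <= rule.num_hosts <= MAX_HOSTS:
            problems.append(f"rule {idx}: {rule.num_hosts} hosts exceeds the "
                            f"{MAX_HOSTS}-host limit; split it into several rules")
        for nat_ip in rule.nat_addresses():
            if nat_ip in iface_ips:
                problems.append(f"rule {idx}: NAT Base range includes interface address {nat_ip}")
        # Addresses used for 1-to-1 NAT cannot be reused by another rule.
        for ip in rule.real_addresses() + rule.nat_addresses():
            if ip in used and used[ip] != idx:
                problems.append(f"rule {idx}: {ip} is already used by rule {used[ip]}")
            used.setdefault(ip, idx)
    return problems


def translate_outbound(rules, interface, src_ip):
    """Packet sent out of `interface`: a Real Base source becomes its NAT Base address.

    Returns src_ip unchanged when no rule matches (dynamic NAT would then apply;
    a matching 1-to-1 rule always takes precedence over it).
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface != interface:
            continue
        reals = rule.real_addresses()
        if src in reals:
            return str(rule.nat_addresses()[reals.index(src)])
    return src_ip


def translate_inbound(rules, interface, dst_ip):
    """Packet received on `interface` for a NAT Base address: delivered to the Real Base host."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.interface != interface:
            continue
        nats = rule.nat_addresses()
        if dst in nats:
            return str(rule.real_addresses()[nats.index(dst)])
    return dst_ip


if __name__ == "__main__":
    # Constructed sample: three private hosts mapped to three public addresses.
    rules = [OneToOneNatRule("External", "10.0.1.10", "203.0.113.10", num_hosts=3)]
    print(validate_rules(rules, ["203.0.113.1"]))                 # []
    print(translate_outbound(rules, "External", "10.0.1.12"))      # 203.0.113.12
    print(translate_inbound(rules, "External", "203.0.113.11"))    # 10.0.1.11
```

The third address in the from range lands on the third address in the to range, which is the ordering the Number of Hosts description gives; an address outside every rule is returned untouched, which is where dynamic NAT or a static NAT action would take over.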
To configure a 1-to-1 NAT rule, from WatchGuard Cloud:
- Select Configure > Devices.
- Select a cloud-managed Firebox.
- Click Device Configuration.
- From the Networking section, click the NAT tile.
The NAT page opens.
- In the 1-to-1 NAT section, click Add 1-to-1 NAT.
The Add Rule dialog box opens.
- In the Map Type drop-down list, select one of these options:
  - Single IP — Map one host.
  - IP Range — Map a range of hosts.
  - IP Subnet — Map a subnet.
  If you select IP Range, do not specify a subnet or range with more than 254 IP addresses. If you want to apply 1-to-1 NAT to more than 254 IP addresses, you must create more than one 1-to-1 NAT rule.
- Configure the Network, NAT Base, and Real Base settings. For more information, go to the Define a 1-to-1 NAT Rule section of this topic.
- In Number of Hosts, type a value (IP range only).
- Click Add.
- To save configuration changes to the cloud, click Save.
- Add the NAT IP addresses to the appropriate policies. For more information, go to Configure 1-to-1 NAT in a Firewall Policy.