Configure Firewall 1-to-1 NAT

To configure 1-to-1 NAT for any interface:

  1. Select Network > NAT.
    The NAT settings page appears.

Sscreen shot of the NAT settings page

  1. In the 1-to-1 NAT section, click Add.
    The 1-to-1 NAT configuration page appears.

Sscreen shot of the 1-to-1 NAT configuration page

  1. In the Map Type drop-down list, select Single IP (to map one host), IP Range (to map a range of hosts), or IP Subnet (to map a subnet).
    If you select IP Range or IP Subnet, do not specify a subnet or range that includes more than 256 IP addresses. If you want to apply 1-to-1 NAT to more than 256 IP addresses, you must create more than one rule.
  1. Configure the settings in the Configuration section.

For more information, see the subsequent Define a 1-to-1 NAT rule section.

  1. Click Save.
  1. Add the NAT IP addresses to the appropriate policies.

In the previous example, where we used 1-to-1 NAT to give access to a group of email servers described in About 1-to-1 NAT, we must configure the SMTP policy to allow SMTP traffic. To complete this configuration, you must change the policy settings to allow traffic from the external network to the IP address range–

  1. Add a new policy, or modify an existing policy.
  2. Adjacent to the From list, click Add.
  3. Select the alias Any-External and click OK.
  4. Adjacent to the To list, click Add.
  5. To add one IP address at a time, select Host IP from the drop-down list and type the IP address in the adjacent text box. Click OK.
  6. Repeat Steps 3–4 for each IP address in the NAT address range.
    To add several IP addresses at once, select Host Range in the drop-down list. Type the first and last IP addresses from the NAT Base range and click OK.

To connect to a computer located on a different interface that uses 1-to-1 NAT, you must use that computer’s public (NAT base) IP address. If this is a problem, you can disable 1-to-1 NAT and use static NAT.

Define a 1-to-1 NAT Rule 

In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also configure:


The name of the Ethernet interface on which 1-to-1 NAT is applied. Your XTM device applies 1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is applied to the external interface.

NAT base

When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The NAT base is the first available IP address in the to range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT base. In our example above, the NAT base is

Real base

When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The Real base is the first available IP address in the from range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the specified interface, the 1-to-1 action is applied. In the example above, the Real base is

Number of hosts to NAT (for ranges only)

The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In the example above, the number of hosts to apply NAT to is 5.

For an example of how to use 1-to-1 NAT, see 1-to-1 NAT Example.

1-to-1 NAT Through a Branch Office VPN

You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. If the network range on the remote network is the same as on the local network, you must use 1-to-1 NAT. For a BOVPN virtual interface, you can select the BOVPN virtual interface name in the 1-to-1 NAT configuration, and add a 1-to-1 NAT rule as described in the previous section.

For a branch office VPN that is not a BOVPN virtual interface, you can configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. To do this, you configure both gateways to use 1-to-1 NAT. Then, you can create the VPN tunnel and not change the IP addresses of one side of the tunnel. You configure 1-to-1 NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network > NAT dialog box. For an example of this type of configuration, see Use 1-to-1 NAT Through a Branch Office VPN Tunnel.

See Also

About 1-to-1 NAT

Configure Policy-Based 1-to-1 NAT

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base