To configure 1-to-1 NAT for any interface:
For more information, see the subsequent Define a 1-to-1 NAT rule section.
In the previous example, where we used 1-to-1 NAT to give access to a group of email servers described in About 1-to-1 NAT, we must also configure the SMTP policy to allow SMTP traffic. To complete this configuration, change the policy settings to allow traffic from the external network to the servers' real IP address range, 10.0.1.11–10.0.1.15 (the five real base addresses in that example). A 1-to-1 NAT rule only translates addresses; it does not by itself allow any traffic.
To connect from a computer on a different interface to a computer that uses 1-to-1 NAT, you must use that computer's public (NAT base) IP address, not its real address. If this is a problem, you can disable 1-to-1 NAT and use static NAT instead.
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your XTM device applies 1-to-1 NAT to packets sent in to, and out of, that interface. In our example above, the rule is applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from range and a to range of IP addresses. The NAT base is the first IP address in the to range. It is the address that the real base IP address is changed to when 1-to-1 NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT base. In our example above, the NAT base is 203.0.113.11.
Real base
The Real base is the first IP address in the from range. It is the IP address assigned to the physical Ethernet interface of the computer to which you apply the 1-to-1 NAT rule. When packets from a computer with a real base address go through the specified interface, the 1-to-1 action is applied. In our example above, the Real base is 10.0.1.11.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT base IP address, the second real base IP address in the range is translated to the second NAT base IP address, and so on until the Number of hosts to NAT is reached. In our example above, the number of hosts to apply NAT to is 5, so 10.0.1.11–10.0.1.15 map to 203.0.113.11–203.0.113.15.
For an example of how to use 1-to-1 NAT, see 1-to-1 NAT Example.
You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. If the network range on the remote network is the same as on the local network, you must use 1-to-1 NAT. For a BOVPN virtual interface, you can select the BOVPN virtual interface name in the 1-to-1 NAT configuration, and add a 1-to-1 NAT rule as described in the previous section.
For a branch office VPN that is not a BOVPN virtual interface, you can configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. To do this, you configure both gateways to use 1-to-1 NAT. Then, you can create the VPN tunnel and not change the IP addresses of one side of the tunnel. You configure 1-to-1 NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network > NAT dialog box. For an example of this type of configuration, see Use 1-to-1 NAT Through a Branch Office VPN Tunnel.
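The rule fields defined above (interface, NAT base, real base, number of hosts) and the overlapping-network BOVPN case from this section, modelled as a small Python program. This is an added example, not WatchGuard code or the XTM configuration format: it builds the real-to-NAT mapping a rule implies, applies the checks the text states (the NAT base must not be an interface address, the ranges must not overlap), translates packets in both directions, and walks one packet through two gateways that both use the same private network. The interface names, the external interface address 203.0.113.2, and the 198.51.100.0/24 and 192.0.2.0/24 NAT ranges used for the VPN scenario are assumed values.

```python
"""Model of 1-to-1 NAT rules as the XTM configuration describes them.

Added example, not WatchGuard code.  Interface names, the external
interface address 203.0.113.2 and the two RFC 5737 ranges used for the
BOVPN scenario (198.51.100.0/24, 192.0.2.0/24) are assumed values.
"""
import ipaddress
from dataclasses import dataclass

A = ipaddress.IPv4Address
N = ipaddress.IPv4Network


@dataclass(frozen=True)
class OneToOneNatRule:
    interface: str   # interface the rule is applied to
    real_base: A     # first address of the "from" range
    nat_base: A      # first address of the "to" range
    num_hosts: int   # Number of hosts to NAT

    def real_range(self):
        return [self.real_base + i for i in range(self.num_hosts)]

    def nat_range(self):
        return [self.nat_base + i for i in range(self.num_hosts)]

    def mapping(self):
        # first real base -> first NAT base, second -> second, and so on
        return dict(zip(self.real_range(), self.nat_range()))


def validate_rule(rule, interface_addresses):
    """Return the problems found; an empty list means the rule is usable."""
    problems = []
    if rule.num_hosts < 1:
        problems.append("Number of hosts to NAT must be at least 1")
    nat_addrs = set(rule.nat_range())
    # the NAT base (or any address in the NAT range) must not be an interface IP
    for addr in sorted(nat_addrs & set(interface_addresses)):
        problems.append(f"NAT address {addr} is assigned to an interface")
    if nat_addrs & set(rule.real_range()):
        problems.append("real and NAT ranges overlap")
    return problems


def translate(rule, packet):
    """Apply the rule to one packet ({src, dst, interface, direction}).

    Outbound through the rule's interface, a source in the real range
    becomes its NAT address; inbound on that interface, a destination in
    the NAT range becomes its real address.  Other packets are unchanged.
    """
    out = dict(packet)
    if packet["interface"] != rule.interface:
        return out
    fwd = rule.mapping()
    rev = {nat: real for real, nat in fwd.items()}
    if packet["direction"] == "out" and packet["src"] in fwd:
        out["src"] = fwd[packet["src"]]
    elif packet["direction"] == "in" and packet["dst"] in rev:
        out["dst"] = rev[packet["dst"]]
    return out


# The mail-server example from the text: five servers behind the external interface.
MAIL_RULE = OneToOneNatRule("External", A("10.0.1.11"), A("203.0.113.11"), 5)
EXTERNAL_IF_ADDRESSES = {A("203.0.113.2")}  # assumed external interface address


def bovpn_rules(local_net, remote_net, local_nat_net, remote_nat_net):
    """Both sites use the same private network, so each gateway applies
    1-to-1 NAT on the BOVPN virtual interface to a distinct range.
    Returns (local_rule, remote_rule), or None when no NAT is needed."""
    if not local_net.overlaps(remote_net):
        return None

    def rule_for(real_net, nat_net):
        return OneToOneNatRule("bovpn_vif", real_net.network_address,
                               nat_net.network_address, real_net.num_addresses)

    return rule_for(local_net, local_nat_net), rule_for(remote_net, remote_nat_net)


def send_over_tunnel(local_rule, remote_rule, src, dst):
    """Walk one packet: local gateway outbound, then remote gateway inbound.
    Returns (src, dst) as seen in the tunnel and (src, dst) as delivered."""
    p = {"src": src, "dst": dst, "interface": "bovpn_vif", "direction": "out"}
    in_tunnel = translate(local_rule, p)
    delivered = translate(remote_rule, {**in_tunnel, "direction": "in"})
    return (in_tunnel["src"], in_tunnel["dst"]), (delivered["src"], delivered["dst"])


if __name__ == "__main__":
    for real, nat in MAIL_RULE.mapping().items():
        print(f"{real} <-> {nat}")
    print("problems:", validate_rule(MAIL_RULE, EXTERNAL_IF_ADDRESSES))
    rules = bovpn_rules(N("10.0.1.0/24"), N("10.0.1.0/24"),
                        N("198.51.100.0/24"), N("192.0.2.0/24"))
    print(send_over_tunnel(rules[0], rules[1], A("10.0.1.20"), A("192.0.2.20")))
```

In the tunnel walk, a host at the local site addresses the remote host by the remote gateway's NAT address (192.0.2.20), which is the same point the text makes for a different interface: once 1-to-1 NAT is in place, other networks reach the host only through its NAT base address.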
See also: About 1-to-1 NAT and Configure Policy-Based 1-to-1 NAT.