About 1-to-1 NAT

When you enable 1-to-1 NAT, your XTM device changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always has precedence over dynamic NAT.

1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You do not have to change the IP address of your internal servers. When you have a group of similar servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers.

To understand how to configure 1-to-1 NAT, we give this example:

Company ABC has a group of five privately addressed email servers behind the trusted interface of their XTM device. These addresses are:

10.0.1.1

10.0.1.2

10.0.1.3

10.0.1.4

10.0.1.5

Company ABC selects five public IP addresses from the same network address as the external interface of their XTM device, and creates DNS records so that the names of the email servers resolve to these public addresses.

These addresses are:

203.0.113.1

203.0.113.2

203.0.113.3

203.0.113.4

203.0.113.5

Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like this:

10.0.1.1 <--> 203.0.113.1

10.0.1.2 <--> 203.0.113.2

10.0.1.3 <--> 203.0.113.3

10.0.1.4 <--> 203.0.113.4

10.0.1.5 <--> 203.0.113.5

When the 1-to-1 NAT rule is applied, your XTM device creates the bi-directional routing and NAT relationship between the pool of private IP addresses and the pool of public addresses. 1-to-1 NAT also operates on traffic sent from networks that your XTM device protects.
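
The Company ABC pairing, and the precedence of 1-to-1 NAT over dynamic NAT, modelled as an added Python example (not WatchGuard code or configuration). It assumes the two ranges are paired by offset from their first address and that dynamic NAT rewrites to a hypothetical external interface address, 203.0.113.10; all function names are illustrative.

```python
import ipaddress

# Constructed model of the Company ABC rule: two equal-sized ranges paired by offset.
REAL_BASE = ipaddress.IPv4Address("10.0.1.1")    # first private address (from the page)
NAT_BASE = ipaddress.IPv4Address("203.0.113.1")  # first public address (from the page)
HOST_COUNT = 5
# Hypothetical external interface address, assumed to be what dynamic NAT uses.
EXTERNAL_IP = ipaddress.IPv4Address("203.0.113.10")


def _translate(addr, from_base, to_base, count):
    """Return the paired address, or None if addr is outside the mapped range."""
    offset = int(ipaddress.IPv4Address(addr)) - int(from_base)
    if 0 <= offset < count:
        return to_base + offset
    return None


def outbound_source(src):
    """Source address after NAT for a packet leaving through the external interface."""
    mapped = _translate(src, REAL_BASE, NAT_BASE, HOST_COUNT)
    # 1-to-1 NAT has precedence; every other host falls through to dynamic NAT.
    return str(mapped if mapped is not None else EXTERNAL_IP)


def inbound_destination(dst):
    """Destination address after NAT for a packet arriving from the external network."""
    mapped = _translate(dst, NAT_BASE, REAL_BASE, HOST_COUNT)
    # A destination outside the public range is not rewritten by the 1-to-1 rule.
    return str(mapped if mapped is not None else ipaddress.IPv4Address(dst))


def exposure_table():
    """Every private host that has a public address, for review against firewall policy."""
    return [(str(REAL_BASE + i), str(NAT_BASE + i)) for i in range(HOST_COUNT)]


if __name__ == "__main__":
    for private, public in exposure_table():
        print(f"{private} <--> {public}")
    print(outbound_source("10.0.1.3"), outbound_source("10.0.1.50"))
    print(inbound_destination("203.0.113.4"), inbound_destination("203.0.113.9"))
```

The table returned by `exposure_table()` is the list to reconcile against the policies that allow traffic to the email servers, because each pair is a standing bi-directional mapping.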

About 1-to-1 NAT and VPNs

When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. If the network range on the remote network is the same as on the local network, you can configure the VPN to use 1-to-1 NAT.

See Also

Configure Firewall 1-to-1 NAT

Configure Policy-Based 1-to-1 NAT
