Configure Firewall 1-to-1 NAT
You can configure 1-to-1 NAT for any interface. For an external interface, the Real Base refers to the real (private) IP addresses of hosts on your network, and the NAT Base refers to the public IP addresses you want to associate with the private addresses. You can configure a 1-to-1 NAT mapping for a single IP address, a range of IP addresses, or an entire subnet.
Add the 1-to-1 NAT Mapping
- Select Network > NAT.
The NAT settings page appears.
- In the 1-to-1 NAT section, click Add.
The 1-to-1 NAT configuration page appears.
- In the Map Type drop-down list, select Single IP (to map one host), IP Range (to map a range of hosts), or IP Subnet (to map a subnet).
If you select IP Range, do not specify a subnet or range that includes more than 254 IP addresses. If you want to apply 1-to-1 NAT to more than 254 IP addresses, you must create more than one rule.
- Configure the Interface, NAT Base, and Real Base settings.
For more information, go to the Define a 1-to-1 NAT Rule section.
- Click Save.
- Add the NAT IP addresses to the appropriate policies.
- For a policy that manages outgoing connections, add the Real Base IP addresses to the From section of the policy configuration.
- For a policy that manages incoming connections, add the NAT Base IP addresses or Real Base IP addresses to the To section of the policy configuration.
In Fireware v12.4 or higher, you can edit a 1-to-1 NAT mapping in Fireware Web UI. To edit a 1-to-1 mapping, select the mapping and click Edit.
- Select Network > NAT.
The NAT Setup dialog box appears.
- Click the 1-to-1 NAT tab.
- Click Add.
The Add 1-to-1 Mapping dialog box appears.
- In the Map Type drop-down list, select Single IP (to map one host), IP Range (to map a range of hosts within a subnet), or IP Subnet (to map a subnet).
If you select IP Range, do not specify a subnet or range that includes more than 254 IP addresses. If you want to apply 1-to-1 NAT to more than 254 IP addresses, you must create more than one rule.
- In the Configuration section, configure the Interface, NAT Base, and Real Base settings.
For more information, go to the Define a 1-to-1 NAT Rule section.
- Click OK.
- Add the NAT IP addresses to the appropriate policies.
- For a policy that manages outgoing connections, add the Real Base IP addresses to the From section of the policy configuration.
- For a policy that manages incoming connections, add the NAT Base IP addresses or Real Base IP addresses to the To section of the policy configuration.
To edit a 1-to-1 mapping, select the mapping and click Edit.
Edit a Policy to use NAT
The example in About 1-to-1 NAT describes how 1-to-1 NAT can provide access to an email server. To complete this configuration, you must change the inbound SMTP policy settings to allow connections from the external network to the IP address 203.0.113.11. You must also change the outbound SMTP policy settings.
- Select Firewall > Firewall Policies.
- Add a new SMTP inbound policy, or modify an existing SMTP inbound policy.
- In the SMTP policy, adjacent to the From list, click Add.
The Add Member dialog box appears.
- Select the alias Any-External and click OK.
- Adjacent to the To list, click Add.
The Add Member dialog box appears.
- Select Host IPv4 from the drop-down list and type 203.0.113.11, which is the NAT base IP address in our example.
You could also specify the Real base IP address, which is 10.0.1.11 in our example, instead of the NAT base IP address.
- Click OK.
The SMTP policy page appears.
- To edit or create an outbound SMTP policy, repeat Steps 1–7, but specify different values for the From and To text boxes:
- From — 10.0.1.11
- To — Any-External
- Add a new SMTP inbound policy, or modify an existing SMTP inbound policy.
- Adjacent to the From list, click Add.
- Select the alias Any-External and click OK.
- Adjacent to the To list, click Add.
- Click Add Other.
The Add Member dialog box appears.
- Select Host IPv4 from the drop-down list.
- In the Value text box, type 203.0.113.11, which is the NAT base IP address in our example.
You could also specify the Real base IP address, which is 10.0.1.11 in our example, instead of the NAT base IP address.
- Click OK twice.
- To edit or create an outbound SMTP policy, repeat Steps 1–8, but specify different values for the From and To text boxes:
- From — 10.0.1.11
- To — Any-External
Define a 1-to-1 NAT Rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your Firebox applies 1-to-1 NAT to packets sent into and out of that interface. In our example above, the rule is applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The NAT base is the first available IP address in the to range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT base. For NAT through an external interface, the NAT base is the public IP address.
Real base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The Real base is the first available IP address in the from range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the specified interface, the 1-to-1 action is applied. For NAT through an external interface, the Real base is the private IP address.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In the example above, the number of hosts to apply NAT to is 5.
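The translation these fields describe, and the inbound policy rule from Edit a Policy to use NAT (the To list may hold either the NAT base or the Real base), worked through in Python as an added example that is not Fireware code. It reuses the page's example values (Real base 10.0.1.11, NAT base 203.0.113.11, five hosts); the interface addresses passed to make_rule are assumed.

```python
import ipaddress
from dataclasses import dataclass

MAX_HOSTS = 254  # documented limit for a single IP Range / IP Subnet rule

@dataclass(frozen=True)
class OneToOneNatRule:
    """A 1-to-1 NAT rule: interface, first real (private) address,
    first NAT (public) address and the number of hosts it covers."""
    interface: str
    real_base: ipaddress.IPv4Address
    nat_base: ipaddress.IPv4Address
    num_hosts: int = 1

def make_rule(interface, real_base, nat_base, num_hosts=1, interface_ips=()):
    """Build a rule, enforcing the two constraints the text states: at most
    254 addresses per rule, and the NAT base is not an interface's own IP."""
    if not 1 <= num_hosts <= MAX_HOSTS:
        raise ValueError(f"one rule covers 1..{MAX_HOSTS} hosts, got {num_hosts}")
    nat = ipaddress.IPv4Address(nat_base)
    if nat in {ipaddress.IPv4Address(ip) for ip in interface_ips}:
        raise ValueError(f"NAT base {nat} is an existing interface address")
    return OneToOneNatRule(interface, ipaddress.IPv4Address(real_base), nat, num_hosts)

def _shift(addr, base_from, base_to, count):
    # the n-th address of the 'from' range maps to the n-th address of the 'to' range
    offset = int(addr) - int(base_from)
    return base_to + offset if 0 <= offset < count else None

def outbound_source(rule, src):
    """Packet leaving through rule.interface: real source -> NAT address."""
    return _shift(ipaddress.IPv4Address(src), rule.real_base, rule.nat_base, rule.num_hosts)

def inbound_destination(rule, dst):
    """Packet arriving on rule.interface: NAT destination -> real address."""
    return _shift(ipaddress.IPv4Address(dst), rule.nat_base, rule.real_base, rule.num_hosts)

def inbound_policy_matches(rule, to_members, dst):
    """Inbound policy check: the To list may hold the NAT base or the real base."""
    real = inbound_destination(rule, dst)
    members = {ipaddress.IPv4Address(m) for m in to_members}
    return ipaddress.IPv4Address(dst) in members or (real is not None and real in members)

# Constructed from the page's email-server example (5 hosts); interface IPs are assumed
EXAMPLE = make_rule("External", "10.0.1.11", "203.0.113.11", num_hosts=5,
                    interface_ips=["203.0.113.2", "10.0.1.1"])

if __name__ == "__main__":
    for i in range(EXAMPLE.num_hosts):
        print(EXAMPLE.real_base + i, "->", EXAMPLE.nat_base + i)
```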
For an example of how to use 1-to-1 NAT, go to 1-to-1 NAT Example.
For a demonstration of how to configure 1-to-1 NAT, see the Video Tutorial Getting Started with NAT.
1-to-1 NAT Through a Branch Office VPN
You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. You can also use 1-to-1 NAT in a VPN configuration when you want to masquerade your internal address scheme from the remote network.
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. If the network range on the remote network is the same as on the local network, you must use 1-to-1 NAT. For a BOVPN virtual interface, you can select the BOVPN virtual interface name in the 1-to-1 NAT configuration, and add a 1-to-1 NAT rule as described in the previous section.
For a branch office VPN that is not a BOVPN virtual interface, you can configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. Configure both gateways to use 1-to-1 NAT and create the VPN tunnel, but do not change the IP addresses of one side of the tunnel. You configure 1-to-1 NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network > NAT dialog box.
For an example of this type of configuration, go to Configure 1-to-1 NAT Through a Branch Office VPN Tunnel.