About 1-to-1 NAT
When you enable 1-to-1 NAT, your Firebox maps one or more private IP addresses to one or more public IP addresses. This allows you to make internal network resources like a mail server accessible on the internet.
You can apply 1-to-1 NAT to one IP address, a range of addresses, or a subnet. A 1-to-1 NAT rule always has precedence over dynamic NAT.
To connect to a computer located on a different interface that uses 1-to-1 NAT, you must use that computer’s public (NAT base) IP address. If this is a problem, you can disable 1-to-1 NAT and use static NAT.
On most networks, we recommend that you configure SNAT rather than 1-to-1 NAT. The combination of SNAT and DNAT is more flexible than 1-to-1 NAT and can do everything that 1-to-1 NAT can do. For information about SNAT, go to About SNAT.
If you configure 1-to-1 NAT, be aware that IP addresses used for 1-to-1 NAT cannot be used for other purposes. For example, you cannot also use 1-to-1 IP addresses for inbound traffic or for Firebox features such as VPNs, Access Portal, or Support Access.
Common Uses
Consider a situation in which you fully dedicate public IP addresses to specific internal devices, but these public IP addresses will not be available for any other Firebox functions. Administrators typically use 1-to-1 NAT for an internal server with a private IP address that must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal devices. You do not need to change the IP addresses of your internal devices.
For example, you can configure 1-to-1 NAT for a mail server on your internal network. Users on the internal network connect to the mail server with the private IP address. Users outside of your network connect to your mail server with the public IP address that you specify in the 1-to-1 NAT settings.
You can also use 1-to-1 NAT for a group of internal servers. For example, if you have five internal mail servers, you can use 1-to-1 NAT to map public IP addresses to the internal servers.
When you configure 1-to-1 NAT, you do not have to change the IP address of your internal servers.
Do not enable 1-to-1 NAT if you have only one public IP address or a small number of public IP addresses. 1-to-1 NAT does not work if you have only one public IP address. If you have only a few public IP addresses, we recommend SNAT to better utilize your public IP addresses.
Example — Single Server
This example explains the 1-to-1 NAT configuration for an internal mail server. The public IP address you use in the one-to-one NAT configuration must not be the same as the existing IP address of an Ethernet interface.
In this example:
- Your Firebox has an external interface IP address of 203.0.113.100/24
- One internal email server has the private IP addresses of 10.0.1.11
- You want to associate the private IP address with a public IP address
You can add a 1-to-1 NAT rule to associate the private IP address of your internal mail server with a corresponding public IP address. To do this, select an unused public IP address on the same network subnet as the external interface. For example, the public IP address could be 203.0.113.11. Create a DNS record for the mail server to resolve to.
Then create a 1-to-1 NAT rule for traffic through the External interface that maps the private (real) IP address of the mail server to the corresponding public IP address.
Real Base | NAT Base |
---|---|
10.0.1.11 |
203.0.113.11 |
The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding IP addresses. When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship between the pair of addresses. 1-to-1 NAT also operates on traffic sent from networks the Firebox protects.
For more information about how to configure this example, go to Configure Firewall 1-to-1 NAT
Example — Group of Servers
When you have a group of similar servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers. The public IP addresses you use in the one-to-one NAT configuration must not be the same as the existing IP address of an Ethernet interface.
In this example:
- Your Firebox has an external interface IP address of 203.0.113.100/24
- Five internal email servers have private IP addresses in the range 10.0.1.11 to 10.0.1.15
- You want to associate these private IP addresses with five public IP addresses
You can add a 1-to-1 NAT rule to associate each of the private email servers with a corresponding public IP address. To do this, select five unused public IP addresses on the same network subnet as the external interface. For example, these public IP addresses could be in the range 203.0.113.11 to 203.0.113.15. Create DNS records for the email servers to resolve to.
Then create a 1-to-1 NAT rule for traffic through the Eternal interface that maps the IP range of five private (real) IP addresses of the email servers to the corresponding set of five public IP addresses.
Real Base | NAT Base | Range |
---|---|---|
10.0.1.11 10.0.1.12 10.0.1.13 10.0.1.14 10.0.1.15 |
203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14 203.0.113.15 |
5 |
The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding pairs of IP addresses. When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship between each pair of addresses in the two address ranges. 1-to-1 NAT also operates on traffic sent from networks the Firebox protects.
For another example, go to 1-to-1 NAT Example
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same private network address. If the network range on the remote network is the same as on the local network, you can configure the VPN to use 1-to-1 NAT.
- For a BOVPN virtual interface, you configure 1-to-1 NAT the same way as you would for any other interface. You can select the BOVPN virtual interface name as the interface for 1-to-1 NAT.
- For a branch office VPN tunnel that is not a BOVPN virtual interface, you must configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. For more information, go to Configure 1-to-1 NAT Through a Branch Office VPN Tunnel.
Video Tutorial: Getting Started with NAT.