1:1 NAT (pronounced “one-to-one NAT”) maps one external IPv4 address (usually public) to one internal IPv4 address (usually private). All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration. All traffic initiated on the Internet destined for the specified public IPv4 address on the mapping will be translated to the private IPv4 address, then evaluated against the WAN firewall ruleset. If matching traffic is permitted by the firewall rules to a target of the private IPv4 address, it will be passed to the internal host.
1:1 NAT can also translate whole subnets as well as single addresses, provided they are of the same size and align on proper subnet boundaries.
The ports on a connection remain constant with 1:1 NAT. For outbound connections, the source ports used by the local system are preserved, similar to using Static Port on outbound NAT rules.
Risks of 1:1 NAT
The risks of 1:1 NAT are largely the same as those of port forwards: whenever WAN firewall rules permit traffic, potentially harmful traffic may be admitted into the local network. 1:1 NAT carries a slight added risk in that firewall rule mistakes can have more dire consequences. With port forward entries, traffic is limited by constraints in both the NAT rule and the firewall rule: if only TCP port 80 is forwarded, an allow-all rule on WAN would still only permit TCP 80 to reach that internal host. If a 1:1 NAT entry is in place and an allow-all rule exists on WAN, every service on that internal host will be accessible from the Internet. Misconfigurations are always a potential hazard, and this usually should not be considered a reason to avoid 1:1 NAT. Keep this in mind when configuring firewall rules, and as always, avoid permitting anything that is not required.
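The difference described above is easiest to see by modelling the evaluation order (translate the destination first, then match the translated packet against the WAN rules, first match wins, default deny) and comparing what an allow-all WAN rule exposes behind a port forward versus behind a 1:1 NAT entry. This is an added example, not pfSense code; the tiny rule language, the addresses and the probed ports are constructed for the illustration.

```python
"""Why a permissive WAN rule is more dangerous behind 1:1 NAT than behind a
port forward.  Added example, not pfSense code: it models the evaluation order
the text describes (translate first, then first-match WAN rules, default deny)
in a deliberately small rule language.  Addresses, ports and rules are
constructed for the example."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "198.51.100.210"   # assumed WAN virtual IP, as in the text's example
DMZ_HOST = "10.3.1.15"         # assumed internal host behind it


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """Port forward: only one (proto, external port) is ever translated."""
    external_ip: str
    proto: str
    external_port: int
    internal_ip: str
    internal_port: int

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst_ip, pkt.proto, pkt.dst_port) == (self.external_ip, self.proto, self.external_port):
            return Packet(pkt.proto, self.internal_ip, self.internal_port)
        return None


@dataclass(frozen=True)
class OneToOne:
    """1:1 NAT: every protocol and every port on external_ip is translated."""
    external_ip: str
    internal_ip: str

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip == self.external_ip:
            return Packet(pkt.proto, self.internal_ip, pkt.dst_port)
        return None


@dataclass(frozen=True)
class WanRule:
    """A WAN rule; None means 'any'.  dst_ip is compared against the translated
    (internal) destination, which is how rules for NAT traffic are evaluated."""
    action: str                    # "pass" or "block"
    proto: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, pkt.proto),
            (self.dst_ip, pkt.dst_ip),
            (self.dst_port, pkt.dst_port)))


def delivered(nat_entries, wan_rules, pkt: Packet) -> bool:
    """True if pkt reaches an internal host: NAT first, then the ruleset."""
    translated = None
    for entry in nat_entries:              # first matching NAT entry wins
        translated = entry.translate(pkt)
        if translated is not None:
            break
    if translated is None:
        return False                       # nothing was mapped to an internal host
    for rule in wan_rules:
        if rule.matches(translated):
            return rule.action == "pass"   # first matching rule wins
    return False                           # implicit default deny


def exposed(nat_entries, wan_rules, ports=(22, 80, 443, 3306)):
    """Which (proto, port) pairs on PUBLIC_IP reach the internal host."""
    return sorted((proto, port) for proto in ("tcp", "udp") for port in ports
                  if delivered(nat_entries, wan_rules, Packet(proto, PUBLIC_IP, port)))


ALLOW_ALL = [WanRule("pass")]                                   # the mistake
TIGHT = [WanRule("pass", "tcp", DMZ_HOST, 80)]                  # what it should be
FORWARD_80 = [PortForward(PUBLIC_IP, "tcp", 80, DMZ_HOST, 80)]
ONE_TO_ONE = [OneToOne(PUBLIC_IP, DMZ_HOST)]

if __name__ == "__main__":
    print("port forward + allow all:", exposed(FORWARD_80, ALLOW_ALL))   # only tcp/80
    print("1:1 NAT + allow all:     ", exposed(ONE_TO_ONE, ALLOW_ALL))   # everything probed
    print("1:1 NAT + tight rule:    ", exposed(ONE_TO_ONE, TIGHT))       # only tcp/80
```

The port forward constrains exposure even when the WAN rule is wrong; the 1:1 entry does not, so with 1:1 NAT the WAN rule is the only thing standing between the Internet and every listening service on the host.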
Configuring 1:1 NAT
To configure 1:1 NAT:
- Add a Virtual IP for the public IP address to be used for the 1:1 NAT entry as described in Virtual IP Addresses
- Navigate to Firewall > NAT, 1:1 tab
- Click Add to create a new 1:1 entry at the top of the list
- Configure the 1:1 NAT entry as follows:
Disabled: Controls whether this 1:1 NAT entry is active.
Interface: The interface where the 1:1 NAT translation will take place, typically a WAN type interface.
External subnet IP: The IPv4 address to which the Internal IP address will be translated as it enters or leaves the Interface. This is typically an IPv4 Virtual IP address on Interface, or an IP address routed to the firewall via Interface.
Internal IP: The IPv4 address behind the firewall that will be translated to the External subnet IP address. The device with this address must use this firewall as its gateway, either directly (attached) or indirectly (via a static route). Specifying a subnet mask here will translate the entire network matching the subnet mask. For example, using x.x.x.0/24 will translate anything in that subnet to its equivalent address in the external subnet.
Destination: Optional, a network restriction that limits the 1:1 NAT entry. When a value is present, the 1:1 NAT will only take effect when traffic is going from the Internal IP address to the Destination address on the way out, or from the Destination address to the External subnet IP address on the way into the firewall. The Destination field supports the use of aliases.
Description: An optional text description to explain the purpose of this entry.
NAT reflection: An override for the global NAT reflection options. Use system default will respect the global NAT reflection settings, enable will always perform NAT reflection for this entry, and disable will never do NAT reflection for this entry. For more information on NAT Reflection, see NAT Reflection.
- Click Save
- Click Apply Changes
Example Single IP Address 1:1 Configuration
This section demonstrates how to configure a 1:1 NAT entry with a single internal and external IP address. In this example, 198.51.100.210 is a Virtual IP address on the WAN interface; in most deployments this will be substituted with a working public IP address. The mail server in this mapping resides on a DMZ segment using internal IP address 10.3.1.15. The 1:1 NAT entry to map 198.51.100.210 to 10.3.1.15 is shown in Figure 1:1 NAT Entry.
Example IP Address Range 1:1 Configuration
1:1 NAT can be configured for multiple public IP addresses by using CIDR ranges. In this example, 1:1 NAT is configured for a /30 CIDR range of IPs.
See CIDR Summarization for more information on summarizing networks or groups of IP addresses inside a larger subnet using CIDR notation.
Table /30 CIDR Mapping Matching Final Octet
| External IP | Internal IP |
The last octet of the IP addresses need not be the same on the inside and outside, but doing so makes it logically simpler to follow. For example, Table /30 CIDR Mapping Non-Matching Final Octet is also valid.
Table /30 CIDR Mapping Non-Matching Final Octet
| External IP | Internal IP |
Choosing an addressing scheme where the last octet matches makes the layout easier to understand and hence maintain. Figure 1:1 NAT entry for /30 CIDR range shows how to configure 1:1 NAT to achieve the mapping listed in Table /30 CIDR Mapping Matching Final Octet.
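The address arithmetic behind the Internal IP subnet mask, the Destination restriction and the /30 range mapping above is small enough to write out. The following is an added example, not pfSense code: it enforces the same-size, boundary-aligned requirement, maps each address to the one at the same offset in the other subnet in both directions, honours an optional Destination, and prints the equivalent FreeBSD pf `binat` rule. The 198.51.100.210 to 10.3.1.15 pair is the text's own; the /30 ranges, the 10.3.1.200/30 non-matching block, the 203.0.113.0/24 destination and the interface name em0 are assumptions made for the example.

```python
"""1:1 NAT address mapping for single hosts and aligned subnets.
Added example, not pfSense code.  The 198.51.100.210 <-> 10.3.1.15 pair is the
text's; the /30 ranges, 203.0.113.0/24 destination and 'em0' are constructed."""
import ipaddress
from typing import Optional


def _fmt(net: ipaddress.IPv4Network) -> str:
    """Print a /32 as a bare host address, anything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


class OneToOneNat:
    def __init__(self, external: str, internal: str, destination: Optional[str] = None):
        # strict=True rejects host bits, i.e. a subnet not aligned on its boundary
        try:
            self.external = ipaddress.ip_network(external, strict=True)
            self.internal = ipaddress.ip_network(internal, strict=True)
        except ValueError as exc:
            raise ValueError(f"1:1 subnets must align on a subnet boundary: {exc}") from None
        if self.external.prefixlen != self.internal.prefixlen:
            raise ValueError("1:1 NAT requires external and internal subnets of the same size")
        self.destination = ipaddress.ip_network(destination) if destination else None

    @staticmethod
    def _shift(addr: str, src_net, dst_net):
        """Map addr to the address at the same offset inside dst_net."""
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return None
        return dst_net.network_address + (int(addr) - int(src_net.network_address))

    def outbound(self, src: str, dst: str):
        """Internal source -> external address, or None (falls through to outbound NAT)."""
        if self.destination and ipaddress.ip_address(dst) not in self.destination:
            return None
        return self._shift(src, self.internal, self.external)

    def inbound(self, src: str, dst: str):
        """External destination -> internal address, or None (entry does not apply)."""
        if self.destination and ipaddress.ip_address(src) not in self.destination:
            return None
        return self._shift(dst, self.external, self.internal)

    def pf_rule(self, interface: str) -> str:
        """The equivalent pf 'binat' rule (FreeBSD pf syntax)."""
        to = str(self.destination) if self.destination else "any"
        return f"binat on {interface} from {_fmt(self.internal)} to {to} -> {_fmt(self.external)}"


def is_valid_pair(external: str, internal: str) -> bool:
    """True if the two subnets can be used together in one 1:1 entry."""
    try:
        OneToOneNat(external, internal)
        return True
    except ValueError:
        return False


def table(entry: OneToOneNat):
    """The (External IP, Internal IP) rows the entry maps, as the text's tables list them."""
    return [(str(ext), str(entry.inbound("0.0.0.0", str(ext)) if entry.destination is None
                            else entry._shift(str(ext), entry.external, entry.internal)))
            for ext in entry.external]


SINGLE = OneToOneNat("198.51.100.210/32", "10.3.1.15/32")
MATCHING = OneToOneNat("198.51.100.64/30", "10.3.1.64/30")        # last octet matches
NON_MATCHING = OneToOneNat("198.51.100.64/30", "10.3.1.200/30")   # also valid, harder to follow
RESTRICTED = OneToOneNat("198.51.100.210/32", "10.3.1.15/32", destination="203.0.113.0/24")

if __name__ == "__main__":
    for name, entry in (("single", SINGLE), ("matching", MATCHING), ("non-matching", NON_MATCHING)):
        print(name, table(entry), "|", entry.pf_rule("em0"))
    print("misaligned /30 accepted?", is_valid_pair("198.51.100.64/30", "10.3.1.66/30"))
    print("size mismatch accepted?", is_valid_pair("198.51.100.64/30", "10.3.1.0/29"))
    print("restricted outbound to 8.8.8.8:", RESTRICTED.outbound("10.3.1.15", "8.8.8.8"))
```

Note that a /30 entry maps all four addresses, including the network and broadcast addresses of each block, so the external block must be one the firewall actually owns or has routed to it. With a Destination set, traffic that does not match the restriction returns None here, which corresponds to the entry not applying and outbound NAT taking over.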