
Configuring 1:1 NAT

1:1 NAT translation on the MX Security Appliance maps a specific public IP address to an internal IP address. This is useful when internal servers need to be accessed by external clients using multiple public IP addresses. This article briefly describes example configurations, considerations, and best practices for 1:1 NAT translation.

Note: Though similar, 1:1 NAT is different from port forwarding. For more information, refer to our documentation on 1:1 NAT vs. Port forwarding.

Basic Configuration

A basic but insecure 1:1 NAT configuration can be set up to forward all traffic to the internal client. This may be used when a 1:1 NAT rule needs to be created at short notice, but it is not recommended for security reasons. When all ports are forwarded to a client, attackers using a port scanner can target vulnerable services or gain access to the internal server.

[Figure 1. Example of insecure 1:1 NAT configuration]

[Figure 2. Illustrating an insecure 1:1 NAT configuration]

Detailed Configuration

A more advanced configuration should include multiple rules and use a secondary uplink to provide redundancy for the web server. If one uplink goes down, the secondary uplink is still in place to provide remote connectivity to the internal server. 1:1 NAT rules should also be configured so that access to specific services, such as RDP, is restricted to specific remote IP addresses.

[Figure 3. Example of a secure 1:1 NAT configuration]

[Figure 4. Illustrating an example secure 1:1 NAT configuration]

Additional Considerations

When a 1:1 NAT rule is configured for a given LAN IP, that device's outbound traffic will be mapped to the public IP configured in the 1:1 NAT rule, rather than the primary WAN IP of the MX. Exceptions may occur when the MX is running some content filtering features that involve its web proxy. In this circumstance, outbound web traffic initiated by the 1:1 NAT LAN device will use the primary uplink as normal.
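The following added example (not from this article or from Meraki) models the two rule styles above, the "all traffic" rule from Basic Configuration and the per-service, per-remote-IP rule from Detailed Configuration, together with the outbound source mapping just described. All addresses, the rule format and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (hypothetical addresses, not from the article):
# primary WAN IP 203.0.113.1, public IP 203.0.113.10 mapped 1:1 to server 192.168.128.10.
PRIMARY_WAN_IP = "203.0.113.1"

# A 1:1 NAT rule: public IP -> LAN IP plus the inbound services it exposes.
# "allowed" is a list of (protocol, port, remote CIDRs); an empty list forwards every port.
INSECURE_RULES = [
    {"public_ip": "203.0.113.10", "lan_ip": "192.168.128.10", "allowed": []},
]
SECURE_RULES = [
    {"public_ip": "203.0.113.10", "lan_ip": "192.168.128.10", "allowed": [
        ("tcp", 443, ["0.0.0.0/0"]),            # HTTPS open to all remote IPs
        ("tcp", 3389, ["198.51.100.20/32"]),    # RDP only from one admin address
    ]},
]

def translate_inbound(rules, dst_public_ip, protocol, dst_port, src_ip):
    """Return the LAN IP an inbound connection is forwarded to, or None if it is dropped."""
    for rule in rules:
        if rule["public_ip"] != dst_public_ip:
            continue
        if not rule["allowed"]:          # "all traffic" rule: every port reaches the host
            return rule["lan_ip"]
        for proto, port, remotes in rule["allowed"]:
            if proto == protocol and port == dst_port and any(
                    ip_address(src_ip) in ip_network(r) for r in remotes):
                return rule["lan_ip"]
        return None                      # public IP matched, but no permitted service
    return None                          # no 1:1 NAT rule for this public IP

def translate_outbound(rules, lan_ip):
    """Source IP for the host's outbound traffic: its 1:1 NAT public IP if it has one."""
    for rule in rules:
        if rule["lan_ip"] == lan_ip:
            return rule["public_ip"]
    return PRIMARY_WAN_IP                # other LAN hosts use the primary WAN IP

def exposed_ports(rules, dst_public_ip, src_ip, ports=(22, 80, 443, 3389)):
    """Which of the probed TCP ports a given outside address could reach (self-check)."""
    return [p for p in ports if translate_inbound(rules, dst_public_ip, "tcp", p, src_ip)]

if __name__ == "__main__":
    print("insecure rule, any source :", exposed_ports(INSECURE_RULES, "203.0.113.10", "198.51.100.7"))
    print("secure rule, any source   :", exposed_ports(SECURE_RULES, "203.0.113.10", "198.51.100.7"))
    print("secure rule, admin source :", exposed_ports(SECURE_RULES, "203.0.113.10", "198.51.100.20"))
```

Running it shows the insecure rule exposing every probed port to any source, while the secure rule exposes only HTTPS to the world and RDP only to the admin address.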

In some cases, 1:1 NAT translation will not work properly immediately after installing a new MX or when using Link aggregation. Special considerations should be taken when configuring 1:1 NAT rules with Uplink preferences and multiple public IP addresses.

Last modified
17:48, 12 Aug 2016