Servers behind a firewall often need to be accessible from the Internet. You can accomplish this by implementing Port Forwarding, 1:1 NAT (Network Address Translation), or 1:Many NAT on the MX Security Appliance. This article discusses when it is appropriate to configure each one and their limitations.
Port forwarding takes specific TCP or UDP ports destined to an Internet interface of the MX Security Appliance and forwards them to specific internal IPs. This is best for users that do not own a pool of public IP addresses. This feature can forward different ports to different internal IP addresses, allowing multiple servers to be accessible from the same public IP address.
Please note that it is not possible to forward a single TCP or UDP port to multiple LAN devices.
1:1 NAT is for users with multiple public IP addresses available for use and for networks with multiple servers behind an firewall such as two web servers and two mail servers. A 1:1 NAT mapping can only be configured with IP addresses that do not belong to the MX Security Appliance. It can also translate public IP addresses in different subnets than WAN interface address if the ISP routes traffic for the subnet towards the MX interface. Each translation added is a one to one rule, which means traffic destined to the public IP address can only go to one internal IP address. Within each translation, a user can specify which ports will be forwarded to the internal IP.
A 1:Many NAT configuration allows an MX to forward traffic from a configured public IP to internal servers. However, unlike a 1:1 NAT rule, 1:Many NAT allows a single public IP to translate to multiple internal IPs, on different ports. For each 1:Many IP definition, a single public IP must be specified, then multiple port forwarding rules can be configured to forward traffic to different devices on the LAN on a per-port basis. As with 1:1 NAT, a 1:Many NAT definition cannot use an IP address that belongs to the MX.