1:1 NAT translation on the MX Security Appliance maps a specific public IP address to a specific internal IP address. This is useful when internal servers need to be reachable by external clients on multiple public IP addresses. This article briefly describes example configurations, considerations, and best practices for 1:1 NAT translation.
Note: Though similar, 1:1 NAT is different from port forwarding. For more information, refer to our documentation on 1:1 NAT vs. Port forwarding.
A basic but insecure 1:1 NAT configuration forwards all ports and protocols, from any remote IP address, to the internal client. This is sometimes done when a 1:1 NAT rule must be created at short notice, but it is not recommended for security reasons: once every port is forwarded, an attacker can port-scan the public IP, enumerate every service the internal host is running, and target any vulnerable one to gain access to the internal server.
Figure 1. Example of insecure 1:1 NAT configuration
Figure 2. Illustrating an insecure 1:1 NAT configuration
A more robust configuration uses multiple rules and a secondary uplink to provide redundancy for the web server. If one uplink goes down, the secondary uplink is still in place to provide remote connectivity to the internal server. The allowed inbound entries of each 1:1 NAT rule should also be limited to the ports the server actually needs, and access to administrative services such as RDP should be restricted to specific remote IP addresses rather than left open to any source.
Figure 3. Example of a secure 1:1 NAT configuration
Figure 4. Illustrating an example secure 1:1 NAT configuration
When a 1:1 NAT rule is configured for a given LAN IP, that device's outbound traffic is sourced from the public IP configured in the 1:1 NAT rule rather than from the primary WAN IP of the MX. An exception occurs when the MX is running content filtering features that pass traffic through its web proxy; in that case, outbound web traffic initiated by the 1:1 NAT LAN device uses the primary uplink as normal.
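The following is an added example, not code from the original article or from Meraki: it models 1:1 NAT rules in the shape the Dashboard API uses (the endpoint, the camelCase field names, and the "any" keyword are assumptions), lints a rule set for the insecure all-ports pattern of Figure 1 and for administrative ports exposed to any source, serialises the hardened rule set of Figure 3, and predicts which public IP a LAN host's outbound traffic will carry. The sample rules and addresses are constructed for illustration; the list of administrative ports is the author's choice.

```python
"""Added example, not Meraki's own code: model MX 1:1 NAT rules in the shape
the Dashboard API uses (assumed: PUT
/networks/{networkId}/appliance/firewall/oneToOneNatRules with a "rules"
list), lint them for the insecure all-ports pattern, and predict which
public IP a LAN host's outbound traffic will carry."""
from dataclasses import dataclass, field
from typing import Dict, List

# Administrative services that should never be reachable from any source.
# Port choices are an assumption of this example, not from the article.
ADMIN_PORTS = {"22", "3389", "5900", "445"}


@dataclass
class AllowedInbound:
    protocol: str                 # "tcp", "udp", "icmp-ping" or "any"
    destination_ports: List[str]  # e.g. ["443"], or ["any"]
    allowed_ips: List[str]        # e.g. ["203.0.113.10/32"], or ["any"]


@dataclass
class OneToOneNatRule:
    name: str
    public_ip: str
    lan_ip: str
    uplink: str                   # "internet1" or "internet2"
    allowed_inbound: List[AllowedInbound] = field(default_factory=list)


def lint_rule(rule: OneToOneNatRule) -> List[str]:
    """Return findings for one rule; an empty list means it passes."""
    findings = []
    for entry in rule.allowed_inbound:
        ports = set(entry.destination_ports)
        any_port = entry.protocol == "any" or "any" in ports
        any_source = "any" in entry.allowed_ips
        if any_port and any_source:
            # The "forward everything" configuration of Figure 1: a port
            # scan of the public IP now reaches every service on the host.
            findings.append(f"{rule.name}: all ports exposed to any source")
        elif any_source and ADMIN_PORTS & ports:
            exposed = ",".join(sorted(ADMIN_PORTS & ports))
            findings.append(f"{rule.name}: admin port(s) {exposed} open to any source")
    return findings


def lint_rules(rules: List[OneToOneNatRule]) -> List[str]:
    return [f for rule in rules for f in lint_rule(rule)]


def expected_outbound_ip(rules, lan_ip, primary_wan_ip, active_uplink="internet1"):
    """Source IP the internet sees for lan_ip's outbound traffic: the public
    IP of its 1:1 NAT rule on the active uplink, else the MX primary WAN IP.
    Assumption: with one rule per uplink, the rule on the active uplink wins.
    The web-proxy content-filtering exception is not modelled."""
    for rule in rules:
        if rule.lan_ip == lan_ip and rule.uplink == active_uplink:
            return rule.public_ip
    return primary_wan_ip


def to_api_payload(rules: List[OneToOneNatRule]) -> Dict:
    """Serialise to the (assumed) camelCase JSON body the Dashboard API takes."""
    return {"rules": [{
        "name": r.name, "publicIp": r.public_ip, "lanIp": r.lan_ip,
        "uplink": r.uplink,
        "allowedInbound": [{"protocol": e.protocol,
                            "destinationPorts": e.destination_ports,
                            "allowedIps": e.allowed_ips}
                           for e in r.allowed_inbound],
    } for r in rules]}


# Constructed sample rules using RFC 5737 documentation addresses.
# Insecure: everything forwarded to the web server from anywhere (Figure 1).
INSECURE_RULES = [
    OneToOneNatRule("web-quick", "198.51.100.10", "10.0.1.10", "internet1",
                    [AllowedInbound("any", ["any"], ["any"])]),
]

# Hardened: HTTPS open to the internet, RDP only from one admin host, and a
# second rule on the other uplink for redundancy (Figure 3).
ADMIN_HOST = ["203.0.113.10/32"]
SECURE_RULES = [
    OneToOneNatRule("web-wan1", "198.51.100.10", "10.0.1.10", "internet1", [
        AllowedInbound("tcp", ["443"], ["any"]),
        AllowedInbound("tcp", ["3389"], ADMIN_HOST),
    ]),
    OneToOneNatRule("web-wan2", "198.51.100.20", "10.0.1.10", "internet2", [
        AllowedInbound("tcp", ["443"], ["any"]),
        AllowedInbound("tcp", ["3389"], ADMIN_HOST),
    ]),
]

if __name__ == "__main__":
    print("insecure:", lint_rules(INSECURE_RULES))
    print("secure:", lint_rules(SECURE_RULES) or "no findings")
    print("web server egresses as",
          expected_outbound_ip(SECURE_RULES, "10.0.1.10", "192.0.2.1"))
```

Run the linter against a proposed rule set before pushing it to the Dashboard; a rule that allows "any" protocol or port from "any" source reproduces the exposure described above, and an administrative port open to "any" is the next most common mistake. The outbound helper also makes the point that the web server's egress address is the rule's public IP, which matters when a remote party allow-lists the MX by source IP.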
In some cases, 1:1 NAT translation does not work properly immediately after a new MX is installed or when link aggregation is in use. Special consideration is also needed when combining 1:1 NAT rules with uplink preferences and multiple public IP addresses.