Cisco Meraki

Configuring 1:1 NAT

1:1 NAT translation on the MX Security Appliance maps a specific public IP address to an internal IP address. This is useful when internal servers need to be reachable by external clients on multiple public IP addresses. This article briefly describes example configurations, considerations, and best practices for 1:1 NAT translation.

Note: Though similar, 1:1 NAT is different from port forwarding. For more information, refer to our documentation on 1:1 NAT vs. Port forwarding.

Basic Configuration

A basic but insecure 1:1 NAT configuration forwards all traffic arriving on the public IP to the internal client. It can be used when a 1:1 NAT rule must be created at short notice, but it is not recommended for security reasons: when every port is forwarded to a client, an attacker with a port scanner can enumerate the exposed services, target vulnerable ones, or gain access to the internal server.

Figure 1. Example of insecure 1:1 NAT configuration

Figure 2. Illustrating an insecure 1:1 NAT configuration

Detailed Configuration

A more complete configuration uses multiple rules and a secondary uplink to provide redundancy for the web server: if one uplink goes down, the server remains reachable through the other. The allowed inbound connections on each rule should also be restricted, so that administrative services such as RDP are reachable only from specific remote IP addresses and public services are limited to the ports they actually need.

Figure 3. Example of a secure 1:1 NAT configuration

Figure 4. Illustrating an example secure 1:1 NAT configuration

Additional Considerations

When a 1:1 NAT rule is configured for a given LAN IP, that device's outbound traffic is sourced from the public IP configured in the 1:1 NAT rule rather than the primary WAN IP of the MX. An exception occurs when the MX is running content filtering features that rely on its web proxy; in that case, outbound web traffic initiated by the 1:1 NAT LAN device uses the primary uplink as normal.

Hairpin Routing

Traffic sourced from the LAN of the MX and destined for a public IP configured in the 1:1 NAT section is routed to the private IP address of the configured mapping.

To do this, the MX accepts the packet on the LAN and rewrites the IPv4 header: the new source is the IP/MAC of the MX's layer 3 interface for the VLAN in which the destination client resides, and the new destination is the private IP/MAC of the client mapped by the 1:1 NAT rule. Because the source is rewritten to the MX, the mapped client sees the connection as coming from the MX rather than from the original LAN host, which matters for logging and for any host-based access control on that server.

This adds complexity; where applicable, the same result is achieved more simply with a static DNS record that resolves the server's name to its private IP for internal clients.
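The following is an added example (not Meraki code and not a Dashboard API call) that models offline the behaviours described in the Basic Configuration, Detailed Configuration, Additional Considerations and Hairpin Routing sections above: it encodes the insecure "allow everything" rule and the restricted two-uplink rules, checks which inbound packets each would forward, shows which public IP a mapped host's outbound traffic is sourced from, and computes the hairpin rewrite. The rule fields mirror those on the 1:1 NAT form (name, public IP, LAN IP, uplink, allowed inbound protocol/ports/remote IPs); all addresses, the MX LAN interface IP 192.168.128.1 and the lint checks are constructed assumptions for illustration.

```python
"""Offline model of MX 1:1 NAT behaviour as described on this page.

Added example, not Meraki code.  Rule fields mirror the Dashboard 1:1 NAT
form; the addresses, the MX LAN interface IP and the lint checks are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class AllowedInbound:
    protocol: str      # "tcp", "udp", "icmp" or ANY
    ports: tuple       # destination ports, or (ANY,)
    remote_ips: tuple  # CIDR strings, or (ANY,)

    def matches(self, proto, dport, src_ip):
        """True if this allowed-inbound entry admits the packet."""
        if self.protocol != ANY and self.protocol != proto:
            return False
        if self.ports != (ANY,) and dport not in self.ports:
            return False
        if self.remote_ips != (ANY,):
            src = ip_address(src_ip)
            if not any(src in ip_network(cidr) for cidr in self.remote_ips):
                return False
        return True


@dataclass(frozen=True)
class OneToOneRule:
    name: str
    public_ip: str
    lan_ip: str
    uplink: str            # "internet1" or "internet2"
    allowed_inbound: tuple


# Figure 1/2 style (constructed): everything on the public IP hits the server.
INSECURE_RULES = (
    OneToOneRule("web-quick", "203.0.113.10", "192.168.128.10", "internet1",
                 (AllowedInbound(ANY, (ANY,), (ANY,)),)),
)

# Figure 3/4 style (constructed): HTTPS open to the world, RDP only from one
# admin address, and the same server published again via the secondary uplink.
ADMIN_NET = "198.51.100.5/32"
SECURE_RULES = (
    OneToOneRule("web-wan1", "203.0.113.10", "192.168.128.10", "internet1",
                 (AllowedInbound("tcp", (443,), (ANY,)),
                  AllowedInbound("tcp", (3389,), (ADMIN_NET,)))),
    OneToOneRule("web-wan2", "192.0.2.10", "192.168.128.10", "internet2",
                 (AllowedInbound("tcp", (443,), (ANY,)),
                  AllowedInbound("tcp", (3389,), (ADMIN_NET,)))),
)


def inbound_target(rules, public_ip, proto, dport, src_ip):
    """LAN IP an inbound packet to public_ip is translated to, or None if dropped."""
    for rule in rules:
        if rule.public_ip == public_ip and any(
                e.matches(proto, dport, src_ip) for e in rule.allowed_inbound):
            return rule.lan_ip
    return None


def outbound_source(rules, lan_ip, uplink, wan_ip):
    """Public source IP for traffic the LAN host initiates over the given uplink.

    A host covered by a 1:1 NAT rule is sourced from that rule's public IP rather
    than the uplink's own address (the web-proxy exception is not modelled).
    """
    for rule in rules:
        if rule.lan_ip == lan_ip and rule.uplink == uplink:
            return rule.public_ip
    return wan_ip


def hairpin(rules, public_ip, mx_lan_ip):
    """(new source, new destination) after the MX rewrites a LAN packet to public_ip."""
    for rule in rules:
        if rule.public_ip == public_ip:
            return (mx_lan_ip, rule.lan_ip)
    return None


def lint(rules):
    """Findings a reviewer would raise before the rules go live (constructed checks)."""
    findings = []
    for rule in rules:
        for e in rule.allowed_inbound:
            if e.protocol == ANY and e.ports == (ANY,) and e.remote_ips == (ANY,):
                findings.append(f"{rule.name}: every port on {rule.public_ip} reachable from any remote IP")
            elif 3389 in e.ports and e.remote_ips == (ANY,):
                findings.append(f"{rule.name}: RDP on {rule.public_ip} reachable from any remote IP")
    return findings


if __name__ == "__main__":
    print(lint(INSECURE_RULES))
    print(lint(SECURE_RULES))
    print(inbound_target(SECURE_RULES, "203.0.113.10", "tcp", 3389, "203.0.113.77"))
    print(outbound_source(SECURE_RULES, "192.168.128.10", "internet1", "203.0.113.1"))
    print(hairpin(SECURE_RULES, "203.0.113.10", "192.168.128.1"))
```

Running the script shows the insecure rule tripping the lint check while the restricted rules pass, an RDP attempt from an unlisted address to 203.0.113.10 being dropped, the server's own outbound traffic leaving as 203.0.113.10 rather than the WAN1 interface address, and a LAN host's packet to 203.0.113.10 being rewritten to source 192.168.128.1 and destination 192.168.128.10.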

In some cases, 1:1 NAT translation does not work properly immediately after installing a new MX or when using link aggregation. Take special care when configuring 1:1 NAT rules together with uplink preferences and multiple public IP addresses.
