Servers behind a firewall often need to be accessible from the Internet. You can accomplish this by implementing Port Forwarding, 1:1 NAT (Network Address Translation), or 1:Many NAT on the MX Security Appliance. This article discusses when it is appropriate to configure each one and their limitations.
Port forwarding takes specific TCP or UDP ports destined to an Internet interface of the MX Security Appliance and forwards them to specific internal IPs. This is best for users that do not own a pool of public IP addresses. This feature can forward different ports to different internal IP addresses, allowing multiple servers to be accessible from the same public IP address.
When mapping ports, keep in mind:
- Ports can be listed individually, or as a range
- Port ranges must be hyphenated. A comma-separated list is not accepted.
- When mapping a range of public ports to a range of local ports, the ranges must be the same length. (ie, 8000-8500 public must be mapped to 8000-8500 local)
Please note that it is not possible to forward a single TCP or UDP port to multiple LAN devices.
1:1 NAT is for users with multiple public IP addresses available for use and for networks with multiple servers behind an firewall such as two web servers and two mail servers. A 1:1 NAT mapping can only be configured with IP addresses that do not belong to the MX Security Appliance. It can also translate public IP addresses in different subnets than WAN interface address if the ISP routes traffic for the subnet towards the MX interface. Each translation added is a one to one rule, which means traffic destined to the public IP address can only go to one internal IP address. Within each translation, a user can specify which ports will be forwarded to the internal IP. When adding ports for NAT, a range or comma separated list of ports are both acceptable.
A 1:Many NAT configuration allows an MX to forward traffic from a configured public IP to internal servers. However, unlike a 1:1 NAT rule, 1:Many NAT allows a single public IP to translate to multiple internal IPs, on different ports. For each 1:Many IP definition, a single public IP must be specified, then multiple port forwarding rules can be configured to forward traffic to different devices on the LAN on a per-port basis. As with 1:1 NAT, a 1:Many NAT definition cannot use an IP address that belongs to the MX.
For information on troubleshooting issues with Port Forwarding and NAT Rules, please refer to this article.