1:1 NAT versus Port Forwarding
Posted: 22 May 2015 03:08 PM

Servers behind a firewall often need to be accessible from the Internet.  You can accomplish this by implementing Port Forwarding or 1:1 NAT (Network Address Translation) on the MX Security Appliance.  This article discusses when it is appropriate to configure each one and their limitations.

Port Forwarding

Port forwarding takes specific TCP or UDP ports destined to an Internet interface of the MX Security Appliance and forwards them to specific internal IPs.  This is best for users that do not own a pool of public IP addresses.  This feature can forward different ports to different internal IP addresses, allowing multiple servers to be accessible from the same public IP address.  

Port forwarding does not support forwarding a single port to multiple internal IP addresses.  For example, you cannot forward TCP port 80 to two different IP addresses behind an appliance.  The only workaround would be to have a unique public port, which is then translated to local port 80.  However, when using a unique port for certain services may not be acceptable, 1:1 NAT becomes necessary.  For other port forwarding caveats please read the following article: Port Forwarding Caveats

1:1 NAT

1:1 NAT is for users with multiple public IP addresses available for use and for networks with multiple servers behind an firewall such as two web servers and two mail servers. A 1:1 NAT mapping can only be configured with IP addresses that do not belong to the MX Security Appliance. It can also translate public IP addresses in different subnets than WAN interface address if the ISP routes traffic for the subnet towards the MX interface.  Each translation added is a one to one rule, which means traffic destined to the public IP address can only go to one internal IP address. Within each translation, a user can specify which ports will be forwarded to the internal IP. 

(3 vote(s))
Not helpful