Watchguard Firebox X15 User Manual page 186

Firebox X Edge e-Series version 10: all Firebox X Edge e-Series standard and wireless models

Traffic Management
About 1-to-1 NAT
When you enable 1-to-1 NAT, the Firebox changes and routes all incoming and outgoing packets sent from
one range of addresses to a different range of addresses. A 1-to-1 NAT rule always has precedence over
dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that must
be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You do not have to
change the IP address of your internal servers. When you have a group of similar servers (for example, a group
of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers.
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of their
Firebox. These addresses are:
10.1.1.1
10.1.1.2
10.1.1.3
10.1.1.4
10.1.1.5
Company ABC selects five public IP addresses from the same network address as the external interface of their
Firebox, and creates DNS records that resolve the email servers' names to these addresses.
These addresses are:
50.1.1.1
50.1.1.2
50.1.1.3
50.1.1.4
50.1.1.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static,
bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.1.1.1 <--> 50.1.1.1
10.1.1.2 <--> 50.1.1.2
10.1.1.3 <--> 50.1.1.3
10.1.1.4 <--> 50.1.1.4
10.1.1.5 <--> 50.1.1.5
When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship
between the pool of private IP addresses and the pool of public addresses.
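The Company ABC mapping can be modeled in a few lines of Python to check which address a packet carries on each side of the Firebox. This is an added example, not WatchGuard code or configuration. The class and function names are hypothetical, the external interface address 50.1.1.10 is a constructed value, and dynamic NAT is assumed to rewrite the source to that external address.

```python
import ipaddress

class OneToOneNat:
    """Static, bi-directional map between two equal-sized address ranges."""

    def __init__(self, private_base, public_base, count):
        self.private_base = ipaddress.IPv4Address(private_base)
        self.public_base = ipaddress.IPv4Address(public_base)
        self.count = count

    def _shift(self, addr, from_base, to_base):
        # Keep the host's offset within the range; only the base changes.
        offset = int(ipaddress.IPv4Address(addr)) - int(from_base)
        if 0 <= offset < self.count:
            return str(to_base + offset)
        return None  # address is outside the rule

    def to_public(self, addr):
        return self._shift(addr, self.private_base, self.public_base)

    def to_private(self, addr):
        return self._shift(addr, self.public_base, self.private_base)


def outbound_source(src, rule, external_ip):
    """Source address a packet carries after leaving the Firebox."""
    mapped = rule.to_public(src)
    if mapped is not None:
        return mapped, "1-to-1"      # 1-to-1 NAT has precedence
    return external_ip, "dynamic"    # assumed dynamic NAT behaviour


def inbound_destination(dst, rule):
    """Destination address a packet carries after entering the Firebox."""
    mapped = rule.to_private(dst)
    return (mapped, "1-to-1") if mapped is not None else (dst, "none")


# Company ABC's rule from the manual; EXTERNAL_IP is a constructed value.
RULE = OneToOneNat("10.1.1.1", "50.1.1.1", 5)
EXTERNAL_IP = "50.1.1.10"

if __name__ == "__main__":
    for host in ("10.1.1.3", "10.1.1.20"):
        print("out", host, "->", outbound_source(host, RULE, EXTERNAL_IP))
    for host in ("50.1.1.5", "50.1.1.10"):
        print("in ", host, "->", inbound_destination(host, RULE))
```

A host inside the rule's range keeps the same public address in both directions, while a host outside it (10.1.1.20 here) falls through to dynamic NAT and cannot be reached from outside through this rule.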