Configuring 1-to-1 NAT

Configure 1-to-1 NAT

You can use 1-to-1 NAT when you want to publish public or “external” IP addresses for FortiADC resources but want the communication among servers on the internal network to be on a private or “internal” IP address range.

The figure "One-to-One NAT" illustrates 1-to-1 NAT. The NAT configuration assigns both external and internal (or “mapped”) IP addresses to Interface 1. Traffic from the external side of the connection (such as client traffic) uses the external IP address and port. Traffic on the internal side (such as the virtual server communication with real servers) uses the mapped IP address and port.

1-to-1 NAT is supported for traffic to virtual servers. The address translation occurs before the ADC has processed its rules, so FortiADC server load balancing policies that match source address (such as content routing and content rewriting rules) should be based on the mapped address space.

The system maintains this NAT table and performs the inverse mapping when it sends traffic from the internal side to the external side.

[Figure: One-to-One NAT]

Before you begin:

  • You must know the IP addresses your organization has provisioned for your NAT design.
  • You must have Read-Write permission for System settings.

To configure one-to-one NAT:
  1. Go to Networking > NAT.
  2. Click the 1-to-1 NAT tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in 1-to-1 NAT configuration.
  5. Save the configuration.
  6. Reorder rules, as necessary.

1-to-1 NAT configuration

| Settings | Guidelines |
|---|---|
| Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name. |
| External Interface | Interface that receives traffic. |
| External Address Range | Specify the first address in the range. The last address is calculated after you enter the mapped IP range. |
| Mapped Address Range | Specify the first and last addresses in the range. |

Port Forwarding

| Settings | Guidelines |
|---|---|
| Port Forwarding | Select to enable. |
| Protocol | TCP, UDP |
| External Port Range | Specify the first port number in the range. The last port number is calculated after you enter the mapped port range. |
| Mapped Port Range | Specify the first and last port numbers in the range. |
| Traffic Group | Select a traffic group. Otherwise, the system will use the default. |

Reordering

After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.
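The following added example (a model for reviewing a planned rule set, not FortiADC code) shows how the last external address follows from the mapped range, how first-match ordering and the inverse mapping resolve an address, and how to spot a rule that an earlier rule makes unreachable. It assumes an offset-preserving mapping (the Nth external address maps to the Nth mapped address), covers addresses only (not port forwarding), and uses constructed rule names and addresses.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address

@dataclass(frozen=True)
class NatRule:
    name: str
    ext_first: str   # External Address Range: only the first address is entered
    map_first: str   # Mapped Address Range: first address
    map_last: str    # Mapped Address Range: last address

    @property
    def size(self):
        return int(ip(self.map_last)) - int(ip(self.map_first)) + 1

    @property
    def ext_last(self):
        # Derived value: external range has the same length as the mapped range.
        return str(ip(self.ext_first) + self.size - 1)

    def ext_offset(self, addr):
        off = int(ip(addr)) - int(ip(self.ext_first))
        return off if 0 <= off < self.size else None

def to_mapped(rules, ext_addr):
    """External -> mapped. Table is read top to bottom; first match wins."""
    for r in rules:
        off = r.ext_offset(ext_addr)
        if off is not None:
            return r.name, str(ip(r.map_first) + off)
    return None

def to_external(rules, mapped_addr):
    """Inverse mapping for traffic leaving the internal side (assumed same table order)."""
    for r in rules:
        off = int(ip(mapped_addr)) - int(ip(r.map_first))
        if 0 <= off < r.size:
            return r.name, str(ip(r.ext_first) + off)
    return None

def shadowed(rules):
    """Rules whose whole external range is already claimed by rules above them."""
    return [r.name for i, r in enumerate(rules)
            if all(any(e.ext_offset(str(ip(r.ext_first) + k)) is not None
                       for e in rules[:i]) for k in range(r.size))]

# Constructed sample table (documentation address space), in evaluation order.
RULES = [NatRule("web", "203.0.113.10", "10.0.0.10", "10.0.0.19"),
         NatRule("web-admin", "203.0.113.15", "10.0.9.1", "10.0.9.3"),
         NatRule("api", "203.0.113.30", "10.0.1.1", "10.0.1.4")]
```

Here `web-admin` is reported by `shadowed(RULES)` because `web` already covers 203.0.113.15 through 203.0.113.17; moving it above `web` changes which mapped address a source-address policy will see for those three addresses.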
