1:1 NAT

1:1 NAT (Network Address Translation) is a method used to map one public IP address to one private IP address. It is ideal for users with multiple public IP addresses and several servers behind a firewall, such as multiple web and mail servers. This section will guide you through setting up 1:1 NAT on an EnGenius Cloud Gateway. This setup allows for efficient traffic management and provides each server with its dedicated access route.

1:1 NAT is particularly useful for networks where multiple servers need to be accessible externally without sharing a single IP address. It ensures that each server has a unique public address, which can be critical for applications that require specific IP reputation management, such as email servers.

Example of 1:1 NAT configuration

Illustration of 1:1 NAT configuration

Configuring 1:1 NAT

  1. Access the Gateway Management Interface

    • Sign in to your EnGenius Cloud account and navigate to the 'Configure/Gateway/Firewall' section.

  2. Navigate to the 1:1 NAT Settings

    • Within the Firewall configuration page, select the 1:1 NAT tab.

  3. Configure 1:1 NAT Rules

    • Choose a Public IP Address: Select a public IP address from your available pool that does not belong to the gateway’s WAN interfaces. This IP address should be routed to your gateway by your ISP, potentially from a different subnet.

    • Map to an Internal IP Address: Assign this public IP address to a specific internal IP address of a server behind your firewall.

    • Configure Port Forwarding (Optional): Within each 1:1 NAT rule, you can also specify which ports are to be forwarded to the internal IP. You may enter a range of ports or a comma-separated list of individual ports depending on your needs.

  4. Apply and Save the Configuration

    • After setting up your 1:1 NAT rules, make sure to save and apply the changes. This will activate the mappings and start routing traffic accordingly.

  5. Test the Configuration

    • Verify that the public IP addresses correctly redirect to their respective internal IP addresses. Test access to the services hosted on the servers, such as accessing a web server via its new public IP or sending emails from a mail server.

Additional Considerations

If the ESG primary uplink is not the same as the 1:1 NAT uplink, outbound traffic from the 1:1 NAT LAN device will, by default, egress from the ESG primary uplink. To prevent asymmetric routing (inbound on one uplink, outbound on another), a policy-based route can be set so that traffic from that device egresses from the same uplink configured for the 1:1 NAT.

Example:

  1. ESG primary uplink is WAN 1

  2. 1:1 NAT maps to WAN 2 Uplink

  3. You want all outbound internet traffic sourced from the 1:1 NAT LAN device to use WAN 2

1:1 NAT and WAN Load Balancing

If the ESG is configured to load balance traffic across multiple WAN interfaces, outbound traffic from the 1:1 NAT LAN device will, by default, egress from both WAN interfaces. To prevent asymmetric routing, create a policy-based route as shown in the example above.

Hairpin Routing

Traffic originating from the LAN of the ESG and directed towards the public IP configured in the port forwarding/1:1 NAT section will be directed to the private IP address linked with the specified mapping.

During this process, the ESG receives the packet on the LAN and rewrites the IPv4 header. In the rewritten header the source becomes the ESG's IP/MAC address on the layer 3 interface where the destination client is located, and the destination becomes the private IP/MAC address of the client associated with the 1:1 NAT mapping.

Example Configurations

Basic Security Configuration

A simple yet insecure 1:1 NAT configuration may forward all traffic directly to the internal client. While this setup can be quickly implemented in urgent situations, it is not recommended due to security concerns. When all ports are indiscriminately forwarded to a client, it exposes the internal server to potential attacks. Attackers leveraging port scanning techniques can exploit vulnerabilities in services or gain unauthorized access to the internal network.

Illustration of a basic 1:1 NAT configuration

Advanced Security Configuration

For a more secure setup, multiple rules should be established, leveraging a secondary uplink to provide redundancy for the web server. If one uplink fails, the secondary connection remains operational, so remote access to the internal server continues. Additionally, 1:1 NAT rules must be configured to limit access to specific services, such as RDP (TCP/UDP 3389), by restricting access to designated remote IP addresses.

Illustration of an example advanced 1:1 NAT configuration
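To make the difference between the basic and advanced rule sets concrete, the following added example (not EnGenius code; the rule fields, ordering and the assumption that hairpin traffic passes the same port/source checks are this editor's model) evaluates constructed inbound packets against a rule that forwards every port and against rules that open only 80/443 publicly and 3389 to one designated remote network:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRule:
    """One 1:1 NAT rule: public IP -> private IP, optionally limited to ports/sources."""
    public_ip: str
    private_ip: str
    ports: Optional[set] = None             # None = forward every port (the basic setup)
    allowed_sources: set = field(default_factory=set)  # empty = any remote source

def parse_ports(spec: str) -> set:
    """Expand a port spec such as '80,443,3000-3002' (range or comma list) into a set."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports

def evaluate(rules, src_ip, dst_ip, dst_port):
    """Match an inbound packet against the rules in order; return (verdict, private_ip)."""
    for r in rules:
        if r.public_ip != dst_ip or (r.ports is not None and dst_port not in r.ports):
            continue
        src = ipaddress.ip_address(src_ip)
        if r.allowed_sources and not any(src in ipaddress.ip_network(n) for n in r.allowed_sources):
            return ("DROP", None)           # right port, but not a designated remote address
        return ("FORWARD", r.private_ip)
    return ("DROP", None)                   # no rule exposes this public IP/port

def hairpin(rules, lan_if_ip, src_ip, dst_ip, dst_port):
    """LAN client addressing the public IP: the ESG rewrites the destination to the mapped
    private IP and sources the packet from its own LAN interface (assumed here to apply
    the same rule checks as WAN ingress)."""
    verdict, private_ip = evaluate(rules, src_ip, dst_ip, dst_port)
    return {"src": lan_if_ip, "dst": private_ip} if verdict == "FORWARD" else None

# Constructed rule sets using documentation address ranges.
BASIC = [NatRule("203.0.113.10", "192.168.1.20")]            # every port forwarded
ADVANCED = [                                                  # web open, RDP restricted
    NatRule("203.0.113.10", "192.168.1.20", parse_ports("80,443")),
    NatRule("203.0.113.10", "192.168.1.20", parse_ports("3389"), {"198.51.100.0/24"}),
]
```

With `BASIC`, a scan from any address reaches RDP on the server; with `ADVANCED`, the same probe is dropped unless it comes from the designated network, and unlisted ports such as 22 are never exposed.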

Best Practices for 1:1 NAT

  • Security Measures: Since each server will be exposed to the internet with its public IP, ensure robust security practices are in place, including firewalls, updated software, and intrusion detection systems.

  • IP Address Management: Keep a clear record of which public IPs are mapped to which internal IPs to avoid conflicts and to streamline troubleshooting and network management.

  • Regular Monitoring: Regularly monitor traffic and logs to ensure that the NAT mappings are functioning correctly and to detect any potential security breaches.
