User Guide 167
Traffic Management
Company ABC selects five public IP addresses from the same network address as the external interface of their
Firebox, and creates DNS records for the email servers to resolve to. These addresses are:
50.1.1.1
50.1.1.2
50.1.1.3
50.1.1.4
50.1.1.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.1.1.1 <--> 50.1.1.1
10.1.1.2 <--> 50.1.1.2
10.1.1.3 <--> 50.1.1.3
10.1.1.4 <--> 50.1.1.4
10.1.1.5 <--> 50.1.1.5
When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship
between the pool of private IP addresses and the pool of public addresses.
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network
address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that use
the same private network address. If the network range on the remote network is the same as on the local
network, you can configure both gateways to use 1-to-1 NAT. Then, you can create the VPN tunnel and not
change the IP addresses of one side of the tunnel. 1-to-1 NAT for a VPN tunnel is configured when you
configure the VPN tunnel and not in the Network > NAT dialog box.
Enable 1-to-1 NAT
You can assign a maximum of eight secondary IP addresses. When you configure a secondary IP address on
the external network:
The primary IP address must be a static IP address.
All secondary IP addresses must be on the same external subnet as the primary IP address.
You cannot configure multiple IP addresses for the WAN2 failover interface. The WAN2 interface is
reserved for WAN failover. Your failover IP address must be on a different subnet.
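The static, bi-directional mapping from the Company ABC example and the constraints on secondary external IP addresses just listed, modelled as an added Python example (not WatchGuard code). The primary external address 50.1.1.10/24 and the Internet host 203.0.113.7 are constructed for the illustration.

```python
import ipaddress

MAX_SECONDARY_IPS = 8  # the guide allows at most eight secondary external IP addresses


def check_secondary_ips(primary_if: str, secondaries: list[str]) -> list[str]:
    """Return the constraint violations for a set of secondary external IPs (empty list = OK).

    primary_if is the (static) primary external address in CIDR form, e.g. '50.1.1.10/24'
    (a constructed value, not from the guide)."""
    problems = []
    if len(secondaries) > MAX_SECONDARY_IPS:
        problems.append(f"{len(secondaries)} secondary IPs exceeds the maximum of {MAX_SECONDARY_IPS}")
    ext_net = ipaddress.ip_interface(primary_if).network
    for addr in secondaries:
        # Every secondary address must sit on the same external subnet as the primary.
        if ipaddress.ip_address(addr) not in ext_net:
            problems.append(f"{addr} is not on the external subnet {ext_net}")
    return problems


class OneToOneNat:
    """Static, bi-directional mapping between a private pool and a public pool.

    Pairs are formed by position, exactly like the 10.1.1.x <--> 50.1.1.x table in the guide."""

    def __init__(self, private_pool: list[str], public_pool: list[str]):
        if len(private_pool) != len(public_pool):
            raise ValueError("1-to-1 NAT needs private and public pools of equal size")
        self.private_to_public = dict(zip(private_pool, public_pool))
        self.public_to_private = dict(zip(public_pool, private_pool))

    def outbound(self, src: str, dst: str) -> tuple[str, str]:
        # Traffic leaving the trusted network: the source becomes its public twin.
        return self.private_to_public.get(src, src), dst

    def inbound(self, src: str, dst: str) -> tuple[str, str]:
        # Traffic arriving on the external interface: the destination becomes its private twin.
        return src, self.public_to_private.get(dst, dst)


# Constructed sample data matching the Company ABC example.
PRIVATE_POOL = [f"10.1.1.{i}" for i in range(1, 6)]
PUBLIC_POOL = [f"50.1.1.{i}" for i in range(1, 6)]
nat = OneToOneNat(PRIVATE_POOL, PUBLIC_POOL)

if __name__ == "__main__":
    print(check_secondary_ips("50.1.1.10/24", PUBLIC_POOL))   # []
    print(nat.inbound("203.0.113.7", "50.1.1.3"))               # ('203.0.113.7', '10.1.1.3')
    print(nat.outbound("10.1.1.3", "203.0.113.7"))              # ('50.1.1.3', '203.0.113.7')
```

Addresses that are not part of the NAT rule pass through untranslated, which is how a reader can tell a mapped server from an unmapped one when tracing traffic.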
Three steps are necessary to enable 1-to-1 NAT:
Add at least one secondary external IP address to the Firebox.
A secondary external IP address is a public IP address on the external interface that also has an IP address on the
trusted or optional (private) network. You must have at least one secondary external IP address to enable 1-to-1
NAT.
Configure a custom policy for 1-to-1 NAT.
You can use an existing policy or you can add a custom policy that defines the kinds of network traffic that can be
sent or received by the device that uses the secondary external IP address.
Enable the secondary IP addresses on the Firebox