Zyxel Firewall [NAT] - how to configure NAT 1 to 1 (Network Address Translation) on the Zyxel USG Flex H Series firewall

This guide demonstrates how to use the USG FLEX H series to configure secure access to an internal server behind the USG FLEX H using Network Address Translation (NAT). Internet users can reach this server directly via its public IP address, and a NAT mapping rule

1:1 NAT (Network Address Translation) is a networking technique that directly maps one external public IP address to one internal private IP address. This method ensures compatibility with certain applications and implements precise IP-based access control.

In this article, you will find detailed explanations of how 1:1 NAT works and its benefits. Real-world examples illustrate its practical applications, such as hosting web servers, enabling remote desktop services, setting up VPN connections, and supporting gaming servers. Each example demonstrates how 1:1 NAT can simplify network management and enhance security by allowing direct access to internal resources. Whether you are an IT professional or a network administrator, this article will provide valuable insights into effectively utilizing 1:1 NAT in various scenarios.

Key Features of 1:1 NAT:

  • Direct Mapping: Connects a public IP to a private IP.
  • Specific Use Cases: Ideal for situations where a direct link between an external and internal IP is needed.
  • Source Network Address Translation (SNAT): Changes the source IP of outgoing traffic to the public IP.

When to Use 1:1 NAT with Real-World Examples:

  1. Hosting Servers:

    • Web Server: If your organization has a web server with a private IP of, you can map it to a public IP like External users can access your website using the public IP, while the server remains on the private network.
    • Mail Server: A mail server with a private IP of can be mapped to a public IP of This allows users to send and receive emails using the public IP address.
    • FTP Server: An FTP server with a private IP of can be accessed via a public IP of, enabling external users to upload and download files.
  2. Application Compatibility:

    • VoIP System: Some VoIP systems require static, public IP addresses for reliable communication. For instance, a VoIP server with a private IP of can be mapped to a public IP of to ensure smooth voice communication.
    • Online Gaming Server: An online gaming server with a private IP of can be given a public IP of to allow gamers worldwide to connect using a consistent IP address.
  3. IP-based Access Control:

    • Security Cameras: An organization might use 1:1 NAT to allow remote access to security cameras. A camera system with a private IP of can be mapped to a public IP of, enabling remote monitoring while applying specific access rules.
    • Building Access Systems: For systems controlling building access, such as card readers, a device with a private IP of can be mapped to a public IP of This allows administrators to manage access remotely while maintaining secure access policies.

In summary, 1:1 NAT is useful for directly mapping external public IPs to internal private IPs, ensuring compatibility for certain applications, and implementing IP-based access control. These real-world examples demonstrate how various servers and systems can benefit from 1:1 NAT.

In this example, we will configure access to Mail Server from the WAN using Public IP

Set Up the NAT on the USG FLEX H
Go to Configuration > Network > NAT and create a new rule by clicking the "Add" button.

Then you can fill in all required fields.

  • Enable NAT rule
  • Give a name that captures the essence of the rule
  • Set the port mapping type to "1:1 NAT"
  • Incoming interface to WAN
  • Source IP to Any
  • External IP - use your external IP
  • Internal IP - specify the IP address to which access is required
  • Port Mapping Type - depends on what you need to forward (Any - all traffic will be forwarded; Service - select a service object (a protocol); Service-Group - select a service-group object (a group of protocols); Port - select a port that needs to be forwarded; Ports - select a port range that needs to be forwarded)
  • Enable NAT loopback
  • Apply all changes

NAT loopback lets hosts inside the network reach the internal server using its public IP. Check that NAT loopback is enabled (it allows users connected to any interface to use the NAT rule too) and click OK.

Set Up the Security Policy on the USG FLEX H

In this example, we will configure access to our WebServer from the WAN

Go to Security Policy > Policy Control and create a new rule by clicking the "Add" button.

Then you can fill in all required fields.

  • Enable policy
  • Give a name that captures the essence of the rule
  • From - WAN
  • To - LAN
  • Source - Any
  • Destination - the LAN subnet where your server is (LAN_SUBNET_GE3 in this example), or select the object created in the previous step
  • Service - HTTPS
  • User - Any
  • Action - allow
  • Apply all changes


Troubleshooting 1:1 NAT Configuration

  • Verify NAT Rules: Double-check that the 1:1 NAT rules are correctly configured, ensuring that the internal IP address of your mail server is properly mapped to the correct public IP address.

  • Firewall Rules: Ensure that the firewall rules are set to allow traffic on the necessary ports (e.g., port 443 for HTTPS).

  • Logs and Diagnostics: Regularly monitor the firewall logs and use diagnostic tools to check the flow of traffic. This can help identify and resolve issues quickly.

  • Ensure that all public IP addresses are correctly routed. To verify this, assign each public IP address to the USG FLEX H Series WAN port individually.

  • Test internet access using each public IP address to confirm it is functioning correctly.

  • Contact your ISP to ensure that routing for your public IP addresses is properly configured and active.
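
The firewall-rule check above can be automated from a host outside the firewall. The following Python script is an added example, not part of Zyxel's article: it confirms that the public IP of the 1:1 NAT rule answers on the ports the security policy allows and on nothing else, which matters most when Port Mapping Type is "Any" and the policy is the only filter. The address 203.0.113.10 and the port lists are placeholder assumptions.

```python
"""Check which TCP ports answer on the public IP of a 1:1 NAT mapping."""
import socket
import sys


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def audit_exposure(host, allowed, candidates, timeout=2.0):
    """Compare reachable ports with what the security policy should allow.

    allowed    -- ports that must answer (443 for the HTTPS policy above)
    candidates -- other ports that must NOT answer from the WAN
    """
    allowed = set(allowed)
    candidates = set(candidates) - allowed
    reachable = {p for p in allowed | candidates if probe(host, p, timeout)}
    return {
        # A needed port is blocked: check the NAT rule and the policy.
        "missing": sorted(allowed - reachable),
        # More is exposed than intended: tighten the policy's Service
        # or Destination, or the NAT rule's port mapping.
        "unexpected": sorted(reachable - allowed),
        "ok": reachable == allowed,
    }


if __name__ == "__main__":
    # Placeholder: 203.0.113.10 is a documentation address (RFC 5737).
    public_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    result = audit_exposure(
        public_ip,
        allowed=[443],  # assumption: only HTTPS is published
        candidates=[21, 22, 23, 25, 80, 3389, 8080],  # assumed spot checks
    )
    print(f"{public_ip}: missing={result['missing']} "
          f"unexpected={result['unexpected']}")
    sys.exit(0 if result["ok"] else 1)
```

Run it from outside the WAN; a run from the LAN goes through NAT loopback and internal policies, so it does not show what Internet users can reach.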
