Zyxel Firewall Network Address Translation [NAT] - Configure 1:1 NAT and Many 1:1 NAT on Zyxel Firewall USGFLEX/ATP/VPN

Network Address Translation (NAT) maps private IP addresses to public IP addresses. One specific type is 1:1 NAT, also known as static NAT: a single private IP address is mapped to a single public IP address, so each private address has a unique, consistent public counterpart. The translation only rewrites addresses; whether the translated traffic is allowed through is decided separately by the firewall's security policy.

Understanding 1:1 NAT: Real-Life Applications

Some real-life applications of 1:1 NAT:

  1. Hosting Servers: Web and mail servers on a private network need to be reachable from the Internet. 1:1 NAT gives each server a public IP that is translated to its private address.
  2. Remote Access: Remote Desktop, VPN and similar services are reached through a public IP mapped to the internal server. Restrict the NAT rule's Source IP and the matching security policy to known client addresses wherever possible; a mapped public IP is otherwise reachable by anyone.
  3. DMZ Configuration: Externally facing services in a DMZ use 1:1 NAT for public accessibility while the internal network stays unreachable.
  4. Network Migrations: During a change of IP addressing scheme, 1:1 NAT keeps services reachable under their existing public addresses.
  5. Device Security: Management interfaces of critical devices can be published on a dedicated public IP without exposing the private addressing. The translation itself is not an access control: the security policy decides who may reach the mapped address.

Configure NAT 1:1 

Virtual Server is the most commonly used mapping type; it is used when you want to make an internal server available to a public network outside the Zyxel Device. 1:1 NAT, configured below, maps one public IP to one internal IP. The linked video shows the configuration on the previous firmware version; the interface looks different, but the configuration process has not changed much.

  • Login to the device WebGui
  • Navigate to
Configuration > Network > NAT 
  • Create a new rule by clicking on the "Add" button
  • Specify rule name
  • Select "NAT 1:1" as the rule type (the setting that offers Virtual Server, NAT 1:1 and Many 1:1 NAT; this is not the "Port Mapping Type" field described below)

Mapping rule for 1:1 NAT

  • Incoming interface - the interface the traffic arrives on (the WAN interface)
  • Source IP - the addresses users connect from; set a trusted address object here when the published service should not be reachable from the whole Internet
  • External IP - the IP address of your WAN / outgoing interface of the firewall
  • Internal IP - the IP address of the server you want to forward the traffic to

In this example:

  • Set the incoming interface to "wan"
  • Set Source IP to "any"

It is possible to type the external and internal IP addresses in directly, but we strongly advise using address objects. The security policy created later refers to the same internal server object, so the object is needed anyway. Objects also keep NAT rules readable, let one definition be reused in several rules and policies, and mean that a server's address has to be changed in one place only.

To create the objects for the external and internal IP addresses, select "Create new object" in the upper left corner of the same form.

Create two "Address" objects: one of type "Interface IP" for the address of your external (WAN) interface, and one of type "Host" for the local address of your web server. Give both objects clear names; the host object (called "WebServer" in this example) is referred to again in the security policy below.

Port Mapping Type

  • any - all traffic (every protocol and port) to the external IP is forwarded
  • Service - select a service object (one protocol/port definition)
  • Service-Group - select a service-group object (a group of services)
  • Port - select a single port to forward
  • Ports - select a port range to forward

  • External and Internal IP: select the previously created objects
  • Port Mapping Type: "Port"
  • Protocol Type: "any"
  • External and Internal port: in our example both are the same

Note:

  • The external port is the port the external user connects to on the firewall's WAN address
  • The internal port is the port the traffic is forwarded to on the LAN server
  • The two can be identical (port 80 to 80) or differ (port 80 to 8080, for example); the security policy must then match the internal port

NAT loopback

NAT loopback lets clients inside the network reach the internal server through its public IP. Tick "NAT loopback" if you need this (it allows users connected to any interface, not only the incoming interface, to use the NAT rule) and click OK. Without it, the rule applies only to traffic arriving on the selected incoming interface, and LAN clients must use the server's private address.

Add a Firewall rule to allow the NAT 1:1

Security policies are evaluated against the translated (post-NAT) destination, which is why the rule below uses the internal "WebServer" object and the internal port rather than the WAN address.

  • Navigate to
Configuration > Security Policy > Policy Control
  • Create a new rule by clicking on the "Add" button
  • Specify a rule name
  • In the "From" field, set "WAN"
  • In the "To" field, set "LAN"
  • In the "Destination" field, select the previously created "WebServer" object
  • Select your preferred Service or Service Group. In this case HTTP_8080 is selected; do not add services you have not deliberately published.
  • Set "Action" to allow.
  • Click the OK button.
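As an added example (not part of this article and not Zyxel's code), the following Python model walks a packet through the two steps configured above: the 1:1 NAT rule with port mapping type "Port" (external 80 to internal 8080, NAT loopback enabled) and the Policy Control rule that allows HTTP_8080 to the "WebServer" object. All addresses, rule names and the LAN default-allow policy are constructed for the illustration. It shows that the NAT rule only rewrites the destination, that the security policy is matched on the translated destination, and that a rule with port mapping type "any" forwards every port while the policy still blocks the ones not allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses and object names for this example (not from the article).
WAN_IP = "203.0.113.10"       # address object of type "Interface IP" (WAN)
WEB_SERVER = "192.168.1.20"   # address object "WebServer" of type "Host"
INTERNAL_ZONE = "LAN"         # zone of the interface the server sits behind


@dataclass
class NatRule:
    name: str
    incoming_interface: str       # e.g. "wan"
    source: str                   # "any" or a trusted host/CIDR
    external_ip: str
    internal_ip: str
    protocol: str                 # "any", "tcp" or "udp"
    external_port: Optional[int]  # None models port mapping type "any"
    internal_port: Optional[int]
    nat_loopback: bool = False


@dataclass
class PolicyRule:
    name: str
    from_zone: str                # "WAN", "LAN" or "any"
    to_zone: str
    destination: str              # "any" or an address object's IP
    protocol: str                 # "any", "tcp" or "udp"
    port: Optional[int]           # None = any port
    action: str                   # "allow" or "deny"


@dataclass
class Packet:
    ingress: str                  # interface the packet arrived on
    zone: str                     # zone of that interface
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def apply_nat(rule: NatRule, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Translated (ip, port) if the NAT rule matches the packet, else None."""
    if pkt.dst_ip != rule.external_ip:
        return None
    # Without NAT loopback the rule applies only on its incoming interface.
    if pkt.ingress != rule.incoming_interface and not rule.nat_loopback:
        return None
    if rule.source != "any" and ip_address(pkt.src_ip) not in ip_network(rule.source, strict=False):
        return None
    if rule.protocol not in ("any", pkt.protocol):
        return None
    if rule.external_port is None:           # port mapping type "any": keep the port
        return rule.internal_ip, pkt.dst_port
    if pkt.dst_port != rule.external_port:   # port mapping type "Port": one port only
        return None
    return rule.internal_ip, rule.internal_port


def policy_action(policies: List[PolicyRule], pkt: Packet, dst_ip: str, dst_port: int) -> str:
    """First matching Policy Control rule wins; no match falls through to deny."""
    for p in policies:
        if p.from_zone not in ("any", pkt.zone) or p.to_zone not in ("any", INTERNAL_ZONE):
            continue
        if p.destination not in ("any", dst_ip) or p.protocol not in ("any", pkt.protocol):
            continue
        if p.port is not None and p.port != dst_port:
            continue
        return p.action
    return "deny"


def forward(pkt: Packet, nat_rules: List[NatRule], policies: List[PolicyRule]):
    """NAT first, then the security policy on the translated destination.
    Returns (verdict, translated destination); verdict is "allow", "deny" or "no-nat"."""
    for rule in nat_rules:
        translated = apply_nat(rule, pkt)
        if translated is not None:
            return policy_action(policies, pkt, *translated), translated
    return "no-nat", None


# The article's rule: WAN port 80 -> WebServer port 8080, NAT loopback on.
WEB_1TO1 = NatRule("WebServer_1to1", "wan", "any", WAN_IP, WEB_SERVER, "any", 80, 8080, nat_loopback=True)
# A variant with port mapping type "any" (every port forwarded), for comparison.
WEB_ALL_PORTS = NatRule("WebServer_allports", "wan", "any", WAN_IP, WEB_SERVER, "any", None, None)
POLICIES = [
    PolicyRule("WAN_to_WebServer", "WAN", "LAN", WEB_SERVER, "tcp", 8080, "allow"),  # the HTTP_8080 rule
    PolicyRule("LAN_Outgoing", "LAN", "any", "any", "any", None, "allow"),          # constructed LAN default
]

if __name__ == "__main__":
    internet = Packet("wan", "WAN", "198.51.100.7", WAN_IP, "tcp", 80)
    print("HTTP from Internet:      ", forward(internet, [WEB_1TO1], POLICIES))
    ssh = Packet("wan", "WAN", "198.51.100.7", WAN_IP, "tcp", 22)
    print("SSH, port-mapped rule:   ", forward(ssh, [WEB_1TO1], POLICIES))
    print("SSH, all-ports rule:     ", forward(ssh, [WEB_ALL_PORTS], POLICIES))
    lan = Packet("lan1", "LAN", "192.168.1.50", WAN_IP, "tcp", 80)
    print("LAN client, NAT loopback:", forward(lan, [WEB_1TO1], POLICIES))
```

The "SSH, all-ports rule" case is the one to keep in mind: with port mapping type "any" the NAT rule happily forwards port 22 to the server, and only the Policy Control rule (which allows tcp/8080 alone) stops it. The LAN case shows why NAT loopback also needs a policy from LAN to LAN, which the constructed LAN_Outgoing rule supplies.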

Configure Many 1:1 NAT

The Many 1:1 NAT feature forwards all traffic from a range of external IP addresses (public IPs) to a range of internal IP addresses (private IPs), address by address: the first public IP maps to the first private IP, the second to the second, and so on. This function forwards all ports; port selection is not available in the Many 1:1 NAT configuration, so the security policy is the only place where the reachable services are limited.

Note! The private and public ranges must contain the same number of IP addresses.

Create the Many 1:1 NAT rule

  • Login to the device WebGui
  • Navigate to
Configuration > Network > NAT 
  • Create a new rule by clicking on the "Add" button
  • Specify rule name
  • Select "Many 1:1 NAT" as the rule type (the same selector that offers Virtual Server and NAT 1:1)

Mapping Rule for Many 1:1 NAT

  • Incoming interface - the interface the traffic arrives on (usually wan1, or wan1_PPPoE)
  • Source IP - the addresses users connect from (e.g. trusted IPs)
  • External IP Subnet/Range - the range of public IP addresses on your WAN / outgoing interface (only range and subnet objects are allowed, not host objects)
  • Internal IP Subnet/Range - the range of internal server addresses the public addresses are forwarded to, in the same order
  • Port Mapping Type - only "any" is available: all traffic to each public IP is forwarded
  • NAT Loopback - lets users behind the firewall connect to the public IPs

Create Policy Control Rule

As the final step, create a Policy Control rule that allows traffic through to the servers. Because the NAT rule forwards every port, this policy is what limits the exposed services; allow only the ones you intend to publish.

Follow these steps:

  • Go to Configuration > Security Policy > Policy Control
  • Press the "Add" button to insert a new rule.
  • Provide a name for the Policy Control rule.
  • Set From "WAN" to "LAN".
  • Insert your server's IP address object (or an address object covering the internal range) as the "Destination".
  • Select your preferred "Service" or "Service Group". In this case, select "HTTP_8080".
  • Set "Action" to "allow".
  • Click the "OK" button to save the rule.
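As an added example (not the article's or Zyxel's code), this Python snippet checks the two constraints stated above before a Many 1:1 NAT rule is saved: both sides must be subnet or range objects rather than single hosts, and both must contain the same number of addresses. It then builds the address-by-address mapping and translates sample destinations; because Many 1:1 NAT forwards all ports, the translation ignores the port entirely. The ranges are constructed for the illustration.

```python
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def expand(spec: str) -> List[IPv4Address]:
    """Expand a subnet ("203.0.113.16/29") or a range ("203.0.113.16-203.0.113.19")
    into an ordered list of addresses. Single hosts are rejected, as in the GUI."""
    if "-" in spec:
        first, last = (ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range {spec!r} ends before it starts")
        return [ip_address(n) for n in range(int(first), int(last) + 1)]
    if "/" not in spec:
        raise ValueError(f"{spec!r} is a single host; Many 1:1 NAT needs a subnet or range")
    return list(ip_network(spec, strict=False))


class ManyOneToOneNat:
    """Model of one Many 1:1 NAT rule: public range -> private range, all ports."""

    def __init__(self, name: str, external: str, internal: str) -> None:
        ext, inte = expand(external), expand(internal)
        if len(ext) != len(inte):
            raise ValueError(
                f"{name}: external range has {len(ext)} addresses but internal has {len(inte)}; "
                "both ranges must contain the same number of IP addresses")
        self.name = name
        # Position i of the external range maps to position i of the internal range.
        self._map: Dict[IPv4Address, IPv4Address] = dict(zip(ext, inte))

    def translate(self, dst_ip: str) -> Optional[str]:
        """Internal address for a packet sent to dst_ip (on any port), or None if unmapped."""
        hit = self._map.get(ip_address(dst_ip))
        return None if hit is None else str(hit)

    def table(self) -> List[Tuple[str, str]]:
        """The full public -> private mapping, useful to review before saving the rule."""
        return [(str(e), str(i)) for e, i in self._map.items()]


if __name__ == "__main__":
    # Constructed ranges: eight public addresses onto eight DMZ hosts.
    rule = ManyOneToOneNat("DMZ_many1to1", "203.0.113.16/29", "10.0.0.0/29")
    for public, private in rule.table():
        print(f"{public:>15} -> {private}")
    print(rule.translate("203.0.113.18"))   # 10.0.0.2, regardless of destination port
    print(rule.translate("203.0.113.30"))   # None: outside the external range
    try:
        ManyOneToOneNat("Broken", "203.0.113.16/29", "10.0.0.0/28")
    except ValueError as err:
        print("rejected:", err)
```

Running the mismatch case last shows the error the GUI's "same number of IP addresses" note is guarding against: a /29 (8 addresses) against a /28 (16 addresses) leaves half of the internal hosts with no public address, so the rule is refused before any mapping is built.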
