One-to-One NAT Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Forwarding rules

One-to-one NAT rules configuration in Meraki appliances provides direct mapping between public and private IP addresses, enabling complete bidirectional communication for specific hosts or services. This functionality creates a transparent network address translation where a dedicated public IP address is permanently associated with an internal IP address, allowing external clients to access internal resources as if they were directly connected to the internet. One-to-one NAT is essential for hosting services that require consistent external IP addresses, supporting legacy applications that embed IP addresses, and providing simplified external access to internal systems while maintaining granular access control through port and protocol restrictions.

firewall (meraki.domains.organizations.networks.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| one_to_one_nat_rules | List[one_to_one_nat_rules] | | No | |

one_to_one_nat_rules (meraki.domains.organizations.networks.appliance.firewall)

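| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 127 | No | |
| public_ip | IP | | No | |
| lan_ip | IP | | Yes | |
| uplink | String | Regex: ^internet\d+$ | No | |
| allowed_inbound | List[allowed_inbound] | | No | |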

allowed_inbound (meraki.domains.organizations.networks.appliance.firewall.one_to_one_nat_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| protocol | Choice | any, icmp-ping, tcp, udp | No | |
| destination_ports | List | Any[Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| allowed_ips | List | Any[IP or String[matches: [Aa]ny]] | No | |

Example-1: The example below demonstrates one-to-one NAT rules configuration using tested YAML configuration from pipeline fixtures.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  one_to_one_nat_rules:
                    - name: "NAT 1"
                      public_ip: "203.0.113.2"
                      lan_ip: "192.168.128.200"
                      uplink: internet1
                      allowed_inbound:
                        - protocol: tcp
                          destination_ports:
                            - 443
                          allowed_ips:
                            - "10.82.112.0/24"
                            - "10.82.0.0/16"
                    - name: "NAT 2"
                      public_ip: "203.0.113.3"
                      lan_ip: "192.168.128.201"
                      uplink: internet1
                      allowed_inbound:
                        - protocol: tcp
                          destination_ports:
                            - "3306"
                            - "5432"
                          allowed_ips:
                            - "!env trusted_db_clients"
```
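
The following is an added example, not part of the original page or the project's own tooling: a Python pre-deployment check that applies the constraints from the tables above to already-parsed rules and flags inbound entries open to any source. The function names, severity labels, sample rules, and the treatment of numeric port strings are assumptions.

```python
import ipaddress
import re

UPLINK_RE = re.compile(r"^internet\d+$")        # uplink constraint from the table
PROTOCOLS = {"any", "icmp-ping", "tcp", "udp"}  # protocol choices from the table

def _is_ip(value, cidr=False):
    try:
        ipaddress.ip_network(value, strict=False) if cidr else ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_nat_rules(rules):
    """Return (rule_label, severity, message) findings for parsed NAT rules."""
    findings = []
    for i, rule in enumerate(rules):
        label = rule.get("name", f"rule[{i}]")
        def add(sev, msg, label=label):
            findings.append((label, sev, msg))
        if "name" in rule and not 1 <= len(rule["name"]) <= 127:
            add("error", "name must be 1-127 characters")
        if not _is_ip(str(rule.get("lan_ip", ""))):
            add("error", "lan_ip is mandatory and must be an IP")
        if "public_ip" in rule and not _is_ip(str(rule["public_ip"])):
            add("error", "public_ip must be an IP")
        if "uplink" in rule and not UPLINK_RE.match(str(rule["uplink"])):
            add("error", "uplink must match ^internet\\d+$")
        for inbound in rule.get("allowed_inbound", []):
            proto = inbound.get("protocol")
            if proto is not None and proto not in PROTOCOLS:
                add("error", f"unknown protocol {proto!r}")
            for port in inbound.get("destination_ports", []):
                # Assumption: numeric strings such as "3306" are single ports.
                if str(port).isdigit() and not 0 <= int(port) <= 65535:
                    add("error", f"port {port} outside 0-65535")
            sources = [str(s) for s in inbound.get("allowed_ips", [])]
            for src in sources:
                if src not in ("any", "Any") and not _is_ip(src, cidr=True):
                    add("error", f"allowed_ips entry {src!r} is not an IP or 'any'")
            if any(s in ("any", "Any") for s in sources):
                add("review", f"{proto or 'unspecified'} inbound open to any source")
    return findings

# Constructed sample: rule 1 mirrors the page's "NAT 1"; rule 2 is deliberately wrong.
SAMPLE = [
    {"name": "NAT 1", "public_ip": "203.0.113.2", "lan_ip": "192.168.128.200",
     "uplink": "internet1", "allowed_inbound": [{"protocol": "tcp",
      "destination_ports": [443], "allowed_ips": ["10.82.112.0/24", "10.82.0.0/16"]}]},
    {"name": "bad", "public_ip": "203.0.113.9", "uplink": "wan1", "allowed_inbound": [
     {"protocol": "tcp", "destination_ports": [70000], "allowed_ips": ["Any"]}]},
]
```

Unresolved `!env` placeholders are not IP values, so run the check after environment substitution.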