
One-to-One NAT Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Forwarding rules

One-to-one NAT maps a dedicated public IP address on a WAN uplink to a single internal (LAN) IP address. Inbound connections to the public address are translated to the LAN host, and outbound connections from that host are sourced from the public address, so the host behaves as if it held the public IP directly. Unlike port forwarding, the mapping covers the whole address rather than individual ports, and the rule's allowed_inbound list (protocol, destination ports and source addresses) is the only place the rule narrows what may reach the host, so it should be kept as tight as the service allows. One-to-one NAT is used for services that need a stable, dedicated external address: hosts that other parties allowlist by IP, legacy applications that embed addresses in the protocol, and servers that must expose several ports without a separate forwarding rule per port.

Diagram

firewall (meraki.domains.organizations.networks.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| one_to_one_nat_rules | List[one_to_one_nat_rules] | | No | |

one_to_one_nat_rules (meraki.domains.organizations.networks.appliance.firewall)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | min: 1, max: 127 | No | |
| public_ip | IP | | No | |
| lan_ip | IP | | Yes | |
| uplink | String | Regex: ^internet\d+$ | No | |
| allowed_inbound | List[allowed_inbound] | | No | |

allowed_inbound (meraki.domains.organizations.networks.appliance.firewall.one_to_one_nat_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| protocol | Choice | any, icmp-ping, tcp, udp | No | |
| destination_ports | List | Any[Integer[min: 0, max: 65535] or String[matches: (?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| allowed_ips | List | Any[IP or String[matches: [Aa]ny]] | No | |

Example 1: The example below demonstrates one-to-one NAT rules configuration.

The configuration defines three mappings on the internet1 uplink. Each pairs one public address with one LAN host and uses allowed_inbound to limit the traffic that may reach that host.

The first rule “NAT 1” maps “public_ip: 203.0.113.2” to “lan_ip: 192.168.128.200” through “uplink: internet1”, so external clients reach the internal web server as if it held the public address. Its “allowed_inbound” entry restricts access to “protocol: tcp” on “destination_ports: 443” (HTTPS) from the source networks “10.82.112.0/24” and “10.82.0.0/16”.

The second rule “NAT 2” maps “public_ip: 203.0.113.3” to “lan_ip: 192.168.128.201” and allows inbound TCP to “destination_ports: 1433” (Microsoft SQL Server) from the same two source networks. The third rule “NAT 3” maps a further public address, “203.0.113.4”, to the same LAN host, 192.168.128.201, and allows only TCP 22 (SSH) from those networks, so administrative access arrives on a different public address than the database service.

Outbound traffic from each mapped LAN host is sourced from its public address, which keeps return traffic and sessions consistent and is what makes one-to-one NAT suitable for services whose peers allowlist a fixed IP, for legacy applications that embed IP addresses in the protocol, and for hosts that would otherwise need many individual port-forwarding rules. Two details of this example deserve a check before it is deployed: 10.82.112.0/24 lies inside 10.82.0.0/16, so listing both adds nothing; and both are RFC 1918 ranges, which only make sense as sources if internet1 faces a private transit network rather than the public internet. Because 192.168.128.201 is mapped by two rules, also verify in the dashboard which public address that host's outbound connections are sourced from.

```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  one_to_one_nat_rules:
                    # Web server: HTTPS only, from two source networks
                    - name: "NAT 1"
                      public_ip: "203.0.113.2"
                      lan_ip: "192.168.128.200"
                      uplink: internet1
                      allowed_inbound:
                        - protocol: tcp
                          destination_ports:
                            - 443
                          allowed_ips:
                            - "10.82.112.0/24"
                            - "10.82.0.0/16"
                    # Database server: Microsoft SQL Server (TCP 1433)
                    - name: "NAT 2"
                      public_ip: "203.0.113.3"
                      lan_ip: "192.168.128.201"
                      uplink: internet1
                      allowed_inbound:
                        - protocol: tcp
                          destination_ports:
                            - 1433
                          allowed_ips:
                            - "10.82.112.0/24"
                            - "10.82.0.0/16"
                    # Same database host on a second public address, SSH only
                    - name: "NAT 3"
                      public_ip: "203.0.113.4"
                      lan_ip: "192.168.128.201"
                      uplink: internet1
                      allowed_inbound:
                        - protocol: tcp
                          destination_ports:
                            - 22
                          allowed_ips:
                            - "10.82.112.0/24"
                            - "10.82.0.0/16"
```
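To check a rule list against the constraints in the schema tables above and to surface the review points raised for the example (a LAN host mapped by two rules, redundant or private-only allowed_ips, fully open entries), here is an added linter in Python. It is example code written for this page, not part of the Meraki NaC project or its schema. The rules are built as Python dicts that mirror the YAML above, so no YAML parser is needed, and the `lo-hi` port-range string form is an assumption, since the page's range regex is truncated.

```python
"""Linter for one_to_one_nat_rules entries (added example, not project code)."""
import ipaddress
import re

# Constraints taken from the schema tables on this page.
UPLINK_RE = re.compile(r"^internet\d+$")
PROTOCOLS = {"any", "icmp-ping", "tcp", "udp"}
# Assumption: the page's port-range regex is truncated, so "lo-hi" with both
# ends in 0..65535 is used here as the String form of destination_ports.
PORT_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def _rule(name, public_ip, lan_ip, port):
    """Build one rule dict shaped like the YAML entries above (constructed input)."""
    return {"name": name, "public_ip": public_ip, "lan_ip": lan_ip, "uplink": "internet1",
            "allowed_inbound": [{"protocol": "tcp", "destination_ports": [port],
                                 "allowed_ips": ["10.82.112.0/24", "10.82.0.0/16"]}]}


# Constructed input mirroring the three rules in the example.
EXAMPLE_RULES = [_rule("NAT 1", "203.0.113.2", "192.168.128.200", 443),
                 _rule("NAT 2", "203.0.113.3", "192.168.128.201", 1433),
                 _rule("NAT 3", "203.0.113.4", "192.168.128.201", 22)]


def _valid_port(p):
    """Integer 0..65535 or a 'lo-hi' range string with lo <= hi."""
    if isinstance(p, bool):  # bool is an int subclass; reject it explicitly
        return False
    if isinstance(p, int):
        return 0 <= p <= 65535
    m = PORT_RANGE_RE.match(str(p))
    return bool(m) and 0 <= int(m.group(1)) <= int(m.group(2)) <= 65535


def _valid_allowed_ip(v):
    """'any' (case-insensitive) or an IP address / CIDR prefix."""
    if str(v).lower() == "any":
        return True
    try:
        ipaddress.ip_network(str(v), strict=False)
        return True
    except ValueError:
        return False


def validate_rule(rule):
    """Schema violations for one rule, as a list of messages (empty when valid)."""
    errors = []
    name = rule.get("name")
    if name is not None and not 1 <= len(str(name)) <= 127:
        errors.append("name must be 1-127 characters")
    if "lan_ip" not in rule:
        errors.append("lan_ip is mandatory")
    for key in ("lan_ip", "public_ip"):
        if key in rule:
            try:
                ipaddress.ip_address(str(rule[key]))
            except ValueError:
                errors.append(f"{key} is not a valid IP address")
    uplink = rule.get("uplink")
    if uplink is not None and not UPLINK_RE.match(str(uplink)):
        errors.append("uplink must match ^internet\\d+$")
    for i, inbound in enumerate(rule.get("allowed_inbound", [])):
        proto = inbound.get("protocol")
        if proto is not None and proto not in PROTOCOLS:
            errors.append(f"allowed_inbound[{i}].protocol {proto!r} is not one of {sorted(PROTOCOLS)}")
        for p in inbound.get("destination_ports", []):
            if not _valid_port(p):
                errors.append(f"allowed_inbound[{i}].destination_ports has invalid entry {p!r}")
        for ip in inbound.get("allowed_ips", []):
            if not _valid_allowed_ip(ip):
                errors.append(f"allowed_inbound[{i}].allowed_ips has invalid entry {ip!r}")
    return errors


def review_rules(rules):
    """Cross-rule review findings the schema cannot express; run after validate_rule."""
    findings, seen_public, seen_lan = [], {}, {}
    for rule in rules:
        name, pub, lan = rule.get("name", "<unnamed>"), rule.get("public_ip"), rule.get("lan_ip")
        if pub is not None:
            if pub in seen_public:
                findings.append(f"{name}: public_ip {pub} is already mapped by {seen_public[pub]}")
            seen_public.setdefault(pub, name)
        if lan in seen_lan:
            findings.append(f"{name}: lan_ip {lan} is also mapped by {seen_lan[lan]}; "
                            "check which public_ip its outbound traffic is sourced from")
        seen_lan.setdefault(lan, name)
        for inbound in rule.get("allowed_inbound", []):
            ips = [str(v) for v in inbound.get("allowed_ips", [])]
            if inbound.get("protocol") == "any" and any(v.lower() == "any" for v in ips):
                findings.append(f"{name}: protocol any from any source exposes the whole host")
            nets = [ipaddress.ip_network(v, strict=False)
                    for v in ips if v.lower() != "any" and _valid_allowed_ip(v)]
            for a in nets:  # an entry fully inside another entry adds nothing
                for b in nets:
                    if a != b and a.version == b.version and a.subnet_of(b):
                        findings.append(f"{name}: allowed_ips {a} is redundant, already covered by {b}")
            if nets and all(n.is_private for n in nets):
                findings.append(f"{name}: allowed_ips are all private ranges; on a public-internet "
                                "uplink no external client can match this entry")
    return findings


if __name__ == "__main__":
    for r in EXAMPLE_RULES:
        print(r["name"], "schema errors:", validate_rule(r))
    print("\n".join(review_rules(EXAMPLE_RULES)))
```

Run against the three example rules, the schema check passes cleanly, while the review pass reports the /24 nested inside the /16 in every rule, the private-only source ranges, and the second mapping of 192.168.128.201 by “NAT 3”.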