Using Multi-NAT


NAT (Network Address Translation-NAT RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such case, all incoming connections to your network will be filtered out by the ZyWALL, thus preventing intruders from probing your network.

The SUA feature that the ZyWALL supports previously operates by mapping the private IP addresses to a global IP address. It is only one subset of the NAT. The ZyWALL supports the most of the features of the NAT based on RFC 1631, and we call this feature as 'Multi-NAT'. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).

If we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term 'inside' refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers) and then forwards each packet to the Internet ISP, thus making them appear as if they had come from the NAT system itself (e.g., the ZyWALL router). The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored.

nat.gif (9853 bytes)

NAT supports five types of IP/port mapping. They are:

  1. One to One

In One-to-One mode, the ZyWALL maps one ILA to one IGA.

  1. Many to One

In Many-to-One mode, the ZyWALL maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).

  1. Many to Many Overload

In Many-to-Many Overload mode, the ZyWALL maps the multiple ILA to shared IGA.

  1. Many One to One

In Many One to One, the ZyWALL maps each ILA to unique IGA.

  1. Server

In Server mode, the ZyWALL maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note, if you want to map each server to one unique IGA please use the One-to-One mode.

The following table summarizes these types. 

NAT Type IP Mapping
One-to-One ILA1<--->IGA1
Many-to-One (SUA/PAT) ILA1<--->IGA1 
Many-to-Many Overload ILA1<--->IGA1 
Many One-to-One ILA1<--->IGA1 
Server Server 1 IP<--->IGA1
Server 2 IP<--->IGA1

SUA (Single User Account), if you get only one public IP address from your ISP, then you should use SUA. With SUA, PCs on ZyWALL's LAN side can access Internet without further configuration. If you have internal servers to be accessed by remote users on Internet, you need to go to ADVANCED -> SUA/NAT -> SUA Server to setup which service, or port numbers, you would like to forward to which Internal server.

Multi-NAT, if you get multiple public IP addresses from your ISP, then you may use Multi-NAT. With Multi-NAT, you can choose different types of NAT mapping methods to utilize the public IP addresses. You should define each NAT mapping rules clearly in ADVANCED -> SUA/NAT -> Address Mapping, so that internal PCs can access Internet and internal servers can be accessed by remote uses on Internet.

Step 1. Applying NAT in WAN Interface

You can choose the NAT mapping types to either SUA Only or Full Feature in WAN setup.

Key Settings 

Field Options Description
Network Address Translation Full Feature Set to 'Full Feature' if there are multiple IP addresses given by ISP and can assigned to your clients. 
Routing Set to 'Routring' if you clients use Internet IP addresses and thus do not need NAT function. 
SUA Only Set this field to 'SUA Only' if you want all clients share one IP to Internet. 

Step 2. Configuring NAT Address Mapping

To configure NAT, go to ADVANCED -> SUA/NAT -> Address Mapping

Step 3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types)

nat3.gif (14193 bytes)

In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs by the following way using 4 NAT rules.

Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 ( to IGA1 (  

Rule 2 Setup: Selecting One-to-One type to map the FTP Server 2 with ILA2 ( to IGA2 (  

Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3.  

Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 ( to IGA3.  

When we have configured all four rules in the rule summary page.

Now we configure all other incoming traffic to go to our web server and mail server in "SUA Server" page,

Please note that if you turn on ZyWALL's firewall function, then you should add a firewall rule from WAN to LAN to forward the  incoming connections. If you would like to only allow traffic going to the internal server, you should specify server's private IP address in the field of the destination IP address.


Support Non NAT Friendly Applications

Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address. In this case it is better to use Many One-to-One or One-to-One NAT mapping types, thus each user login to the server is using a unique global IP address. The following figure illustrates this.

nat4.gif (13949 bytes)

One rule configured for using Many One-to-One mapping type is shown below. 

The three rules configured for using One-to-One mapping type is shown below.  

All contents copyright (c) 2003 ZyXEL Communications Corporation.