
1:1 NAT

Warning: Expert Function

Swisscom recommends that this function only be configured by experienced IT specialists. Misconfigurations can lead to significant security risks, which can negatively impact both the customer installation and Swisscom's reputation.

Details can be found in the FAQ.


1:1 NAT (Network Address Translation), also known as Static NAT, permanently maps an internal, private IP address to an external, public IP address. In contrast to conventional Port Forwarding (PAT), all ports and protocols are passed through transparently.

With 1:1 NAT, the mapping between the private and public address remains permanent. This is bidirectional:

  • Inbound: Traffic to the public IP is forwarded to the internal IP.
  • Outbound: Traffic from the internal host appears on the internet under the specific public IP.

Configure 1:1 NAT

  • In the router portal, go to Network → Public Addresses.
  • Activate the 1:1 NAT option.
  • Check the firewall settings. Depending on the selected mode, corresponding rules must be added.

Restrictions

  • Not available with BNS/EC-S contract
  • Not available for contracts without Fixed IP

FAQ 1:1 NAT

What is the difference between 1:1 NAT and Port Forwarding?
  • 1:1 NAT: All ports and protocols are mirrored from a public IP to an internal IP.
  • Port Forwarding: Only specific ports (e.g., Port 80 or 443) are forwarded.
In short: 1:1 NAT is a full address mapping, while Port Forwarding is a partial one.
What are the risks of 1:1 NAT?
  • Every server in the LAN that is mapped this way is directly reachable via its public IP → larger attack surface.
  • Firewall rules must be carefully configured.
  • Incorrect configuration can expose internal systems unprotected.
Does 1:1 NAT also work with IPv6?

Generally not necessary. In IPv6, there are enough public addresses, so the NAT function is usually omitted. IPv6 relies more on direct routing and security via firewalls instead of NAT.

Can 1:1 NAT cause problems with VPN connections?

Yes, especially with IPsec VPNs, as these include IP addresses directly in the tunnel authentication. In such cases, "NAT-Traversal (NAT-T)" can help.

Can I configure multiple 1:1 NAT rules?

Yes, provided you have multiple public IPs. Each rule forms a unique pairing (one public ↔ one private IP).
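
The difference between 1:1 NAT and Port Forwarding, and the effect of the firewall on it, as an added example (a simplified model, not code from the router or from Swisscom). The addresses are constructed documentation ranges, and the `default_allow` flag standing in for a permissive or default-deny firewall mode is an assumption.

```python
from typing import NamedTuple, Optional

class OneToOne(NamedTuple):      # static NAT: whole address, all ports and protocols
    public: str
    private: str

class PortForward(NamedTuple):   # PAT: a single protocol/port on the public address
    public: str
    proto: str
    port: int
    private: str

class Allow(NamedTuple):         # inbound firewall allow rule, matched after translation
    private: str
    proto: str
    port: int

def translate_inbound(rules, dst, proto, port) -> Optional[str]:
    """Internal address an unsolicited inbound packet is forwarded to, if any."""
    for r in rules:
        if isinstance(r, OneToOne) and r.public == dst:
            return r.private                      # port and protocol are not inspected
        if isinstance(r, PortForward) and (r.public, r.proto, r.port) == (dst, proto, port):
            return r.private
    return None

def translate_outbound(rules, src, shared_wan_ip) -> str:
    """Source address an internal host presents on the internet."""
    for r in rules:
        if isinstance(r, OneToOne) and r.private == src:
            return r.public                       # the mapping is bidirectional
    return shared_wan_ip                          # other hosts share the router's address

def exposed(rules, allows, public_ip, probes, default_allow):
    """(proto, port) pairs on public_ip that reach an internal host."""
    hits = []
    for proto, port in probes:
        target = translate_inbound(rules, public_ip, proto, port)
        if target is not None and (default_allow or Allow(target, proto, port) in allows):
            hits.append((proto, port))
    return hits

# Constructed sample data (documentation address ranges, hypothetical server)
PUBLIC, SERVER, WAN = "203.0.113.10", "192.168.1.20", "203.0.113.1"
PROBES = [("tcp", 22), ("tcp", 443), ("tcp", 3389), ("udp", 161)]
NAT = [OneToOne(PUBLIC, SERVER)]
PAT = [PortForward(PUBLIC, "tcp", 443, SERVER)]
HTTPS_ONLY = [Allow(SERVER, "tcp", 443)]

if __name__ == "__main__":
    print("1:1 NAT, permissive firewall:  ", exposed(NAT, [], PUBLIC, PROBES, True))
    print("1:1 NAT, default-deny + allow: ", exposed(NAT, HTTPS_ONLY, PUBLIC, PROBES, False))
    print("port forward tcp/443 only:     ", exposed(PAT, [], PUBLIC, PROBES, True))
```

With a permissive firewall the 1:1 mapping exposes every probed service, while the same mapping behind a default-deny firewall with one allow rule exposes no more than the port forward does.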