
How does Cisco Meraki MX "1:Many NAT" work?

Writer: Ajit

Updated: Jan 13, 2022

Traffic from the outside that matches a 1:Many NAT rule is forwarded to the internal host just like a port forward. Return traffic for that flow is mapped back to the "Public IP" of the 1:Many NAT rule. That said, flows originating from the LAN side of the MX will never be mapped to the "Public IP" of a 1:Many NAT rule, regardless of the rule's criteria. LAN-initiated flows will always be mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.

Consider the following:

Host A <--WAN--> MX100 <--LAN--> Host B

MX WAN 1.1.1.1

MX 1:Many Public 1.1.1.2

If the MX has a 1:Many NAT rule that forwards TCP port 22 received on 1.1.1.2 to Host B on port 22, an SSH session from outside to 1.1.1.2 would flow through to Host B as expected and return traffic for said session would be mapped to 1.1.1.2 on the outbound.

That said, if Host B initiated an SSH session to Host A, that flow would be NATed like any other LAN-initiated flow and would appear to come from 1.1.1.1 from the perspective of Host A.
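The behaviour described above can be modelled as a small flow table. This is an added example, not Meraki code or anything from the original post: the MXModel class, its method names, the Host A and Host B addresses and the port numbers are assumptions made for illustration, and source-port translation is left out.

```python
from dataclasses import dataclass, field

WAN_IP = "1.1.1.1"       # MX WAN address (from the post)
MANY_IP = "1.1.1.2"      # 1:Many "Public IP" (from the post)
HOST_A = "203.0.113.5"   # assumed address for Host A (not in the post)
HOST_B = "192.168.1.10"  # assumed LAN address for Host B (not in the post)

@dataclass
class MXModel:
    # (public_ip, proto, public_port) -> (lan_ip, lan_port)
    one_to_many: dict
    # lan_ip -> public_ip
    one_to_one: dict = field(default_factory=dict)
    # state for flows admitted by a 1:Many rule
    flows: dict = field(default_factory=dict)

    def inbound(self, proto, src, sport, dst, dport):
        """WAN-side packet: return the LAN (ip, port) it is forwarded to, or None."""
        target = self.one_to_many.get((dst, proto, dport))
        if target is None:
            return None  # no rule matches; the model treats it as not forwarded
        # Remember which public IP this flow arrived on, keyed the way the
        # reply packet will look when it leaves the LAN.
        self.flows[(proto, *target, src, sport)] = dst
        return target

    def outbound_source(self, proto, src, sport, dst, dport):
        """LAN-side packet: return the source IP the remote host will see."""
        public_ip = self.flows.get((proto, src, sport, dst, dport))
        if public_ip:
            return public_ip             # return traffic of a forwarded flow
        if src in self.one_to_one:
            return self.one_to_one[src]  # host has a 1:1 NAT mapping
        return WAN_IP                    # every other LAN-initiated flow

if __name__ == "__main__":
    mx = MXModel({(MANY_IP, "tcp", 22): (HOST_B, 22)})
    mx.inbound("tcp", HOST_A, 51000, MANY_IP, 22)        # Host A -> 1.1.1.2:22
    print(mx.outbound_source("tcp", HOST_B, 22, HOST_A, 51000))  # reply
    print(mx.outbound_source("tcp", HOST_B, 40000, HOST_A, 22))  # new flow
```

One practical consequence: an allow-list on Host A that permits only 1.1.1.2 will not match SSH sessions that Host B initiates, because those arrive from 1.1.1.1.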
