1:1 NAT maps an internal IP to an external IP, generally mapping a public IP address to a private IP address and vice versa. When you assign a 1:1 NAT mapping, any traffic from that host to the Internet is NAT'ed to the defined external IP, and any traffic arriving at the external IP is NAT'ed and passed to the internal IP if firewall rules permit. By default, the firewall rules do not allow any inbound traffic to 1:1 NAT mappings.
You can also map entire subnets with one entry.
You can also use this on optional networks, but that is not a common use of this functionality.
Go to the Firewall -> NAT screen and click the 1:1 tab. Click the add button to add a new entry.

The external subnet will be set to the IP address or subnet you wish to map. Usually this will be a single IP address (and hence a /32 mask). If you have, for example, a full class C public subnet and your LAN or DMZ is a full class C subnet and you want to 1:1 NAT everything to its own public IP, you need to enter your entire public IP subnet here.
The internal subnet will, in most cases, be a single IP address on either your LAN or an optional interface like a DMZ. In the case of 1:1 NAT'ing an entire subnet, enter the subnet address here. The mask given for the External subnet is applied to the internal subnet as well, since the two must be identical.
After verifying your entries, click Save and Apply changes.
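
To review which internal hosts a subnet-wide entry makes reachable, and at which public address, the sketch below models a single 1:1 entry with one shared mask. It is an added example, not code from the firewall itself. It assumes host offsets are preserved across the mapping (the first internal host maps to the first external address, and so on); the class name `OneToOneNat` is hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress


class OneToOneNat:
    """Model of one 1:1 NAT entry: external and internal side share one mask."""

    def __init__(self, external, internal, prefix_len):
        # strict=True rejects an address that is not aligned to the mask,
        # e.g. 192.168.1.10 entered as the "subnet" for a /24 entry.
        self.external = ipaddress.ip_network(f"{external}/{prefix_len}", strict=True)
        self.internal = ipaddress.ip_network(f"{internal}/{prefix_len}", strict=True)

    @staticmethod
    def _shift(addr, source_net, target_net):
        addr = ipaddress.ip_address(addr)
        if addr not in source_net:
            return None  # not covered by this entry
        # Assumption: the host part is kept, only the network part changes.
        offset = int(addr) - int(source_net.network_address)
        return target_net.network_address + offset

    def outbound(self, internal_src):
        """External address an internal host appears as on the Internet."""
        return self._shift(internal_src, self.internal, self.external)

    def inbound(self, external_dst):
        """Internal host that receives traffic sent to an external address."""
        return self._shift(external_dst, self.external, self.internal)

    def exposure(self, internal_hosts):
        """Map each listed internal host to its public address (None if unmapped)."""
        return {host: self.outbound(host) for host in internal_hosts}


if __name__ == "__main__":
    # Constructed sample: a full /24 mapped host-for-host.
    nat = OneToOneNat("203.0.113.0", "192.168.1.0", 24)
    hosts = ["192.168.1.10", "192.168.1.25", "192.168.2.5"]
    for host, public in nat.exposure(hosts).items():
        print(f"{host:15} -> {public or 'not mapped by this entry'}")
```

Every address the table reports as mapped is a candidate for an inbound firewall rule review, since inbound traffic to it is passed only where a rule permits it.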