Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
End-of-Life (EoL)


If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.
Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.
This example configures an address object named Dyn-IP-Pool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named Dyn-IP-Pool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.
  1. On one HA firewall, create address objects.
    1. Select Objects > Addresses and Add an address object Name, in this example, Dyn-IP-Pool-dev0.
    2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
    3. Click OK.
    4. Repeat this step to configure another address object named Dyn-IP-Pool-dev1 with the IP Range of 10.1.1.160-10.1.1.170.
  2. Create the source NAT rule for Device ID 0.
    1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, Src-NAT-dev0.
    2. For Original Packet, for Source Zone, select Any.
    3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
    4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
    5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: Dyn-IP-Pool-dev0.
    6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
    7. Click OK.
  3. Create the source NAT rule for Device ID 1.
    1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, Src-NAT-dev1.
    2. For Original Packet, for Source Zone, select Any.
    3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
    4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
    5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: Dyn-IP-Pool-dev1.
    6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
    7. Click OK.
  4. Commit the configuration.
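
A pre-commit sanity check for the procedure above, added here as an example and not taken from the vendor documentation: it confirms that every source NAT rule is bound to Device ID 0 or 1 and that pools bound to different Device IDs do not share addresses. The dictionary layout and the key names translated_address and ha_binding are assumptions made for this sketch, not a firewall export format.

```python
import ipaddress
from itertools import combinations

# Constructed sample using this use case's values; dict layout and key names are hypothetical.
ADDRESS_OBJECTS = {
    "Dyn-IP-Pool-dev0": "10.1.1.140-10.1.1.150",
    "Dyn-IP-Pool-dev1": "10.1.1.160-10.1.1.170",
}
NAT_RULES = [
    {"name": "Src-NAT-dev0", "translated_address": "Dyn-IP-Pool-dev0", "ha_binding": "0"},
    {"name": "Src-NAT-dev1", "translated_address": "Dyn-IP-Pool-dev1", "ha_binding": "1"},
]

def parse_range(text):
    """Return (first, last) as integers for a 'start-end' IPv4 range."""
    start, _, end = text.partition("-")
    first = int(ipaddress.IPv4Address(start.strip()))
    last = int(ipaddress.IPv4Address(end.strip()))
    if first > last:
        raise ValueError(f"range start is above range end: {text}")
    return first, last

def check_pools(address_objects, nat_rules):
    """Return a list of findings; an empty list means the pools are separate."""
    findings = []
    resolved = []  # (rule name, device id, first, last)
    for rule in nat_rules:
        pool = rule["translated_address"]
        if rule.get("ha_binding") not in ("0", "1"):
            findings.append(f"{rule['name']}: not bound to Device ID 0 or 1")
            continue
        if pool not in address_objects:
            findings.append(f"{rule['name']}: unknown address object {pool}")
            continue
        try:
            first, last = parse_range(address_objects[pool])
        except ValueError as exc:
            findings.append(f"{rule['name']}: {exc}")
            continue
        resolved.append((rule["name"], rule["ha_binding"], first, last))
    for (n1, d1, f1, l1), (n2, d2, f2, l2) in combinations(resolved, 2):
        # Two inclusive ranges overlap when each starts before the other ends.
        if d1 != d2 and f1 <= l2 and f2 <= l1:
            findings.append(f"{n1} and {n2}: pools overlap across Device IDs")
    return findings

if __name__ == "__main__":
    for line in check_pools(ADDRESS_OBJECTS, NAT_RULES) or ["OK: pools are separate"]:
        print(line)
```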
