Reserve Dynamic IP NAT Addresses
10.1
You can reserve Dynamic IP NAT addresses for a configurable period of time so that a translated address is not handed to a different source IP address that needs translation. When configured, the reservation applies to every Dynamic IP translation already in progress and to every new translation.

In both cases, once a source IP address has been translated to an available translated IP address, that pairing is retained even after all sessions that use it have expired. The reservation timer for a source IP address starts when the last session using that translation expires. Dynamic IP NAT is a one-to-one translation: each source IP address maps to exactly one translated IP address, chosen dynamically from the addresses available in the configured pool. A reserved translated IP address is therefore unavailable to any other source IP address until the reservation expires, which happens only if no new session from the original source starts before the timer runs out. Each time a new session for a source IP/translated IP pairing begins after a period with no active sessions, the timer stops and is restarted from zero when the sessions end again.

The practical consequence is that reserved addresses count against the pool: while a reservation is in effect, the pool has one fewer address to offer to a new source IP address, even though the reserved address carries no active session. Size the pool and the reservation time with that in mind.

By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall as a whole or for an individual virtual system.
- Reserve dynamic IP NAT addresses for a firewall. Enter the following commands:
  admin@PA-3250# set setting nat reserve-ip yes
  admin@PA-3250# set setting nat reserve-time <1-604800 secs>
- Reserve dynamic IP NAT addresses for a virtual system. Enter the following commands:
  admin@PA-3250# set vsys <vsysid> setting nat reserve-ip yes
  admin@PA-3250# set vsys <vsysid> setting nat reserve-time <1-604800 secs>

The reservation time is given in seconds; the maximum of 604800 seconds is seven days.

For example, suppose there is a Dynamic IP NAT pool of 30 addresses and 20 translations are in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved: when the last session (of any application) that uses a given source IP/translated IP pairing expires, the translated IP address is reserved for that source IP address alone for 8 hours, in case that source IP address needs translation again. As the 10 remaining translated addresses are allocated, each is likewise reserved for its source IP address, with a timer that begins when the last session for that source IP address expires.

In this manner, each source IP address is repeatedly translated to the same NAT address from the pool, and another host is not assigned a reserved translated IP address from the pool even when there are no active sessions for that address.

Suppose all sessions for a source IP/translated IP pairing expire and the 8-hour reservation timer begins. If a new session for that pairing begins before the timer runs out, the timer stops; the sessions continue until they all end, at which point the reservation timer starts again from the beginning, reserving the translated address for another 8 hours.

The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.

The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
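The timeline above is easy to misread, in particular the point at which a reserved address stops being available to other hosts and when it becomes free again. The following is an added illustration, not PAN-OS code and not taken from the page: a small Python model of the allocator behaviour the text describes (one-to-one pairing, a timer that starts when the last session for a source ends, is cancelled by a new session, and releases the address when it lapses). The pool addresses, host addresses and timestamps are constructed from the RFC 5737 documentation ranges; `reserve_time=None` stands in for the default state in which no addresses are reserved.

```python
"""Toy model of Dynamic IP NAT address reservation (hypothetical, not firewall code).

It reproduces the behaviour the page describes so the two configurations
(reservation on with nat reserve-time 28800, and the default with no
reservation) can be compared on the same timeline. Times are in seconds.
"""


class DynamicIpNatPool:
    def __init__(self, pool, reserve_time=None):
        # reserve_time=None models the default (nat reserve-ip no);
        # an integer models `set setting nat reserve-time <secs>`.
        self.free = list(pool)        # translated addresses owned by nobody
        self.mapping = {}             # source IP -> translated IP (active or reserved)
        self.sessions = {}            # source IP -> count of active sessions
        self.reserved_until = {}      # source IP -> time at which its reservation lapses
        self.reserve_time = reserve_time

    def _release_expired(self, now):
        # A reservation lapses only if no new session started before its deadline.
        for src, deadline in list(self.reserved_until.items()):
            if now >= deadline:
                del self.reserved_until[src]
                self.free.append(self.mapping.pop(src))

    def start_session(self, src, now):
        """Return the translated IP for a new session from src, or None if the pool is exhausted."""
        self._release_expired(now)
        if src in self.mapping:
            # Existing pairing (active or reserved) is reused; a pending timer stops.
            self.reserved_until.pop(src, None)
        else:
            if not self.free:
                return None           # every address is active or reserved for someone else
            self.mapping[src] = self.free.pop(0)
        self.sessions[src] = self.sessions.get(src, 0) + 1
        return self.mapping[src]

    def end_session(self, src, now):
        """Close one session; when it was the last for src, reserve or free its address."""
        self._release_expired(now)
        if src not in self.sessions:
            return False
        self.sessions[src] -= 1
        if self.sessions[src] == 0:
            del self.sessions[src]
            if self.reserve_time is None:
                self.free.append(self.mapping.pop(src))        # default: reusable at once
            else:
                self.reserved_until[src] = now + self.reserve_time  # timer starts now
        return True


# Constructed addresses from the RFC 5737 documentation ranges.
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
A, B, C, D = "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"


def run_scenario(reserve_time):
    """Replay one timeline and record which translated IP each session start received."""
    nat = DynamicIpNatPool(POOL, reserve_time)
    got = {}
    got["A1"] = nat.start_session(A, now=0)
    got["B1"] = nat.start_session(B, now=0)
    nat.end_session(A, now=100)                   # A idle: timer (if any) runs 100..28900
    got["C1"] = nat.start_session(C, now=200)
    got["D1"] = nat.start_session(D, now=300)     # no unowned address left if .1 is reserved
    got["A2"] = nat.start_session(A, now=400)     # A returns inside the window
    nat.end_session(A, now=500)                   # timer restarts: 500..29300
    got["D2"] = nat.start_session(D, now=29000)   # before the restarted deadline
    got["D3"] = nat.start_session(D, now=29400)   # after it
    return got


if __name__ == "__main__":
    print("reserve-time 28800:", run_scenario(28800))
    print("no reservation:    ", run_scenario(None))
```

With reservation on, host A gets 203.0.113.1 both times it appears, and host D is refused at t=300 and again at t=29000 even though no session is using 203.0.113.1 at either moment; D only receives it at t=29400, after the restarted timer has lapsed. Without reservation, D takes 203.0.113.1 as soon as A goes idle, and A's second appearance finds the pool exhausted. That is the trade-off the reservation setting makes: mapping stability for returning hosts against pool availability for new ones.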