Dynamic IP and Port NAT Oversubscription
Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reuse of an IP address and port pair (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, so that sessions can still be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times its size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
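The following is an added illustrative model of the reuse rule described above; it is not PAN-OS code and does not claim to reproduce the firewall's real allocation algorithm. It assumes a first-fit allocator and identifies a session by the tuple (protocol, translated IP, translated port, destination IP, destination port): a translated IP/port pair may be handed out up to the oversubscription rate, but never twice for the same destination, because return traffic for the two sessions could not then be told apart. The addresses and ports in the demo are constructed sample values.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DippTable:
    """Illustrative DIPP NAT translation table with oversubscription (not PAN-OS code)."""

    translated_ips: list[str]          # public addresses in the NAT rule's pool
    port_range: range                  # translated source ports available per address
    oversub_rate: int = 8              # 8, 4 or 2 per the page; 1 means no oversubscription
    # how many active sessions currently share each translated (ip, port) pair
    _use: dict[tuple[str, int], int] = field(default_factory=lambda: defaultdict(int), init=False, repr=False)
    # active sessions keyed by (proto, translated ip, translated port, dst ip, dst port)
    _sessions: set[tuple] = field(default_factory=set, init=False, repr=False)

    def capacity(self) -> int:
        """Concurrent sessions the pool can carry: addresses x ports x oversubscription rate."""
        return len(self.translated_ips) * len(self.port_range) * self.oversub_rate

    def allocate(self, proto: str, dst_ip: str, dst_port: int) -> tuple[str, int] | None:
        """Pick a translated (ip, port) for a new session to dst_ip:dst_port.

        A pair is reusable while fewer than oversub_rate sessions share it, but only if
        the full 5-tuple is new: reusing a pair toward the same destination would make
        the two sessions indistinguishable, which is the collision oversubscription relies
        on being rare. Returns None when no pair is available (pool exhausted).
        """
        for ip in self.translated_ips:
            for port in self.port_range:
                key = (proto, ip, port, dst_ip, dst_port)
                if self._use[(ip, port)] < self.oversub_rate and key not in self._sessions:
                    self._sessions.add(key)
                    self._use[(ip, port)] += 1
                    return ip, port
        return None

    def release(self, proto: str, ip: str, port: int, dst_ip: str, dst_port: int) -> None:
        """Remove a finished session and free its share of the translated pair."""
        self._sessions.discard((proto, ip, port, dst_ip, dst_port))
        if self._use[(ip, port)] > 0:
            self._use[(ip, port)] -= 1

    def active_sessions(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    # Constructed demo: one public address, two ports, rate 2 -> capacity 4 sessions.
    table = DippTable(["203.0.113.10"], range(40000, 40002), oversub_rate=2)
    print("capacity:", table.capacity())
    for dst in ("198.51.100.1", "198.51.100.2", "198.51.100.1", "198.51.100.2", "198.51.100.3"):
        print(dst, "->", table.allocate("tcp", dst, 443))
```

Run with rate 1 and the second session toward a different destination already consumes the second port; run with rate 2 and two sessions to different destinations share port 40000, while a third session to an already-used destination is forced onto port 40001. Once every pair has been used `oversub_rate` times, `allocate` returns `None`, which is the exhaustion condition the oversubscription rate is meant to postpone.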
The oversubscription rates that are allowed vary based on the model. The oversubscription rate is global; it applies to the whole firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the model applies. The Platform Default setting allows for an upgrade or downgrade of a software release. The Product Selection tool shows the default (maximum) DIPP pool oversubscription rate for each model.
The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each model supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the model, the commit will fail.
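The following is an added worked model of the two commit-time checks described above; it is not PAN-OS code and is not the firewall's actual commit logic. It assumes that a rule's translated-address count is its pool size multiplied by the oversubscription rate, that the global rate is lowered step by step through 8, 4, 2, 1 until every rule fits within 256, and that the model-wide limit is then checked against the sum of those counts (the page does not state which count that limit uses, so treat that as an assumption). The `model_max_translated` argument is a placeholder; look up the real limit for your model.

```python
ALLOWED_RATES = (8, 4, 2, 1)     # rates named on the page, plus 1 = no oversubscription
MAX_TRANSLATED_PER_RULE = 256    # per-rule limit stated on the page


def commit_check(rule_pool_sizes, configured_rate, model_max_translated):
    """Illustrative model (not PAN-OS code) of the commit-time capacity checks.

    rule_pool_sizes:      translated IP addresses in each DIPP NAT rule's pool
    configured_rate:      the global oversubscription rate (8, 4, 2 or 1)
    model_max_translated: model-wide translated-address limit (placeholder value)

    Returns (rate_in_effect, commit_ok). The rate is only ever lowered, never raised,
    and because it is global the same reduced rate applies to every rule.
    Assumption: translated addresses per rule = pool size x rate, and the model-wide
    limit is compared against the sum of those per-rule counts.
    """
    if configured_rate not in ALLOWED_RATES:
        raise ValueError(f"oversubscription rate must be one of {ALLOWED_RATES}")

    rate_in_effect = None
    for candidate in ALLOWED_RATES:
        if candidate > configured_rate:
            continue  # never raise the rate above what is configured
        if all(n * candidate <= MAX_TRANSLATED_PER_RULE for n in rule_pool_sizes):
            rate_in_effect = candidate
            break

    if rate_in_effect is None:
        # Some rule has more than 256 translated addresses even with no oversubscription,
        # so no automatic reduction can make the commit succeed.
        return configured_rate, False

    total_translated = sum(n * rate_in_effect for n in rule_pool_sizes)
    return rate_in_effect, total_translated <= model_max_translated


if __name__ == "__main__":
    # Constructed scenarios; 1000 is a placeholder model limit, not a real model's value.
    for pools, rate in (([16, 32], 8), ([64], 8), ([300], 8), ([32, 32], 8)):
        print(pools, "rate", rate, "->", commit_check(pools, rate, 1000))
```

Two effects are visible in the scenarios: a single rule with a 64-address pool at rate 8 would need 512 translated addresses, so the rate drops to 4 (256 addresses) and the commit succeeds; two 32-address rules each fit at rate 8 but together need 512 translated addresses, which exceeds the placeholder model limit of 400 and fails. Because the rate is global, lowering it to rescue one oversized rule also reduces the session capacity of every other rule, which is the trade-off the page describes.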