Source NAT is typically used by internal users to access
the Internet; the source address is translated and thereby kept
private. There are three types of source NAT:
Static IP—Allows the 1-to-1, static translation
of a source IP address, but leaves the source port unchanged. A
common scenario for a static IP translation is an internal server
that must be available to the Internet.
Dynamic IP—Allows the one-to-one, dynamic translation
of a source IP address only (no port number) to the next available
address in the NAT address pool. The size of the NAT pool should
be equal to the number of internal hosts that require address translations.
By default, if the source address pool is larger than the NAT address
pool and eventually all of the NAT addresses are allocated, new
connections that need address translation are dropped. To override
this default behavior, use Advanced (Dynamic IP/Port
Fallback) to enable use of DIPP addresses when necessary.
In either event, as sessions terminate and the addresses in the
pool become available, they can be allocated to translate new connections.
Dynamic IP and Port (DIPP)—Allows multiple hosts to have their source IP
addresses translated to the same public IP address with different port numbers.
The dynamic translation is to the next available address in the NAT address
pool, which you configure as a Translated Address pool be
to an IP address, range of addresses, a subnet, or a combination of these.
As an alternative to using the next address in the NAT address pool, DIPP allows
you to specify the address of the Interface itself. The
advantage of specifying the interface in the NAT rule is that the NAT rule will
be automatically updated to use any address subsequently acquired by the
interface. DIPP is sometimes referred to as interface-based NAT or network
address port translation (NAPT).
(Affects only PA-7000 Series firewalls that do not use second-generation
PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards) When you
use Point-to-Point Tunnel Protocol (PPTP) with DIPP NAT, the firewall is
limited to using a translated IP address-and-port pair for only one
connection; the firewall does not support DIPP NAT. The workaround is to
upgrade the PA-7000 Series firewall to a second-generation SMC-B card.
Beginning with PAN-OS 10.1.6, persistent NAT for DIPP is available on VM-Series
firewalls and single-dataplane firewalls. Beginning with PAN-OS 10.1.7, it is
available on all firewalls.
VoIP, video, cloud-based video conferencing, audio conferencing, and other
applications often use DIPP and may require the Session Traversal Utilities for
NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility
issues with applications that use STUN. To alleviate these issues, persistent NAT for DIPP
provides additional support for connectivity with such applications.
Reboot the firewall after enabling or disabling
the global persistent-dipp option only when your firewall is already configured
with DIPP NAT policy rules. If your firewall does not have the DIPP NAT policies
configured already, then you can skip rebooting your firewall.
When persistent NAT for DIPP is enabled, the binding of a private source IP
address/port pair to a specific public (translated) source IP address/port pair
persists for subsequent sessions that arrive having that same original source IP
address/port pair. The following example shows three sessions:
In this example, original source IP address/port 10.1.1.5:2966 is bound to the
translated source IP address/port 192.168.1.6:1077 in Session 1. That binding is
persistent in Session 2 and Session 3, which have the same original source IP
address/port, but different destination addresses. The persistence of the
binding ends after all of the sessions for that source IP address/port pair have
ended.
In Session 1 of the example, the Destination port is 3478, the default STUN
port.
When persistent NAT for DIPP is enabled, it applies to all NAT and NAT64 rules; it's a global
setting. Management plane or dataplane logs will indicate NAT
DIPP/STUN support has been enabled.
The persistent NAT for DIPP setting (enabled or disabled) survives across
firewall reboots.