Configure persistent NAT for Dynamic IP and Port (DIPP).
One type of source NAT is Dynamic IP and Port (DIPP), which allows multiple hosts to have their source IP addresses translated to a single public IP address with different port numbers. VoIP, video, cloud-based video conferencing, audio conferencing, and other applications often use DIPP and may require the Session Traversal Utilities for NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility issues with applications that use STUN. To alleviate these issues, persistent NAT for DIPP provides additional support for connectivity with such applications.

Beginning with PAN-OS 10.1.6, persistent NAT for DIPP is available on VM-Series firewalls and single-dataplane firewalls. Beginning with PAN-OS 10.1.7, it is available on all firewalls.

When persistent NAT for DIPP is enabled, the binding of a private source IP address/port pair to a specific public (translated) source IP address/port pair persists for subsequent sessions that arrive with the same original source IP address/port pair. The following example shows three sessions:

In this example, original source IP address/port 10.1.1.5:2966 is bound to the translated source IP address/port 192.168.1.6:1077 in Session 1. That binding persists in Session 2 and Session 3, which have the same original source IP address/port as Session 1 but different destination addresses. The persistence of the binding ends after all of the sessions for that source IP address/port pair have ended.

In Session 1 of the example, the destination port is 3478, the default STUN port.
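As an added illustration of the binding behaviour described above (a toy model written for this page, not PAN-OS code), the following Python replays the three-session example with and without persistent NAT; the destination addresses and the ports of Sessions 2 and 3 are constructed values, and the model hands out a fresh translated port per session when persistence is off.

```python
from dataclasses import dataclass, field


@dataclass
class DippNat:
    """Toy model of DIPP source NAT, with or without persistent bindings."""
    public_ip: str
    persistent: bool
    next_port: int = 1077          # first translated port handed out (constructed)
    bindings: dict = field(default_factory=dict)  # (src_ip, src_port) -> (xlat_ip, xlat_port)
    refs: dict = field(default_factory=dict)      # (src_ip, src_port) -> live session count
    sessions: dict = field(default_factory=dict)  # session id -> (orig, xlat, dst)

    def _alloc(self):
        # Hand out the next free translated port on the single public IP.
        port, self.next_port = self.next_port, self.next_port + 1
        return (self.public_ip, port)

    def open_session(self, sid, src_ip, src_port, dst_ip, dst_port):
        """Translate a new session; returns the (xlat_ip, xlat_port) used."""
        orig = (src_ip, src_port)
        if self.persistent and orig in self.bindings:
            xlat = self.bindings[orig]     # reuse the binding for a new destination
        else:
            xlat = self._alloc()           # symmetric NAT: fresh mapping per session
            if self.persistent:
                self.bindings[orig] = xlat
        self.refs[orig] = self.refs.get(orig, 0) + 1
        self.sessions[sid] = (orig, xlat, (dst_ip, dst_port))
        return xlat

    def close_session(self, sid):
        """End a session; the binding is released once no sessions use it."""
        orig, _, _ = self.sessions.pop(sid)
        self.refs[orig] -= 1
        if self.refs[orig] == 0:
            del self.refs[orig]
            self.bindings.pop(orig, None)


def three_sessions(persistent):
    """Replays the page's example: one source pair, three destinations (constructed)."""
    nat = DippNat("192.168.1.6", persistent)
    s1 = nat.open_session(1, "10.1.1.5", 2966, "203.0.113.10", 3478)  # STUN
    s2 = nat.open_session(2, "10.1.1.5", 2966, "203.0.113.20", 5004)
    s3 = nat.open_session(3, "10.1.1.5", 2966, "203.0.113.30", 5004)
    return nat, (s1, s2, s3)
```

With persistence on, all three sessions leave the firewall as 192.168.1.6:1077; with it off, each session gets its own translated port, which is what breaks STUN-based address discovery.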
When persistent NAT for DIPP is enabled, it applies to all NAT and NAT64 rules configured subsequently; it is a global setting. Management plane or dataplane logs indicate that NAT DIPP/STUN support has been enabled.

The persistent NAT for DIPP setting (enabled or disabled) survives firewall reboots.

Perform this task to enable persistent NAT for DIPP.