You can reserve Dynamic IP NAT addresses (for
a configurable period of time) to prevent them from being allocated
as translated addresses to a different source IP address that needs
translation. When configured, the reservation applies to all of
the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source
IP address is translated to an available translated IP address,
that pairing is retained even after all sessions related to that
specific source IP address have expired. The reservation timer for each source
IP address begins after all sessions that use that source IP address translation
expire. Dynamic IP NAT is a one-to-one translation; one source IP address
translates to one translated IP address that is chosen dynamically
from those addresses available in the configured pool. Therefore,
a translated IP address that is reserved is not available for any
other source IP address until the reservation expires because a
new session has not started. The timer is reset each time a new session
for a source IP/translated IP mapping begins, after a period when
no sessions were active.
By default, no addresses are reserved.
You can reserve Dynamic IP NAT addresses for the firewall or for
a virtual system.
Reserve dynamic IP NAT addresses for the firewall.
Enter the following commands:
set setting nat reserve-ip yes
set setting nat reserve-time <1-604800 secs>
Reserve dynamic IP NAT addresses for a virtual system.
Enter the following commands:
set vsys <vsysid> setting nat reserve-ip yes
set vsys <vsysid> setting nat reserve-time <1-604800 secs>
For example, suppose there is a Dynamic IP NAT pool of 30 addresses
and there are 20 translations in progress when the reserve-time
is set to 28800 seconds (8 hours). Those
20 translations are now reserved, so that when the last session
(of any application) that uses each source IP/translated IP mapping
expires, the translated IP address is reserved for only that source
IP address for 8 hours, in case that source IP address needs translation
again. Additionally, as the 10 remaining translated addresses are
allocated, they each are reserved for their source IP address, each
with a timer that begins when the last session for that source IP
address expires. In this manner, each source IP address can
be repeatedly translated to its same NAT address from the pool;
another host will not be assigned a reserved translated IP address
from the pool, even if there are no active sessions for that translated
address. Suppose a source IP/translated IP mapping has all
of its sessions expire, and the reservation timer of 8 hours begins.
After a new session for that translation begins, the timer stops,
and the sessions continue until they all end, at which point the
reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until
you disable it by entering the
set setting nat reserve-ip
command or you change the reserve-time to
a different value.
The CLI commands for reservations do not
affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
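
The reservation timer behavior described above, modeled as a small Python simulation. This is an added example, not PAN-OS code: the DynamicIpPool class, the two-address pool, and the 10.0.0.x and 203.0.113.x addresses are constructed for illustration, and the model assumes an unreserved address returns to the pool as soon as its last session ends.

```python
RESERVE_TIME = 28800  # seconds (8 hours), the value in the page's example
class DynamicIpPool:
    """Toy model of a Dynamic IP NAT pool (constructed; not PAN-OS code)."""

    def __init__(self, addresses, reserve_ip, reserve_time=RESERVE_TIME):
        self.free = list(addresses)   # translated IPs bound to no source
        self.reserve_ip = reserve_ip  # models 'set setting nat reserve-ip'
        self.reserve_time = reserve_time
        self.binding = {}             # source IP -> translated IP
        self.sessions = {}            # source IP -> active session count
        self.idle_since = {}          # source IP -> time its last session ended

    def _release_expired(self, now):
        # Free bindings that have no sessions and no live reservation.
        for src, t0 in list(self.idle_since.items()):
            if not self.reserve_ip or now - t0 >= self.reserve_time:
                self.free.append(self.binding.pop(src))
                del self.idle_since[src], self.sessions[src]

    def open_session(self, src, now):
        self._release_expired(now)
        if src not in self.binding:
            if not self.free:
                return None           # pool exhausted: no translation available
            self.binding[src] = self.free.pop(0)
            self.sessions[src] = 0
        self.idle_since.pop(src, None)  # a new session stops the timer
        self.sessions[src] += 1
        return self.binding[src]

    def close_session(self, src, now):
        self.sessions[src] -= 1
        if self.sessions[src] == 0:
            self.idle_since[src] = now  # timer starts when the last session ends
        self._release_expired(now)

def scenario(reserve_ip):
    """Two-address pool; host .1 goes idle, host .3 asks, host .1 returns."""
    pool = DynamicIpPool(["203.0.113.1", "203.0.113.2"], reserve_ip)
    first = pool.open_session("10.0.0.1", now=0)
    pool.open_session("10.0.0.2", now=0)
    pool.close_session("10.0.0.1", now=100)
    other = pool.open_session("10.0.0.3", now=200)
    again = pool.open_session("10.0.0.1", now=300)
    return first, other, again

if __name__ == "__main__":
    print("reserved:  ", scenario(True))
    print("unreserved:", scenario(False))
```

With reservation on, the idle host keeps its translated address and the third host gets no translation until the timer runs out, which is the pool-sizing trade-off to weigh when choosing a reserve-time.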