Dynamic IP and Port (DIPP) NAT allows you to use each
translated IP address and port pair multiple times (8, 4, or 2 times)
in concurrent sessions. This reusability of an IP address and port
(known as oversubscription) provides scalability for customers who
have too few public IP addresses. The design assumes that hosts
connect to different destinations, so sessions can still be uniquely
identified and collisions are unlikely. The oversubscription rate in
effect multiplies the original size of the address/port pool by 8, 4,
or 2. For example, the default limit of 64K concurrent sessions, when
multiplied by an oversubscription rate of 8, results in 512K
concurrent sessions allowed.
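
The reuse rule described above, as an added example (not Palo Alto Networks code): a simplified allocator, assumed for illustration, in which a translated IP/port pair is reused up to the oversubscription rate only for sessions to different destinations. DippPool, fill and demo are hypothetical names and all addresses are constructed documentation ranges; the run shows the nominal capacity being reached when destinations differ and collapsing to the plain pool size when every host connects to the same destination.

```python
from collections import defaultdict


class DippPool:
    """Toy DIPP allocator (assumed model for illustration, not PAN-OS code)."""

    def __init__(self, translated_ips, ports, oversub_rate):
        # Every translated (IP, port) pair the pool can hand out.
        self.pairs = [(ip, p) for ip in translated_ips for p in ports]
        self.rate = oversub_rate
        self.dests = defaultdict(set)  # pair -> destinations currently using it

    def capacity(self):
        # Nominal concurrent-session ceiling: pool size x oversubscription rate.
        return len(self.pairs) * self.rate

    def allocate(self, dest):
        """Return a translated pair for a new session to dest, or None if exhausted."""
        for pair in self.pairs:
            in_use = self.dests[pair]
            # Reuse is allowed only up to the rate, and only when this destination
            # is not already served by the pair (the two sessions would collide).
            if len(in_use) < self.rate and dest not in in_use:
                in_use.add(dest)
                return pair
        return None

    def release(self, pair, dest):
        self.dests[pair].discard(dest)


def fill(pool, destinations):
    """Open one session per destination entry; return how many were translated."""
    return sum(1 for d in destinations if pool.allocate(d) is not None)


def demo():
    # Constructed sample: 1 translated IP, 4 ports, rate 8 -> nominal capacity 32.
    ports = range(2000, 2004)
    spread = [("198.51.100.%d" % i, 443, "tcp") for i in range(1, 41)]  # 40 distinct
    same = [("203.0.113.10", 443, "tcp")] * 40                          # 40 identical
    a = DippPool(["192.0.2.1"], ports, 8)
    b = DippPool(["192.0.2.1"], ports, 8)
    return a.capacity(), fill(a, spread), fill(b, same)


if __name__ == "__main__":
    print(demo())
```

When pool-exhaustion symptoms appear well below the nominal session limit, the destination distribution of the translated traffic is the first thing to check.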
The oversubscription rates that are allowed vary based on the
platform. The oversubscription rate is global; it applies to the
firewall. This oversubscription rate is set by default and consumes
memory, even if you have enough public IP addresses available to
make oversubscription unnecessary. You can reduce the rate from
the default setting to a lower setting or even 1 (which means no
oversubscription). By configuring a reduced rate, you decrease the
number of source device translations possible, but increase the
DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select
, your explicit
configuration of oversubscription is turned off and the default
oversubscription rate for the platform applies, as shown in the
table below. The
allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription
rate for each platform.
Default Oversubscription Rate
The firewall supports a maximum of 256 translated IP addresses
per NAT rule, and each platform supports a maximum number of translated
IP addresses (for all NAT rules combined). If oversubscription causes
the maximum translated addresses per rule (256) to be exceeded,
the firewall will automatically reduce the oversubscription ratio
in an effort to have the commit succeed. However, if your NAT rules
result in translations that exceed the maximum translated addresses
for the platform, the commit will fail.