Configure Destination NAT Using Dynamic IP Addresses

You can use destination NAT to translate the original destination address to a destination host or server that has a dynamic IP address and uses an FQDN. Destination NAT using a dynamic IP address is especially helpful in cloud deployments, which typically use dynamic IP addressing. When the host or server in the cloud has new (dynamic) IP addresses, you don’t have to manually update the NAT policy rule by continuously querying the DNS server, nor do you need to use a separate external component to update the DNS server with the latest FQDN-to-IP address mapping.
If an FQDN in the translated destination address resolves to more than one IP address, the firewall automatically distributes translated sessions among those addresses (based on a round-robin algorithm) to provide improved session distribution. Each FQDN can support up to 32 IPv4 addresses and 32 IPv6 addresses. If a DNS server returns more than 32 addresses for an FQDN, the firewall uses the first 32 addresses in the packet.
Using destination NAT with a dynamic IP address allows you to translate multiple original destination IP addresses to multiple translated destination IP addresses. A many-to-many translation means, for example, if there are three original destination IP addresses and four translated destination IP addresses, there can be twelve possible destination NAT translations using a single NAT rule.
In the following example topology, clients want to reach servers that are hosting web applications in the cloud. An external Elastic Load Balancer (ELB) connects to firewalls, which connect to internal ELBs that connect to the servers. Over time, Amazon Web Services (AWS), for example, adds (or removes) IP addresses for the FQDN assigned to the internal ELBs based on the demand for services. The flexibility of using an FQDN for NAT to the internal ELB helps the policy to resolve to different IP addresses at different times, making destination NAT easier to use because the updates are dynamic.
  1. Create an address object using the FQDN of the server to which you want to translate the address.
    1. Select ObjectsAddresses and Add an address object by Name, such as post-NAT-Internal-ELB.
    2. Select FQDN as the Type and enter the FQDN. In this example, the FQDN is
    3. Click OK.
  2. Create the destination NAT policy.
    1. Select PoliciesNAT and Add a NAT policy rule by Name on the General tab.
    2. Select ipv4 as the NAT Type.
    3. On the Original Packet tab, Add the Source Zone and Destination Zone.
    4. On the Translated Packet tab, in the Destination Address Translation section, select Dynamic IP (with session distribution) as the Translation Type.
    5. For Translated Address, select the address object you created for the FQDN. In this example, the FQDN is post-NAT-Internal-ELB.
    6. Click OK.
  3. Commit your changes.
  4. (Optional) You can configure the frequency at which the firewall refreshes an FQDN (Use Case 1: Firewall Requires DNS Resolution for Management Purposes).

Related Documentation