Reserve Dynamic IP NAT Addresses

You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires because a new session has not started. The timer is reset each time a new session for a source IP/translated IP mapping begins, after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.
  • Reserve dynamic IP NAT addresses for a firewall.
    Enter the following commands:
    admin@PA-3020# set setting nat reserve-ip yes
    admin@PA-3020# set setting nat reserve-time <1-604800 secs>
  • Reserve dynamic IP NAT addresses for a virtual system.
    Enter the following commands:
    admin@PA-3020# set vsys <vsysid> setting nat reserve-ip yes
    admin@PA-3020# set vsys <vsysid> setting nat reserve-time <1-604800 secs>
    For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
    In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
    Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
    The reservation timer remain in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.
    The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.

Related Documentation