End-of-Life (EoL)

Dynamic IP Address Support for Destination NAT

Configure destination NAT to a host or a server that has a dynamic IP address and uses an FQDN, which is helpful in cloud deployments that use dynamic IP addressing.
Destination NAT is enhanced so that you can translate the original destination address to a destination host or server that has a dynamic IP address that is associated with an FQDN and can be resolved by DNS. Configuring destination NAT using dynamic IP addresses is especially helpful in cloud deployments, which typically use dynamic IP addressing across multiple servers. Each time the host or server in the cloud receives a new (dynamic) IP address, you don’t have to manually update the NAT policy rule by continuously querying the DNS server, nor do you need to use a separate external component to update the DNS server with the latest FQDN-to-IP address mapping. Dynamic IP (with session distribution) supports IPv4 addresses only. The dynamic IP translation type for destination NAT is in addition to the static, one-to-one translation that continues to be supported in this and earlier releases.
If an FQDN in the translated destination NAT address resolves to more than one IP address, the firewall automatically distributes translated sessions among those addresses (based on a round-robin algorithm) to provide improved session distribution.
Using the Dynamic IP (with session distribution) destination address type also allows you to translate multiple original destination IP addresses to multiple translated destination IP addresses. A many-to-many translation means, for example, that three original destination IP addresses and four translated destination IP addresses can result in 12 possible destination NAT translations using a single NAT rule.
You can configure the frequency at which the firewall refreshes an FQDN (Use Case 1: Firewall Requires DNS Resolution for Management Purposes).
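The following Python model illustrates the round-robin session distribution, the many-to-many translation count, and the effect of an FQDN refresh described above. It is an added example, not PAN-OS code or vendor tooling; the class and function names, the sample addresses, and the assumptions that non-IPv4 answers are skipped and that rotation restarts after a refresh are hypothetical.

```python
import ipaddress
from itertools import product


class DnatPool:
    """Toy model of a translated address backed by an FQDN (not PAN-OS code)."""

    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.addresses = []
        self._next = 0

    def refresh(self, resolved):
        """Load a new DNS answer, keeping IPv4 only and dropping duplicates."""
        ipv4 = []
        for text in resolved:
            ip = ipaddress.ip_address(text)
            if ip.version == 4 and ip not in ipv4:
                ipv4.append(ip)
        self.addresses = ipv4
        self._next = 0  # assumption: rotation restarts after a refresh

    def translate(self):
        """Return the translated destination for the next new session."""
        if not self.addresses:
            raise LookupError(f"{self.fqdn} has no usable IPv4 address")
        ip = self.addresses[self._next % len(self.addresses)]
        self._next += 1
        return str(ip)


def possible_translations(originals, pool):
    """Every (original, translated) pair a single rule can produce."""
    return {(o, str(t)) for o, t in product(originals, pool.addresses)}


# Constructed sample data (documentation and private address ranges).
ORIGINALS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
DNS_ANSWER = ["10.0.1.5", "10.0.2.5", "10.0.3.5", "10.0.4.5", "2001:db8::5"]


def demo():
    pool = DnatPool("elb.example.com")
    pool.refresh(DNS_ANSWER)
    sessions = [pool.translate() for _ in range(6)]  # six new sessions
    pairs = possible_translations(ORIGINALS, pool)
    pool.refresh(["10.0.9.9"])  # the cloud host received a new address
    return sessions, len(pairs), pool.translate()


if __name__ == "__main__":
    print(demo())
```
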
  1. Create an address object using the FQDN of the ELB or server to which you want to translate the address.
  2. Create the destination NAT policy.
    1. Specify the original packet to use the publicly routed IP address of the service hosted behind the firewall.
    2. Configure the Translation Type for the translated packet as Dynamic IP (with session distribution).
    3. Enter the FQDN address object (that you created) as the Translated Address.
    4. Click
  3. Commit your changes.
