Configure Destination NAT Using Dynamic IP Addresses
You can use Destination NAT to translate the original destination address to a destination host or server that has a dynamic IP address and uses an FQDN. Destination NAT using a dynamic IP address is especially helpful in cloud deployments, which typically use dynamic IP addressing. When the host or server in the cloud has new (dynamic) IP addresses, you don’t have to manually update the NAT policy rule by continuously querying the DNS server, nor do you need to use a separate external component to update the DNS server with the latest FQDN-to-IP address mapping.
In the following example topology, clients want to reach servers that are hosting web applications in the cloud. An external Elastic Load Balancer (ELB) connects to firewalls, which connect to internal ELBs that connect to the servers. Over time, Amazon Web Services (AWS), for example, adds (or removes) IP addresses for the FQDN assigned to the internal ELBs based on the demand for services. The flexibility of using an FQDN for NAT to the internal ELB helps the policy to resolve to different IP addresses at different times, making destination NAT easier to use because the updates are dynamic.
- Create an address object using the FQDN of the server to which you want to translate the address. (The address object could also be an IP netmask or IP range.)
- Select Objects > Addresses and Add an address object by Name, such as post-NAT-Internal-ELB.
- Select FQDN as the Type and enter the FQDN. In this example, the FQDN is ielb.appweb.com.
- Click OK.
- Create the destination NAT policy.
- Select Policies > NAT and Add a NAT policy rule by Name on the General tab.
- Select ipv4 as the NAT Type.
- On the Original Packet tab, Add the Source Zone and Destination Zone.
- On the Translated Packet tab, in the Destination Address Translation section, select Dynamic IP (with session distribution) as the Translation Type.
- For Translated Address, select the address object you created for the FQDN, IP netmask or IP range. In this example, that is the address object post-NAT-Internal-ELB.
- For Session Distribution Method, select one of the following:
The firewall does not remove duplicate IP addresses from the list of destination IP addresses before it distributes sessions among the multiple IP addresses. The firewall distributes sessions to the duplicate addresses in the same way it distributes sessions to non-duplicate addresses. (Duplicate addresses in the translation pool can occur, for example, if the translated address is an address group of address objects, and one address object is an FQDN that resolves to an IP address, and another address object is a range that includes the same IP address.)
- Round Robin—(default) Assigns new sessions to IP addresses in rotating order. Unless you have a reason to change the distribution method, round robin distribution is likely suitable.
- Source IP Hash—Assigns new sessions based on a hash of the source IP address. If your traffic comes from a single source IP address, select a method other than Source IP Hash, because every session would hash to the same translated address.
- IP Modulo—The firewall takes into consideration the source and destination IP address from the incoming packet; the firewall performs an XOR operation and a modulo operation; the result determines to which IP address the firewall assigns new sessions.
- IP Hash—Assigns new sessions based on a hash of the source and destination IP addresses.
- Least Sessions—Assigns new sessions to the IP address with the fewest concurrent sessions. If you have many short-lived sessions, Least Sessions will provide you with more balanced distribution of sessions.
- Click OK.
- Commit your changes.
- (Optional) You can configure the frequency at which the firewall refreshes an FQDN (Use Case 1: Firewall Requires DNS Resolution).
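As an added example (not from the PAN-OS documentation), the following Python simulation applies the five session distribution methods described above to a constructed translation pool that contains a duplicate address, so you can see why the choice of method matters. The hash function and the exact XOR-then-modulo arithmetic used for IP Modulo are assumptions, since the page does not specify them.

```python
# Added example, not PAN-OS code: simulate the five session-distribution
# methods over a constructed translation pool. The firewall's real hash
# function is not documented on the page; CRC32 and the XOR-then-modulo
# reading of "IP Modulo" below are assumptions made for illustration.
import ipaddress
import zlib
from collections import Counter

# Constructed pool: what an FQDN such as the internal ELB might resolve to,
# plus an overlapping range, so 10.0.1.11 appears twice. As the text notes,
# the firewall does not remove duplicates before distributing sessions.
POOL = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.11"]


def _ip_int(ip):
    return int(ipaddress.ip_address(ip))


def _hash(text):
    return zlib.crc32(text.encode())  # assumption: any stable hash will do


def distribute(method, flows, pool=POOL):
    """Assign each (src, dst) flow a translated destination from pool.

    Returns a Counter of translated IP -> number of sessions, so the
    balance produced by each method is visible at a glance."""
    n = len(pool)
    active = [0] * n        # concurrent sessions per pool slot
    chosen = Counter()
    for k, (src, dst) in enumerate(flows):
        if method == "round-robin":
            i = k % n                                   # rotating order
        elif method == "source-ip-hash":
            i = _hash(src) % n                          # source only
        elif method == "ip-modulo":
            i = (_ip_int(src) ^ _ip_int(dst)) % n       # XOR, then modulo
        elif method == "ip-hash":
            i = _hash(src + "/" + dst) % n              # source + destination
        elif method == "least-sessions":
            i = min(range(n), key=lambda j: (active[j], j))
        else:
            raise ValueError("unknown method: " + method)
        active[i] += 1
        chosen[pool[i]] += 1
    return chosen


# Constructed flows: eight distinct clients, then eight sessions from one client.
MANY_SRC = [("192.0.2.%d" % c, "203.0.113.5") for c in range(1, 9)]
ONE_SRC = [("192.0.2.1", "203.0.113.5")] * 8
```

Running `distribute("source-ip-hash", ONE_SRC)` lands all eight sessions on a single translated address, while round robin over the same pool sends 10.0.1.11 twice as many sessions as the others because it occupies two pool slots.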