Dynamic IP and Port NAT Oversubscription
Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reuse of an IP address and port pair (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts connect to different destinations, so each session can still be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times its size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the model. The oversubscription rate is global; it applies to the entire firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the model applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each model.
Default Oversubscription Rate
The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each model supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the model, the commit will fail.
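To make the reuse rule concrete, the following toy allocator (an added example, not PAN-OS code; the class, pool size and addresses are constructed) shows that one translated IP/port pair can carry up to `rate` sessions only when those sessions go to distinct destinations, so a pool where every client talks to the same destination gains nothing from oversubscription.

```python
from collections import defaultdict


class DippPool:
    """Toy model (added example, not PAN-OS code) of a DIPP NAT pool.

    A translated (ip, port) pair may back up to `rate` concurrent sessions,
    but only one session per destination: the return packet is matched on
    (translated ip, translated port, dst ip, dst port, proto), so two
    sessions sharing one pair must differ in destination to be told apart.
    """

    def __init__(self, ips, ports, rate):
        if rate not in (1, 2, 4, 8):
            raise ValueError("oversubscription rate must be 1, 2, 4 or 8")
        self.rate = rate
        self.pairs = [(ip, port) for ip in ips for port in ports]
        # translated pair -> set of (dst_ip, dst_port, proto) using it
        self.in_use = defaultdict(set)

    def capacity(self):
        """Maximum concurrent sessions: pool size multiplied by the rate."""
        return len(self.pairs) * self.rate

    def allocate(self, dst):
        """Pick a translated pair for a new session to `dst`, or None."""
        for pair in self.pairs:
            users = self.in_use[pair]
            if len(users) < self.rate and dst not in users:
                users.add(dst)
                return pair
        return None  # pool exhausted, or every pair already talks to dst

    def release(self, pair, dst):
        """Free the slot when the session ends."""
        self.in_use[pair].discard(dst)


def fill(pool, destinations):
    """Allocate one session per destination; return how many succeeded."""
    return sum(pool.allocate(dst) is not None for dst in destinations)


def demo(rate):
    """Constructed sample: one public IP and four ports, a pool of 4 pairs."""
    pool = DippPool(["203.0.113.10"], range(40000, 40004), rate)
    # Distinct destinations: reuse works, up to 4 * rate sessions fit.
    spread = fill(pool, [(f"198.51.100.{n}", 443, "tcp") for n in range(1, 40)])
    pool = DippPool(["203.0.113.10"], range(40000, 40004), rate)
    # Every client hitting the same destination: one session per pair only.
    same = fill(pool, [("198.51.100.1", 443, "tcp")] * 40)
    return pool.capacity(), spread, same
```

With `rate=8` the four pairs carry 32 sessions to distinct destinations but still only 4 to a single destination, which is why the page's capacity arithmetic assumes diverse destinations.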