https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15707#M11493 <HTML><HEAD></HEAD><BODY><P>Well, I've finally had chance to try and test this.</P><P></P><P>I configured a dynamic NAT and set the nat reserve-ip to yes and the reserve-time to 30 seconds.</P><P></P><P>The connection information in the Traffic monitor showed that my client had received the IP address in the translation that I had expected (no source port translation as configured).</P><P></P><P>Unfortunately I could not fins any log event to show that the address had been reserved to my client nor could I find anything to show the reserved NAT being released after the 30 second timeout I had configured.</P><P></P><P>I would be grateful to hear if anyone else has a different experience, but must assume that the answer to my question is NO</P><P></P><P>David</P></BODY></HTML> Tue, 05 Nov 2013 14:56:09 GMT dflanders 2013-11-05T14:56:09Z https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15706#M11492 <HTML><HEAD></HEAD><BODY><P><BR />I have been researching Dynamic IP NAT, and have found the option to configure Dynamic IP address pools to reserve IP addresses for translation. Taken from "Understanding and Configuring NAT Tech Note":</P><P></P><P><EM>Reserving IP Addresses</EM></P><P></P><P><EM>Dynamic-IP address pools can be configured to reserve IP addresses for translation. By default, the IP reservation setting, </EM></P><P><EM>reserve-ip, is disabled. If reserve-ip is set to yes, reserve-time must also be set to a value between 1-604800&nbsp; </EM></P><P><EM>seconds (30 days). If set, the dynamic IP rules will support reserving an IP address up to the user specified reserve-time after </EM></P><P><EM>all sessions of that original source IP address translation expire. For example, if reserve-time is set to 8 hours, when the </EM></P><P><EM>last session of the original source IP expires, the translated IP will be reserved for another 8 hours. During this time the IP </EM></P><P><EM>address is “reserved” for the original source IP address. This means that other hosts will not be able to get a translated IP </EM></P><P><EM>address from the pool even if there are active sessions because all translated IP addresses are reserved. IP reservation is </EM></P><P><EM>configured from the CLI as follows:</EM></P><P></P><P><EM>admin@PA# set setting nat reserve-ip &lt;yes/no&gt;</EM></P><P><EM>admin@PA# set setting nat reserve-time &lt; 1-604800 secs&gt;</EM></P><P></P><P>Once this is configured, will the PAN write log entries anywhere to show the address is allocated and that it has been released?</P><P></P><P>Thanks</P><P>David</P></BODY></HTML> Mon, 21 Oct 2013 08:52:32 GMT https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15706#M11492 dflanders 2013-10-21T08:52:32Z https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15707#M11493 <HTML><HEAD></HEAD><BODY><P>Well, I've finally had chance to try and test this.</P><P></P><P>I configured a dynamic NAT and set the nat reserve-ip to yes and the reserve-time to 30 seconds.</P><P></P><P>The connection information in the Traffic monitor showed that my client had received the IP address in the translation that I had expected (no source port translation as configured).</P><P></P><P>Unfortunately I could not fins any log event to show that the address had been reserved to my client nor could I find anything to show the reserved NAT being released after the 30 second timeout I had configured.</P><P></P><P>I would be grateful to hear if anyone else has a different experience, but must assume that the answer to my question is NO</P><P></P><P>David</P></BODY></HTML> Tue, 05 Nov 2013 14:56:09 GMT https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15707#M11493 dflanders 2013-11-05T14:56:09Z https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15708#M11494 <HTML><HEAD></HEAD><BODY><P>Hello Dflanders,</P><P></P><P>Here is a command to check the nat mappings by running the below command hope that would help you.</P><P></P><P>&gt; test nat-policy-match source 20.20.20.20 destination 10.66.25.131 destination-port 80 protocol 6</P><P></P><P>Source-NAT: Rule matched: In-Out</P><P>20.20.20.20:0 =&gt; 10.66.25.131:32353 (6),</P><P></P><P>For traffic coming from&nbsp; 20.20.20.20 destined to Public IP in my case 10.66.25.131, it gives the mapping below and the Nat rule name matching.</P></BODY></HTML> Tue, 05 Nov 2013 16:04:51 GMT https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15708#M11494 Phoenix 2013-11-05T16:04:51Z https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15709#M11495 <HTML><HEAD></HEAD><BODY><P>Hi Phoenix,</P><P></P><P>That's a helpful thought and the command would be useful in checking that the configuration is as required. Unfortunately, the end customer is looking to find logging of the reservation&nbsp; and release as the NAT is allocated (and I haven't been able to find any logging).</P><P></P><P>I am in the process of trying to get a feature request in place, so we'll have to see what comes out.</P><P></P><P>Regards</P><P>David</P></BODY></HTML> Tue, 05 Nov 2013 16:09:42 GMT https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15709#M11495 dflanders 2013-11-05T16:09:42Z https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15710#M11496 <HTML><HEAD></HEAD><BODY><P>Hello David,</P><P></P><P>Are you seeing any output for the following CLI command:</P><P>&gt; show log system direction equal backward subtype equal nat</P><P></P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Tue, 05 Nov 2013 16:30:25 GMT https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15710#M11496 kadak 2013-11-05T16:30:25Z https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15711#M11497 <HTML><HEAD></HEAD><BODY><P>Hello Kunal,</P><P></P><P>I've tested the connectivity again, and although the correct NAT operations occur, there is no output from the command you suggest - all I get is the heading as per this:-</P><P></P><P>Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Severity Subtype Object EventID ID Description</P><P>===============================================================================</P><P>admin@Test-Demo-PA-500&gt;</P><P></P><P>It doesn't look like there is any discrete logging of the allocation and deallocation events.</P><P></P><P>I am trying to get a Feature Request under way for the end customer who is looking into thsi usage.</P><P></P><P>Regards</P><P>David</P></BODY></HTML> Wed, 06 Nov 2013 10:52:14 GMT https://live.paloaltonetworks.com/t5/general-topics/if-we-configure-dynamic-ip-address-pools-to-reserve-ip-addresses/m-p/15711#M11497 dflanders 2013-11-06T10:52:14Z