<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Outbound NAT pool question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20288#M14773</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For reasons I will not go into here, I want to take outbound traffic from secure to unsecure and convert it from a many-to-1 NAT rule to a many-to-many NAT rule.&amp;nbsp;&amp;nbsp; I have 1024 public IP addresses.&amp;nbsp; I want to take a section of my network and provide around 1000 devices with a NAT pool of around 254 addresses.&amp;nbsp;&amp;nbsp; Is this possible?&amp;nbsp;&amp;nbsp; I've tried this with other firewall vendors and have run into bugs. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I found this in the admin guide.&lt;/P&gt;&lt;P style="padding-left: 30px;"&gt;Dynamic IP—For outbound traffic. Private source addresses translate to the next available address in the specified address range. Dynamic IP NAT policies allow you to specify a single IP address, an IP range, or a subnet as the translation address pool. If the source address pool is larger than the translated address pool, &lt;STRONG&gt;new IP addresses seeking translation will be blocked&lt;/STRONG&gt; while the translated address pool is fully utilized.&lt;/P&gt;&lt;P style="padding-left: 30px;"&gt;&lt;/P&gt;&lt;P&gt;And I found this document: &lt;A __default_attr="1517" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"&gt;&lt;/A&gt; which leads me to believe that the oversubscription issue applies to Dynamic-IP, but not to Dynamic-IP-and-Port.&lt;/P&gt;&lt;P style="padding-left: 30px;"&gt;&lt;/P&gt;&lt;P&gt;Can I oversubscribe Dynamic-IP-and-Port without running into the blocking issue?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 15 Oct 2012 15:59:27 GMT</pubDate>
    <dc:creator>EdwinD</dc:creator>
    <dc:date>2012-10-15T15:59:27Z</dc:date>
    <item>
      <title>Outbound NAT pool question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20288#M14773</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For reasons I will not go into here, I want to take outbound traffic from secure to unsecure and convert it from a many-to-1 NAT rule to a many-to-many NAT rule.&amp;nbsp;&amp;nbsp; I have 1024 public IP addresses.&amp;nbsp; I want to take a section of my network and provide around 1000 devices with a NAT pool of around 254 addresses.&amp;nbsp;&amp;nbsp; Is this possible?&amp;nbsp;&amp;nbsp; I've tried this with other firewall vendors and have run into bugs. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I found this in the admin guide.&lt;/P&gt;&lt;P style="padding-left: 30px;"&gt;Dynamic IP—For outbound traffic. Private source addresses translate to the next available address in the specified address range. Dynamic IP NAT policies allow you to specify a single IP address, an IP range, or a subnet as the translation address pool. If the source address pool is larger than the translated address pool, &lt;STRONG&gt;new IP addresses seeking translation will be blocked&lt;/STRONG&gt; while the translated address pool is fully utilized.&lt;/P&gt;&lt;P style="padding-left: 30px;"&gt;&lt;/P&gt;&lt;P&gt;And I found this document: &lt;A __default_attr="1517" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"&gt;&lt;/A&gt; which leads me to believe that the oversubscription issue applies to Dynamic-IP, but not to Dynamic-IP-and-Port.&lt;/P&gt;&lt;P style="padding-left: 30px;"&gt;&lt;/P&gt;&lt;P&gt;Can I oversubscribe Dynamic-IP-and-Port without running into the blocking issue?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2012 15:59:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20288#M14773</guid>
      <dc:creator>EdwinD</dc:creator>
      <dc:date>2012-10-15T15:59:27Z</dc:date>
    </item>
    <item>
      <title>Re: Outbound NAT pool question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20289#M14774</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Edwin,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When you use Dynamic IP and Port, you translate all your private addresses to a &lt;STRONG&gt;SINGLE&lt;/STRONG&gt; IP address and on different ports, whereas Dynamic IP lets you specify a range of addresses. Also, if your source pool (N) is greater than the translation address pool (M), the M+1 connection will be dropped. In your case, if you want to translate 1000 IPs to different addresses, use a NAT pool of 1000 addresses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Sri&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2012 16:19:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20289#M14774</guid>
      <dc:creator>zarina</dc:creator>
      <dc:date>2012-10-15T16:19:31Z</dc:date>
    </item>
    <item>
      <title>Re: Outbound NAT pool question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20290#M14775</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;How come it is this way, and is this due to a hardware limitation (or can it be fixed by a feature request)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Because if one just uses dynamic IP, then the source port will not be changed, which means that if the source port is already used by some other client, then client2 won't be able to establish an outbound connection (not until the first established connection is shut down).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is fixed by using dynamic IP + dynamic port, which will just select any available port &amp;gt;1023 and map this to the current connection (client) no matter who the client is on the inside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But when using a pool along with dynamic IP + dynamic port I would expect the same behaviour: that it starts with 1 dynamic IP out of the pool per client. But when client M+1 shows up, it would just select any available dynamic IP + dynamic port (and continue to use that dynamic IP pair) - or for that matter start again from the first IP in the pool.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If we compare this to a manual setup it would be:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;client 1+5, use dynamic IP 1.1.1.1 + dynamic port.&lt;/P&gt;&lt;P&gt;client 2+6, use dynamic IP 1.1.1.2 + dynamic port.&lt;/P&gt;&lt;P&gt;client 3, use dynamic IP 1.1.1.3 + dynamic port.&lt;/P&gt;&lt;P&gt;client 4, use dynamic IP 1.1.1.4 + dynamic port.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Oct 2012 02:38:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/outbound-nat-pool-question/m-p/20290#M14775</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-10-16T02:38:37Z</dc:date>
    </item>
  </channel>
</rss>

