I have been researching Dynamic IP NAT, and have found the option to configure Dynamic IP address pools to reserve IP addresses for translation. Taken from "Understanding and Configuring NAT Tech Note":
Reserving IP Addresses
Dynamic-IP address pools can be configured to reserve IP addresses for translation. By default, the IP reservation setting,
reserve-ip, is disabled. If reserve-ip is set to yes, reserve-time must also be set to a value between 1-604800
seconds (30 days). If set, the dynamic IP rules will support reserving an IP address up to the user specified reserve-time after
all sessions of that original source IP address translation expire. For example, if reserve-time is set to 8 hours, when the
last session of the original source IP expires, the translated IP will be reserved for another 8 hours. During this time the IP
address is “reserved” for the original source IP address. This means that other hosts will not be able to get a translated IP
address from the pool even if there are active sessions because all translated IP addresses are reserved. IP reservation is
configured from the CLI as follows:
admin@PA# set setting nat reserve-ip <yes/no>
admin@PA# set setting nat reserve-time < 1-604800 secs>
Once this is configured, will the PAN write log entries anywhere to show the address is allocated and that it has been released?
Well, I've finally had a chance to try and test this.
I configured a dynamic NAT and set the nat reserve-ip to yes and the reserve-time to 30 seconds.
The connection information in the Traffic monitor showed that my client had received the IP address in the translation that I had expected (no source port translation as configured).
Unfortunately I could not find any log event to show that the address had been reserved to my client, nor could I find anything to show the reserved NAT being released after the 30 second timeout I had configured.
I would be grateful to hear if anyone else has a different experience, but must assume that the answer to my question is NO.
Here is a command to check the NAT mappings; run the command below, hope that would help you.
> test nat-policy-match source 18.104.22.168 destination 10.66.25.131 destination-port 80 protocol 6
Source-NAT: Rule matched: In-Out
22.214.171.124:0 => 10.66.25.131:32353 (6),
For traffic coming from 126.96.36.199 destined to the public IP (in my case 10.66.25.131), it gives the mapping below and the matching NAT rule name.
That's a helpful thought and the command would be useful in checking that the configuration is as required. Unfortunately, the end customer is looking to find logging of the reservation and release as the NAT is allocated (and I haven't been able to find any logging).
I am in the process of trying to get a feature request in place, so we'll have to see what comes out.
Are you seeing any output for the following CLI command:
> show log system direction equal backward subtype equal nat
Thanks and regards,
I've tested the connectivity again, and although the correct NAT operations occur, there is no output from the command you suggest; all I get is the heading, as per this:
Time Severity Subtype Object EventID ID Description
It doesn't look like there is any discrete logging of the allocation and deallocation events.
I am trying to get a Feature Request under way for the end customer who is looking into this usage.
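Since the thread concludes there is no discrete allocation/release logging, one workaround is to derive the reservation windows from per-session traffic records. The script below is an added example, not from the thread or from PAN-OS: it assumes you can export the original source IP, translated source IP and session start/end times from the traffic log, and applies the documented reserve-time semantics (the translated IP stays reserved for reserve-time after the last session of that source ends, and a new session inside that window extends the reservation). The sample records are constructed.

```python
# Added example (not from the thread or PAN-OS): infer NAT pool allocation/release
# windows from per-session records when reserve-ip is enabled.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real PAN-OS log output:
# (original source IP, translated source IP, session start, session end), ISO 8601.
SAMPLE_SESSIONS = [
    ("10.1.1.10", "198.51.100.5", "2024-01-01T10:00:00", "2024-01-01T10:05:00"),
    ("10.1.1.10", "198.51.100.5", "2024-01-01T10:03:00", "2024-01-01T10:10:00"),
    ("10.1.1.11", "198.51.100.6", "2024-01-01T10:02:00", "2024-01-01T10:04:00"),
    ("10.1.1.10", "198.51.100.5", "2024-01-01T10:45:00", "2024-01-01T10:50:00"),
]

def infer_reservations(sessions, reserve_time_secs):
    """Return (orig_ip, xlated_ip, allocated_at, released_at) tuples, ordered by allocation.

    A translated IP is treated as allocated at the first session start for a
    mapping and released reserve_time_secs after the last session of that
    mapping ends. A session that starts inside the reserve window extends it;
    one that starts after it closes the old window and opens a new one.
    """
    hold = timedelta(seconds=reserve_time_secs)
    by_mapping = defaultdict(list)
    for orig, xlated, start, end in sessions:
        by_mapping[(orig, xlated)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end)))
    events = []
    for (orig, xlated), spans in by_mapping.items():
        spans.sort()
        alloc_at, last_end = spans[0]
        for start, end in spans[1:]:
            if start > last_end + hold:
                # Reservation expired before this session: close the window, open another.
                events.append((orig, xlated, alloc_at, last_end + hold))
                alloc_at = start
            last_end = max(last_end, end)
        events.append((orig, xlated, alloc_at, last_end + hold))
    events.sort(key=lambda e: e[2])
    return events

if __name__ == "__main__":
    for orig, xlated, alloc, rel in infer_reservations(SAMPLE_SESSIONS, 30 * 60):
        print(f"{orig} -> {xlated} allocated {alloc:%H:%M:%S} released {rel:%H:%M:%S}")
```

The output is an approximation: it shows when the pool address would have been held according to the configured reserve-time, not an event the firewall itself recorded.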