If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

Reply
L2 Linker

If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?


I have been researching Dynamic IP NAT, and have found the option to configure Dynamic IP address pools to reserve IP addresses for translation. Taken from "Understanding and Configuring NAT Tech Note":

Reserving IP Addresses

Dynamic-IP address pools can be configured to reserve IP addresses for translation. By default, the IP reservation setting,

reserve-ip, is disabled. If reserve-ip is set to yes, reserve-time must also be set to a value between 1-604800 

seconds (30 days). If set, the dynamic IP rules will support reserving an IP address up to the user specified reserve-time after

all sessions of that original source IP address translation expire. For example, if reserve-time is set to 8 hours, when the

last session of the original source IP expires, the translated IP will be reserved for another 8 hours. During this time the IP

address is “reserved” for the original source IP address. This means that other hosts will not be able to get a translated IP

address from the pool even if there are active sessions because all translated IP addresses are reserved. IP reservation is

configured from the CLI as follows:

admin@PA# set setting nat reserve-ip <yes/no>

admin@PA# set setting nat reserve-time < 1-604800 secs>

Once this is configured, will the PAN write log entries anywhere to show the address is allocated and that it has been released?

Thanks

David

L2 Linker

Re: If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

Well, I've finally had chance to try and test this.

I configured a dynamic NAT and set the nat reserve-ip to yes and the reserve-time to 30 seconds.

The connection information in the Traffic monitor showed that my client had received the IP address in the translation that I had expected (no source port translation as configured).

Unfortunately I could not fins any log event to show that the address had been reserved to my client nor could I find anything to show the reserved NAT being released after the 30 second timeout I had configured.

I would be grateful to hear if anyone else has a different experience, but must assume that the answer to my question is NO

David

L4 Transporter

Re: If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

Hello Dflanders,

Here is a command to check the nat mappings by running the below command hope that would help you.

> test nat-policy-match source 20.20.20.20 destination 10.66.25.131 destination-port 80 protocol 6

Source-NAT: Rule matched: In-Out

20.20.20.20:0 => 10.66.25.131:32353 (6),

For traffic coming from  20.20.20.20 destined to Public IP in my case 10.66.25.131, it gives the mapping below and the Nat rule name matching.

L2 Linker

Re: If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

Hi Phoenix,

That's a helpful thought and the command would be useful in checking that the configuration is as required. Unfortunately, the end customer is looking to find logging of the reservation  and release as the NAT is allocated (and I haven't been able to find any logging).

I am in the process of trying to get a feature request in place, so we'll have to see what comes out.

Regards

David

L5 Sessionator

Re: If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

Hello David,

Are you seeing any output for the following CLI command:

> show log system direction equal backward subtype equal nat

Thanks and regards,

Kunal Adak

L2 Linker

Re: If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

Hello Kunal,

I've tested the connectivity again, and although the correct NAT operations occur, there is no output from the command you suggest - all I get is the heading as per this:-

Time                Severity Subtype Object EventID ID Description

===============================================================================

admin@Test-Demo-PA-500>

It doesn't look like there is any discrete logging of the allocation and deallocation events.

I am trying to get a Feature Request under way for the end customer who is looking into thsi usage.

Regards

David

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!