If we configure Dynamic IP address pools to reserve IP addresses, is there any logging of NAT events?

I have been researching Dynamic IP NAT, and have found the option to configure Dynamic IP address pools to reserve IP addresses for translation. Taken from "Understanding and Configuring NAT Tech Note":

Reserving IP Addresses

Dynamic-IP address pools can be configured to reserve IP addresses for translation. By default, the IP reservation setting, reserve-ip, is disabled. If reserve-ip is set to yes, reserve-time must also be set to a value between 1-604800 seconds (30 days). If set, the dynamic IP rules will support reserving an IP address up to the user specified reserve-time after all sessions of that original source IP address translation expire. For example, if reserve-time is set to 8 hours, when the last session of the original source IP expires, the translated IP will be reserved for another 8 hours. During this time the IP address is "reserved" for the original source IP address. This means that other hosts will not be able to get a translated IP address from the pool even if there are active sessions because all translated IP addresses are reserved. IP reservation is configured from the CLI as follows:

    admin@PA# set setting nat reserve-ip <yes/no>
    admin@PA# set setting nat reserve-time <1-604800 secs>

Once this is configured, will the PAN write log entries anywhere to show the address is allocated and that it has been released?

Thanks

David
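The reservation behaviour quoted in the post above, as an added example that is neither part of the original post nor Palo Alto Networks code: a small Python model of a dynamic-IP pool that follows the Tech Note paragraph (an address stays bound to its original source IP for reserve-time after its last session ends, the returning host gets the same address back, and every other host is refused while the pool's addresses are all reserved). Because the model records each allocate / reserve / release transition, it shows the event stream the thread is asking PAN-OS for. The pool, host addresses and timings are constructed for the demo. One arithmetic check on the quoted range: 604800 seconds is 7 days, not 30.

```python
"""Model of a PAN-OS dynamic-IP NAT pool with reserve-ip / reserve-time.

Added example, not code from the original post or from Palo Alto Networks.
It implements the behaviour the quoted Tech Note paragraph describes so the
allocate / reserve / release transitions (which this thread finds PAN-OS does
not log) can be observed. Host addresses, the pool and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESERVE_TIME_MAX = 604_800          # PAN-OS upper bound for reserve-time (seconds)

Event = Tuple[int, str, str, str]   # (time, action, translated ip, original source ip)


def reserve_time_days(seconds: int) -> float:
    """Converts a reserve-time value to days; the maximum, 604800 s, is 7 days."""
    return seconds / 86_400


@dataclass
class Translation:
    orig_ip: str
    xlat_ip: str
    sessions: int = 0
    reserved_until: Optional[int] = None   # set only while sessions == 0 and reserve-ip is yes


@dataclass
class DynamicIpPool:
    pool: List[str]
    reserve_ip: bool = False
    reserve_time: int = 0
    events: List[Event] = field(default_factory=list)
    _active: Dict[str, Translation] = field(default_factory=dict)   # keyed by original source ip

    def __post_init__(self) -> None:
        if self.reserve_ip and not 1 <= self.reserve_time <= RESERVE_TIME_MAX:
            raise ValueError("reserve-time must be 1-604800 seconds when reserve-ip is yes")

    def _expire(self, now: int) -> None:
        """Drop reservations whose reserve-time has elapsed (this is the release event)."""
        for orig, t in list(self._active.items()):
            if t.sessions == 0 and t.reserved_until is not None and now >= t.reserved_until:
                self.events.append((now, "release", t.xlat_ip, orig))
                del self._active[orig]

    def new_session(self, orig_ip: str, now: int) -> Optional[str]:
        """Return the translated IP for a new session, or None if the pool is exhausted."""
        self._expire(now)
        t = self._active.get(orig_ip)
        if t is not None:
            if t.sessions == 0:                         # host returned inside its reserve window
                self.events.append((now, "reuse", t.xlat_ip, orig_ip))
                t.reserved_until = None
            t.sessions += 1
            return t.xlat_ip
        in_use = {t.xlat_ip for t in self._active.values()}   # active *and* reserved addresses
        free = [ip for ip in self.pool if ip not in in_use]
        if not free:
            self.events.append((now, "exhausted", "-", orig_ip))
            return None
        t = Translation(orig_ip, free[0], sessions=1)
        self._active[orig_ip] = t
        self.events.append((now, "allocate", t.xlat_ip, orig_ip))
        return t.xlat_ip

    def end_session(self, orig_ip: str, now: int) -> None:
        """Close one session; when it was the last, reserve or release the translated IP."""
        self._expire(now)
        t = self._active.get(orig_ip)
        if t is None or t.sessions == 0:
            return                                      # nothing allocated to this host
        t.sessions -= 1
        if t.sessions == 0:
            if self.reserve_ip:
                t.reserved_until = now + self.reserve_time
                self.events.append((now, "reserve", t.xlat_ip, orig_ip))
            else:
                self.events.append((now, "release", t.xlat_ip, orig_ip))
                del self._active[orig_ip]


def demo(reserve_ip: bool, reserve_time: int = 30) -> List[Event]:
    """Two hosts contend for a one-address pool; returns the event log."""
    p = DynamicIpPool(pool=["203.0.113.10"], reserve_ip=reserve_ip, reserve_time=reserve_time)
    p.new_session("10.0.0.5", now=0)
    p.end_session("10.0.0.5", now=10)   # last session of 10.0.0.5 ends
    p.new_session("10.0.0.6", now=15)   # refused while the address is reserved
    p.new_session("10.0.0.5", now=20)   # original host comes back within reserve-time
    p.end_session("10.0.0.5", now=25)
    p.new_session("10.0.0.6", now=60)   # reserve-time has elapsed, address released
    return p.events


if __name__ == "__main__":
    for ev in demo(reserve_ip=True):
        print("t=%3d %-9s %-14s %s" % ev)
```

Running demo(reserve_ip=True) shows the second host refused at t=15 even though no session is active on the single pool address, which is the exhaustion risk the Tech Note warns about; demo(reserve_ip=False) shows the address handed straight to the second host and the first host refused on return instead. On a real firewall the nearest operational view of pool usage is the pool state rather than an event log; the commands show running ippool and show running nat-rule-ippool rule <rule-name> are not from this thread and should be confirmed against the CLI reference for your PAN-OS version.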



Well, I've finally had chance to try and test this.

I configured a dynamic NAT and set the nat reserve-ip to yes and the reserve-time to 30 seconds.

The connection information in the Traffic monitor showed that my client had received the IP address in the translation that I had expected (no source port translation as configured).

Unfortunately I could not find any log event to show that the address had been reserved to my client, nor could I find anything to show the reserved NAT being released after the 30 second timeout I had configured.

I would be grateful to hear if anyone else has a different experience, but must assume that the answer to my question is NO

David

Hello Dflanders,

Here is a command to check the NAT mappings; I hope it helps you.

    > test nat-policy-match source 20.20.20.20 destination 10.66.25.131 destination-port 80 protocol 6

    Source-NAT: Rule matched: In-Out
    20.20.20.20:0 => 10.66.25.131:32353 (6),

For traffic coming from 20.20.20.20 destined to the public IP (in my case 10.66.25.131), it gives the mapping above and the name of the matching NAT rule.

Hi Phoenix,

That's a helpful thought and the command would be useful in checking that the configuration is as required. Unfortunately, the end customer is looking to find logging of the reservation and release as the NAT is allocated (and I haven't been able to find any logging).

I am in the process of trying to get a feature request in place, so we'll have to see what comes out.

Regards

David

Hello David,

Are you seeing any output for the following CLI command:

> show log system direction equal backward subtype equal nat

Thanks and regards,

Kunal Adak

Hello Kunal,

I've tested the connectivity again, and although the correct NAT operations occur, there is no output from the command you suggest - all I get is the heading as per this:-

    Time                Severity Subtype Object EventID ID Description
    ===============================================================================
    admin@Test-Demo-PA-500>

It doesn't look like there is any discrete logging of the allocation and deallocation events.

I am trying to get a Feature Request under way for the end customer who is looking into this usage.

Regards

David
