Outbound NAT pool question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Outbound NAT pool question

L3 Networker

For reasons I will not go into here, I want to take outbound traffic from secure to unsecure and convert it from a many to 1 NAT rule to a many to many NAT rule.   I have 1024 public IP addresses.  I want to take a section of my network and provide around 1000 devices with a NAT pool of around 254 addresses.   Is this possible?   I've tried this with other firewall vendors and have run into bugs.

I found this in the admin guide.

Dynamic IP—For outbound traffic. Private source addresses translate to the next available address in the specified address range. Dynamic IP NAT policies allow you to specify a single IP address, an IP range, or a subnet as the translation address pool. If the source address pool is larger than the translated address pool, new IP addresses seeking translation will be blocked while the translated address pool is fully utilized.

And I found this document: which leads me to believe that the over subscription issue applies to Dynamic-IP, but not to Dynamic-IP-and-Port.

Can I oversubscribe Dynamic-IP-and-Port without running into the blocking issue?

1 accepted solution

Accepted Solutions

L5 Sessionator

Edwin,

When you use Dynamic IP and Port, you translate all your private addresses to a SINGLE ip address and on different ports whereas dynamic ip lets you specify a range of addresses. Also, if your source pool(N) is greater than the translation address pool(M), the M+1 connection will be dropped. In your case, if you want to translate 1000 ips to different addresses, use a NAT pool of 1000 addresses.

Thanks,

Sri

View solution in original post

2 REPLIES 2

L5 Sessionator

Edwin,

When you use Dynamic IP and Port, you translate all your private addresses to a SINGLE ip address and on different ports whereas dynamic ip lets you specify a range of addresses. Also, if your source pool(N) is greater than the translation address pool(M), the M+1 connection will be dropped. In your case, if you want to translate 1000 ips to different addresses, use a NAT pool of 1000 addresses.

Thanks,

Sri

How come this is this way and is this due to a hardware limitation (or can it be fixed by a feature request)?

Because if one just use dynamic ip then the source port will not be changed which means that if the source port is already used by some other client then client2 wont be able to establish an outbound connection (not until the first established connection is shutdown).

This is fixed by using dynamic ip + dynamic port which will just select any >1023 available port and map this to the current connection (client) no matter who the client it is on the inside.

But when using a pool along with dynamic ip + dynamic port I would expect the same behaviour. That it starts by 1 dynamic ip out of the pool per client. But when client M+1 shows up it would just select any available dynamic ip + dynamic port (and continue to use that dynamic ip pair) - or for that matter start again from the first ip in the pool.

If we compare this to a manual setup it would be:

client1+5, use dynamic ip 1.1.1.1 + dynamic port.

client 2+6, use dynamic ip 1.1.1.2 + dynamic port.

client 3, use dynamic ip 1.1.1.3 + dynamic port.

client 4, use dynamic ip 1.1.1.4 + dynamic port.

  • 1 accepted solution
  • 2286 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!