Use Cases
Overview
Below are the available source address translation types and the typical use case for each:
To add more IP addresses to the outbound pool, change the address type to 'Translated Address' and add
valid public IPs to the list. The firewall will load balance across the address pool on a per-session basis.
Generated on 2015-03-22-07:00
Source NAT Translation Types and Typical Use Cases
Use the following CLI command to check the NAT pool utilization:
> show running global-ippool
Dynamic IP
For a given source IP address, the firewall will translate the source IP to an IP in the pool or range defined.
The mapping is not port based, which makes this a one-to-one mapping for as long as the session lasts. Each
concurrent session will utilize an address from the pool, making it unavailable to other source IPs. Be aware
when using this option that the translated pool of addresses can be exhausted if the number of internal
hosts concurrently creating outbound sessions exceeds the number of IP addresses in the dynamic pool. This
option would be used when there is more than one public IP from the ISP, but not enough to allocate one to
each internal host on the network, and you only want to assign them to outbound hosts as needed. It is common to
assign a range of IP addresses to the dynamic pool:
To view the current NAT pool mappings for a given NAT policy run the following CLI command:
> show running nat-rule-ippool rule <NAT rule name>
Static IP
This translation type can be used to translate a single source address to a specific public address. This is
typically used when needing to expose a server (e-mail, web or any application) externally using a translated
address that will not change.
Selecting 'Yes' for Bi-directional will create the mapping in both directions based on the source\destination
zones that are specified. If 'Bi-directional' is set to 'No', then the mapping will only be created based on the
direction of the source\destination zones. Static NAT policies used for publicly exposed servers usually have
'Bi-directional' set to 'Yes', so the outbound traffic for the server will use the same address used for inbound
traffic, as shown below:
The Static IP mapping type can also be used to translate an entire address range to a specific address range.
This will also be a one-to-one mapping. The number of source IPs using this policy must be an exact match
to the translated range. This is typically used to resolve overlapping IP ranges when merging networks. The
policy below will translate all source addresses with a 10.20.1.x address destined to the Corp Zone to a matching
address in the 10.30.1.x range:
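
The one-to-one range mapping described above can be checked before a rule is committed. The following is an added Python example, not PAN-OS configuration and not part of the original document; it assumes a "matching address" means the same offset within the range, and the concrete range boundaries and the function name `build_static_range_nat` are constructed for illustration.

```python
import ipaddress


def build_static_range_nat(src_range, xlat_range):
    """Model a Static IP range-to-range source NAT rule.

    src_range and xlat_range are (first, last) address strings.
    Returns (forward, reverse) translator functions; reverse models
    the return direction when 'Bi-directional' is set to 'Yes'.
    Raises ValueError if the ranges are not the same size.
    """
    s_first, s_last = (ipaddress.ip_address(a) for a in src_range)
    t_first, t_last = (ipaddress.ip_address(a) for a in xlat_range)
    if s_last < s_first or t_last < t_first:
        raise ValueError("range end precedes range start")
    s_size = int(s_last) - int(s_first) + 1
    t_size = int(t_last) - int(t_first) + 1
    if s_size != t_size:
        # The page requires an exact match between the two ranges.
        raise ValueError(
            f"source range has {s_size} addresses, translated range has {t_size}"
        )

    def _map(addr, from_first, from_last, to_first):
        ip = ipaddress.ip_address(addr)
        if not from_first <= ip <= from_last:
            return None  # address is outside the rule, no translation
        # Assumption: the offset inside the range is preserved.
        return str(to_first + (int(ip) - int(from_first)))

    def forward(addr):
        return _map(addr, s_first, s_last, t_first)

    def reverse(addr):
        return _map(addr, t_first, t_last, s_first)

    return forward, reverse


if __name__ == "__main__":
    # Constructed ranges standing in for 10.20.1.x and 10.30.1.x.
    fwd, rev = build_static_range_nat(
        ("10.20.1.0", "10.20.1.255"), ("10.30.1.0", "10.30.1.255")
    )
    for host in ("10.20.1.57", "10.20.2.5"):
        print(host, "->", fwd(host))
    print("10.30.1.57 <-", rev("10.30.1.57"))
```
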
owner: jteetsel