Enter the following commands:
admin@PA-3250# set vsys <vsysid> setting nat reserve-ip yes
admin@PA-3250# set vsys <vsysid> setting nat reserve-time <1-604800 secs>
For
example, suppose there is a Dynamic IP NAT pool of 30 addresses
and there are 20 translations in progress when the nat reserve-time is set
to 28800 seconds (8 hours). Those 20 translations are now reserved,
so that when the last session (of any application) that uses each
source IP/translated IP mapping expires, the translated IP address
is reserved for only that source IP address for 8 hours, in case
that source IP address needs translation again. Additionally, as
the 10 remaining translated addresses are allocated, they each are
reserved for their source IP address, each with a timer that begins
when the last session for that source IP address expires.
In
this manner, each source IP address can be repeatedly translated
to its same NAT address from the pool; another host will not be
assigned a reserved translated IP address from the pool, even if
there are no active sessions for that translated address.
Suppose
a source IP/translated IP mapping has all of its sessions expire,
and the reservation timer of 8 hours begins. After a new session
for that translation begins, the timer stops, and the sessions continue
until they all end, at which point the reservation timer starts
again, reserving the translated address.
The reservation timer
remain in effect on the Dynamic IP NAT pool until you disable it
by entering the set setting nat reserve-ip no command
or you change the nat reserve-time to a different value.
The
CLI commands for reservations do not affect Dynamic IP and Port
(DIPP) or Static IP NAT pools.
