Configure Destination NAT Using Dynamic IP Addresses
Use Destination NAT to translate the original destination address to a destination host or server that has a dynamic IP address and uses an FQDN. Destination NAT using a dynamic IP address is especially helpful in cloud deployments, which typically use dynamic IP addressing. When the host or server in the cloud has new (dynamic) IP addresses, you don't need to manually update the NAT policy rule by continuously querying the DNS server, nor do you need to use a separate, external component to update the DNS server with the latest FQDN-to-IP address mapping.
When you configure destination NAT using dynamic IP addresses, you should use only an FQDN (not an IP netmask or IP range).
In the following example topology, clients want to reach servers that are hosting web applications in the cloud. An external Elastic Load Balancer (ELB) connects to firewalls, which connect to internal ELBs that connect to the servers. Over time, Amazon Web Services (AWS), for example, adds (and removes) IP addresses for the FQDN assigned to the internal ELBs based on the demand for services. Using an FQDN for NAT to the internal ELB lets the policy resolve to different IP addresses at different times, making destination NAT easier to use because the updates are dynamic.
1. Create an address object using the FQDN of the server to which you want to translate the address.
   a. Select Objects > Addresses and Add an address object by Name, such as post-NAT-Internal-ELB.
   b. Select FQDN as the Type and enter the FQDN. In this example, the FQDN is ielb.appweb.com.
   c. Click OK.
2. Create the destination NAT policy.
   a. Select Policies > NAT and Add a NAT policy rule by Name on the General tab.
   b. Select ipv4 as the NAT Type.
   c. On the Original Packet tab, Add the Source Zone and Destination Zone.
   d. On the Translated Packet tab, in the Destination Address Translation section, select Dynamic IP (with session distribution) as the Translation Type.
   e. For Translated Address, select the address object you created for the FQDN. In this example, the address object is post-NAT-Internal-ELB.
   f. For Session Distribution Method, select one of the following:
      - Round Robin (default)—Assigns new sessions to IP addresses in rotating order. Unless you have a reason to change the distribution method, round robin distribution is likely suitable.
      - Source IP Hash—Assigns new sessions based on a hash of the source IP address. If your traffic comes from a single source IP address, don't select Source IP Hash; select a different method, because every session would hash to the same translated address.
      - IP Modulo—The firewall XORs the source and destination IP addresses of the incoming packet and applies a modulo operation; the result determines the IP address to which the firewall assigns the new session.
      - IP Hash—Assigns new sessions based on a hash of the source and destination IP addresses.
      - Least Sessions—Assigns new sessions to the IP address with the fewest concurrent sessions. If you have many short-lived sessions, Least Sessions provides a more balanced distribution of sessions.
The firewall does not remove duplicate IP addresses from the list of destination IP addresses before it distributes sessions among the multiple IP addresses. The firewall distributes sessions to the duplicate addresses in the same way it distributes sessions to non-duplicate addresses. (Duplicate addresses in the translation pool can occur, for example, if the translated address is an address group of address objects, and one address object is an FQDN that resolves to an IP address, while another address object is a range that includes the same IP address.)
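To see how the session distribution methods above behave over the addresses an FQDN object resolves to, and why a duplicate address in the pool matters, here is an added model (not PAN-OS code): the firewall's hash function is not documented on this page, so SHA-256 is assumed, and IP Modulo is modelled as (source XOR destination) mod pool size; the pool and flows are constructed sample values.

```python
"""Model of destination NAT session distribution over an FQDN-resolved pool.
Added example, not firewall code: hash function and modulo details are assumed."""
import hashlib
import ipaddress
from collections import Counter


def _h(*parts: str) -> int:
    # Assumed hash; only "same input -> same slot" matters for the model.
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")


class Distributor:
    def __init__(self, pool, method="round_robin"):
        # Duplicates are kept on purpose: the firewall does not de-duplicate
        # the translation pool, so a duplicated address gets a double share.
        self.pool = list(pool)
        self.method = method
        self._rr = 0
        self.active = Counter()  # concurrent sessions per pool slot

    def pick(self, src: str, dst: str):
        """Choose a pool slot for a new session; returns (slot, translated IP)."""
        n = len(self.pool)
        if self.method == "round_robin":
            slot, self._rr = self._rr % n, self._rr + 1
        elif self.method == "source_ip_hash":
            slot = _h(src) % n
        elif self.method == "ip_hash":
            slot = _h(src, dst) % n
        elif self.method == "ip_modulo":
            s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
            slot = (s ^ d) % n
        elif self.method == "least_sessions":
            slot = min(range(n), key=lambda k: (self.active[k], k))  # ties: lowest slot
        else:
            raise ValueError(f"unknown method {self.method}")
        self.active[slot] += 1
        return slot, self.pool[slot]

    def end_session(self, slot: int) -> None:
        self.active[slot] -= 1


# Constructed pool: the FQDN resolves to two IPs, and a range in the same
# address group also covers 10.0.1.10, so that address appears twice.
POOL = ["10.0.1.10", "10.0.1.11", "10.0.1.10"]
FLOWS = [(f"192.0.2.{i}", "203.0.113.5") for i in range(1, 7)]  # constructed flows


def simulate(pool, method, flows):
    """Return how many new sessions each translated IP receives."""
    d = Distributor(pool, method)
    return Counter(ip for _, ip in (d.pick(s, t) for s, t in flows))
```

With round robin over six new sessions the duplicated 10.0.1.10 receives four of them and 10.0.1.11 two, which is the effect the note above describes.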