• NAT-Src from a DIP Pool with PAT Enabled on page 18
• NAT-Src from a DIP Pool with PAT Disabled on page 21
• NAT-Src from a DIP Pool with Address Shifting on page 23
• NAT-Src from the Egress Interface IP Address on page 27
Introduction to NAT-Src
It is sometimes necessary for the security device to translate the original source IP address in an IP packet header to another address. For example, when hosts with private IP addresses initiate traffic to a public address space, the security device must translate the private source IP address to a public one. Also, when sending traffic from one private address space through a VPN to a site using the same addresses, the security devices at both ends of the tunnel must translate the source and destination IP addresses to mutually neutral addresses.
NOTE: For information about public and private IP addresses, see Public IP Addresses and Private IP Addresses.
A dynamic IP (DIP) address pool provides the security device with a supply of addresses from which to draw when performing Source Network Address Translation (NAT-src).
When a policy requires NAT-src and references a specific DIP pool, the security device draws addresses from that pool when performing the translation.
NOTE: The DIP pool must use addresses within the same subnet as the default interface in the destination zone referenced in the policy. If you want to use a DIP pool with addresses outside the subnet of the destination zone interface, you must define a DIP pool on an extended interface. For more information, see Using DIP in a Different Subnet.
The DIP pool can be as small as a single IP address, which, if you enable Port Address Translation (PAT), can support up to 64,500 hosts concurrently. Although all packets receiving a new source IP address from that pool get the same address, they each get a different port number. The unique port number assigned for each IP address can be used only once and can support up to 62463 sessions per IP address. By maintaining a session table entry that matches the original address and port number with the translated address and port number, the security device can track which packets belong to which session and which sessions belong to which hosts.
NOTE: When PAT is enabled, the security device also maintains a pool of free port numbers to assign along with addresses from the DIP pool. The figure of up to 64,500 is derived by subtracting 1023, the numbers reserved for the well-known ports, from the maximum number of ports, which is 65,535.
The DIP pool supports more ports per session only if two packets have different destination IP addresses. The security device can translate different source IP addresses and port numbers to a single translated IP address and port number without conflict as long as the destination IP addresses differ.
To enable a DIP pool to support more ports per session, you create port pools. A port pool consists of all available ports for an IP address. You override the port pool for a group of destination IP addresses that have the same hash value. The number of times you override the port pool of an IP address is determined by the scale-size. You can configure the scale-size using the following CLI:
set interface interface [ ext ip ip_addr/mask ] dip id_num ip_addr1 [ ip_addr2 ] [ random-port | incoming ] [ scale-size number ]
By default, scale-size is 1. The maximum scale-size for an interface cannot exceed the dip-scale-size value specified in the vsys profile.
After you configure the scale-size, an IP address will have multiple port pools. When packets arrive, ScreenOS calculates a hash value using the destination IP address and the scale-size. Based on the hash value, a port number is allocated from the corresponding port pool.
Every port pool has 62463 single ports. Hence, every IP address can support up to scale-size * 62463 sessions.
In this example, you assign ethernet3/1 an IP Address Range of 1.1.1.23 to 1.1.1.26 with DIP ID 5. Set the Scale Size to 2 and the DIP Scale Size of the vsys profile to 2.
WebUI
Network > Interface > Edit (for ethernet3/1) > DIP: Enter the following, then click OK:
ID: 5
IP Address Range: 1.1.1.23 ~ 1.1.1.26
Port Translation: (select)
Scale Size: 2
Vsys > Profile > Edit: Enter the following, then click OK:
DIP Scale Size: 2
CLI
set interface ethernet3/1 dip 5 1.1.1.23 1.1.1.26 scale-size 2
get interface ethernet3/1 dip 5 detail
set vsys-profile name dip-scale-size 2
get vsys-profile
After you configure the scale-size, every IP address supports up to scale-size * 62463 sessions.
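To make the port-pool arithmetic concrete, here is an added Python model of one PAT address with scale-size port pools. It is illustrative code written for this page, not ScreenOS code. The pool size (4 ports instead of 62463), the translated address 1.1.1.23, the inside hosts, the destination addresses and the hash (integer value of the destination IPv4 address modulo scale-size) are all constructed or assumed, since ScreenOS does not document its hash function. The model shows that traffic to a single destination can never consume more than one pool's worth of ports, that destinations hashing to another pool still get ports (reusing the same port numbers), and that with scale-size 1 the second destination is refused once the only pool is empty.

```python
import ipaddress


# Constructed demo sizes. A real ScreenOS port pool holds 62463 ports; four
# ports per pool keep the exhaustion behaviour visible in a short run.
PORTS_PER_POOL = 4
FIRST_PORT = 1024


class PatAddress:
    """One translated source IP address with `scale_size` port pools.

    Each pool is an independent supply of translated source ports. The
    destination address of a packet selects the pool, so the same translated
    port number can be handed out once per pool as long as destinations differ.
    """

    def __init__(self, ip, scale_size=1):
        self.ip = ip
        self.scale_size = scale_size
        self.pools = [list(range(FIRST_PORT, FIRST_PORT + PORTS_PER_POOL))
                      for _ in range(scale_size)]

    def capacity(self):
        # The document's formula: scale-size * ports per pool.
        return self.scale_size * PORTS_PER_POOL

    def bucket(self, dst_ip):
        # Assumed hash: ScreenOS only states that the hash covers the
        # destination IP and the scale-size; this modulo is a stand-in.
        return int(ipaddress.IPv4Address(dst_ip)) % self.scale_size

    def allocate(self, dst_ip):
        """Return a free translated port for traffic to dst_ip, or None."""
        pool = self.pools[self.bucket(dst_ip)]
        return pool.pop(0) if pool else None


class NatSrcTable:
    """Minimal session table: original flow key -> translated (ip, port)."""

    def __init__(self, address):
        self.address = address
        self.sessions = {}

    def open_session(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self.address.allocate(dst_ip)
        if port is None:
            return None  # the pool serving this destination is exhausted
        self.sessions[key] = (self.address.ip, port)
        return self.sessions[key]


def demo(scale_size=2):
    """Exhaust the pool for one destination, then try a second destination.

    Constructed hosts 10.10.10.x talk to 10.0.0.1 (odd, hashes to pool 1) and
    10.0.0.2 (even, hashes to pool 0) through the translated address 1.1.1.23.
    """
    table = NatSrcTable(PatAddress("1.1.1.23", scale_size=scale_size))
    to_first = [table.open_session("10.10.10.%d" % i, 40000 + i, "10.0.0.1", 80)
                for i in range(1, PORTS_PER_POOL + 2)]
    to_second = table.open_session("10.10.10.99", 40099, "10.0.0.2", 80)
    return {
        "capacity": table.address.capacity(),
        "first_dst_ok": sum(s is not None for s in to_first),
        "first_dst_rejected": to_first[-1] is None,
        "second_dst": to_second,
        "port_reused_across_dst": (to_second is not None
                                   and to_second[1] == to_first[0][1]),
    }


if __name__ == "__main__":
    print(demo(scale_size=2))
    print(demo(scale_size=1))
```

Running it with scale-size 2 reports a capacity of 8, four accepted sessions and one rejection toward 10.0.0.1, and a successful session toward 10.0.0.2 that reuses port 1024; with scale-size 1 the capacity drops to 4 and the session toward 10.0.0.2 is refused as well.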
In transparent mode, the current version of ScreenOS supports only policy based NAT-src with the dip pool built on the extended VLAN interface. To perform the address translation, you must configure a DIP pool on the VLAN interface and use the extended interface option to define an address range for the DIP pool. For more information, see Using DIP in a Different Subnet.
In the following example, you configure various DIP pools such as fix-port, port-xlate, and ip-shift on the vlan1 interface.
WebUI
1. Interfaces
Network>Interface>Edit (vlan1): Enter the following, then click OK:
Zone Name: VLAN
IP Address/Netmask: 10.10.10.1/24
2. DIP
Network > Interfaces > Edit (for vlan1) > DIP > New: Enter the following, then click OK:
ID: 21
IP Address Range (select), 20.20.20.1 ~ 20.20.20.10
Port translation (select)
IP Shift (select), From 5.5.5.1 To 20.20.20.50 ~ 20.20.20.59
In the same subnet as the extended IP (select)
Extended Ip/Netmask: 20.20.20.1/24
CLI
set interface vlan1 ip 10.10.10.1/24
set interface vlan1 ext ip 20.20.20.1/24 dip 20 20.20.20.1 20.20.20.10
set interface vlan1 ext ip 20.20.20.1/24 dip 21 20.20.20.30 20.20.20.39 fix-port
set interface vlan1 ext ip 20.20.20.1/24 dip 22 shift-from 5.5.5.1 to 20.20.20.50 20.20.20.59
save
NOTE: In transparent mode, ScreenOS supports only policy based NAT-src on incoming packets.
If you use NAT-src but do not specify a DIP pool in the policy, the security device translates the source address to that of the egress interface in the destination zone. In such cases, PAT is required and automatically enabled.
For applications requiring that a particular source port number remain fixed, you must disable PAT and define a DIP pool with a range of IP addresses large enough for each concurrently active host to receive a different translated address. For fixed-port DIP, the security device assigns one translated source address to the same host for all its concurrent sessions. In contrast, when the DIP pool has PAT enabled, the security device might assign a single host different addresses for different concurrent sessions—unless you define the DIP as sticky (see Sticky DIP Addresses).
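As an added illustration of the last two paragraphs (written for this page, not ScreenOS code), the following Python compares a fixed-port DIP pool with a PAT-enabled one, with and without sticky behaviour. The two-address pool 1.1.1.30-1.1.1.31, the inside hosts 10.1.1.x and the source ports are constructed; the round-robin address choice for PAT and the simple port counter are assumptions standing in for whatever ScreenOS actually does. It shows why a fixed-port pool needs an address per concurrent host, that a PAT pool may give one host different addresses across sessions, and that a sticky PAT pool pins the host to its first address.

```python
import itertools


class FixedPortDip:
    """DIP pool with PAT disabled.

    Each host is bound to one translated address for all of its concurrent
    sessions and keeps its original source port, so the pool can serve no
    more concurrently active hosts than it has addresses.
    """

    def __init__(self, addresses):
        self.free = list(addresses)
        self.bound = {}  # original source IP -> translated address

    def translate(self, src_ip, src_port):
        if src_ip not in self.bound:
            if not self.free:
                return None  # more concurrent hosts than pool addresses
            self.bound[src_ip] = self.free.pop(0)
        return (self.bound[src_ip], src_port)  # source port is preserved


class PatDip:
    """DIP pool with PAT enabled.

    Every session gets an address plus a fresh translated port. Address
    selection is an assumed round-robin; with sticky=True the first address
    chosen for a host is reused for that host's later sessions.
    """

    def __init__(self, addresses, sticky=False):
        self.cycle = itertools.cycle(list(addresses))
        self.sticky = sticky
        self.bound = {}
        self.next_port = 1024  # assumed counter, not the ScreenOS port pool

    def translate(self, src_ip, src_port):
        if self.sticky and src_ip in self.bound:
            addr = self.bound[src_ip]
        else:
            addr = next(self.cycle)
            self.bound.setdefault(src_ip, addr)
        port, self.next_port = self.next_port, self.next_port + 1
        return (addr, port)


def compare():
    """Run the same three hosts through each pool type (constructed data)."""
    addresses = ["1.1.1.30", "1.1.1.31"]

    fixed = FixedPortDip(addresses)
    fixed_a = [fixed.translate("10.1.1.5", 5060), fixed.translate("10.1.1.5", 5061)]
    fixed_b = fixed.translate("10.1.1.6", 5060)
    fixed_c = fixed.translate("10.1.1.7", 5060)  # third concurrent host

    pat = PatDip(addresses)
    pat_a = [pat.translate("10.1.1.5", 5060), pat.translate("10.1.1.5", 5061)]

    sticky = PatDip(addresses, sticky=True)
    sticky_a = [sticky.translate("10.1.1.5", 5060),
                sticky.translate("10.1.1.5", 5061)]

    return {
        "fixed_a": fixed_a,      # same address, original ports kept
        "fixed_b": fixed_b,      # second host gets the second address
        "fixed_c": fixed_c,      # None: pool of two addresses is exhausted
        "pat_a": pat_a,          # one host, two different addresses
        "sticky_a": sticky_a,    # one host, one address, new ports
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```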