How To Configure Fallback NAT if Dynamic IP Pool is Exhausted
Resolution
Issue
There are instances where we want to source NAT IP addresses to a pool of addresses (Dynamic Pool) and not perform IP and port translations (Dynamic IP and port). The Source NAT would work fine with no traffic issues for the originating sources, until the IP pool is exhausted (no more IP's available to use for NAT). After the pool is exhausted, any session for a new originating source will not be established and this will cause packet drops for this new traffic.
Resolution
PAN-OS 5.0 introduced a feature called "Fallback Dynamic IP translation" to help resolve this issue. Use this option to create a fall back pool that will perform IP and port translation and will be used if the primary pool runs out of addresses. Addresses can be defined for the pool by using the Translated Address option or the Interface Address option, which is for interfaces that receive an IP address dynamically. When creating a fall back pool, make sure addresses do not overlap with addresses in the primary pool.*
Steps
The fallback translating method can be configured to use an alternate way to translate the source IP addresses for the new originating sources, once the pool is exhausted. The fallback is configured under the "Advanced (Dynamic IP/Port Fallback) setting, as follows:
- Go to the Translated Packet tab of the NAT policy rule.
- Select "Translated Address" in the drop-down under "Advanced (Dynamic IP/Port Fallback)"
- Configure another address pool for Dynamic IP
- Select "Interface Address" in the drop-down under "Advanced (Dynamic IP/Port Fallback)"
- Configure Interface-based port translation (Dynamic IP and Port )
Note: When creating a fall back pool, make sure addresses do not overlap with addresses in the primary pool.
*Sourced from the Help Guide > Policies and Security Profiles > Table 148. NAT Rule Settings (Translated Packet Tab)
owner: kprakash