Dynamic IP Address Support for Destination NAT
Configure destination NAT to a host or a server that has a dynamic IP address and uses an FQDN, which is helpful in cloud deployments that use dynamic IP addressing.
Destination NAT is enhanced so that you can translate the original destination address to a destination host or server that has a dynamic IP address associated with an FQDN that DNS can resolve. This is especially helpful in cloud deployments, which typically use dynamic IP addressing across multiple servers (see Configure Destination NAT Using Dynamic IP Addresses). Each time the host or server in the cloud receives a new (dynamic) IP address, you don’t have to manually update the NAT policy rule by continuously querying the DNS server, nor do you need a separate external component to update the DNS server with the latest FQDN-to-IP address mapping. The dynamic IP translation type for destination NAT is in addition to the static, one-to-one translation, which continues to be supported in this and earlier releases.
If an FQDN used as the translated destination NAT address resolves to more than one IP address, the firewall automatically distributes translated sessions among those addresses using a round-robin algorithm, which improves session distribution. Each FQDN can support up to 32 IPv4 addresses and 32 IPv6 addresses. If a DNS server returns more than 32 addresses for an FQDN, the firewall uses the first 32 addresses in the DNS response.
Using the Dynamic IP (with session distribution) translation type also allows you to translate multiple original destination IP addresses to multiple translated destination IP addresses. A many-to-many translation means, for example, that three original destination IP addresses and four translated destination IP addresses can result in 12 possible destination NAT translations using a single NAT rule.
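The following Python model illustrates the two behaviours described above: the per-FQDN cap of 32 IPv4 and 32 IPv6 addresses taken in DNS answer order, and round-robin session distribution across the resolved pool, which for three original destinations and four resolved addresses gives 12 possible translations. It is an added example, not firewall code or any vendor API; the FQDNs, addresses and the in-memory `FAKE_DNS` resolver are constructed so the model runs offline, and the class and function names are hypothetical.

```python
"""Illustrative model of destination NAT with translation type
Dynamic IP (with session distribution). Not firewall code."""
from itertools import cycle
from ipaddress import ip_address
from typing import Callable, Dict, List, Sequence

# Per-FQDN limit stated in the text: the firewall keeps up to 32 IPv4 and
# 32 IPv6 addresses and ignores any further answers from the DNS server.
MAX_ADDRESSES_PER_FAMILY = 32

# Constructed stand-in for a DNS server so the model runs offline.
# Names and addresses are made up for the example.
FAKE_DNS: Dict[str, List[str]] = {
    "elb.example.test": ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"],
    "dual.example.test": ["10.0.2.1", "2001:db8::1", "10.0.2.2"],
    # 40 A records: only the first 32 may be used for translation
    "big.example.test": [f"10.9.0.{i}" for i in range(1, 41)],
}


def fake_resolve(fqdn: str) -> List[str]:
    """Return the A/AAAA answers for fqdn in the order the (fake) server sent them."""
    if fqdn not in FAKE_DNS:
        raise LookupError(f"no DNS answer for {fqdn}")
    return list(FAKE_DNS[fqdn])


def usable_addresses(answers: Sequence[str]) -> List[str]:
    """Apply the cap: first 32 IPv4 and first 32 IPv6 answers, in answer order."""
    v4: List[str] = []
    v6: List[str] = []
    for text in answers:
        bucket = v4 if ip_address(text).version == 4 else v6
        if len(bucket) < MAX_ADDRESSES_PER_FAMILY:
            bucket.append(text)
    return v4 + v6


class DynamicDestinationNatRule:
    """One destination NAT rule whose translated address is an FQDN address object."""

    def __init__(self, original_destinations: Sequence[str], translated_fqdn: str,
                 resolver: Callable[[str], List[str]] = fake_resolve) -> None:
        self.original_destinations = list(original_destinations)
        self.translated_fqdn = translated_fqdn
        self.resolver = resolver
        self.pool: List[str] = []
        self.refresh()

    def refresh(self) -> List[str]:
        """Re-resolve the FQDN and rebuild the round-robin pool.

        The firewall does this on its own when the DNS record changes, which is
        why the rule never has to be edited when the server's IP address moves.
        """
        self.pool = usable_addresses(self.resolver(self.translated_fqdn))
        self._round_robin = cycle(self.pool)
        return self.pool

    def translate(self, original_dst: str) -> str:
        """Pick the translated destination for a new session to original_dst."""
        if original_dst not in self.original_destinations:
            raise ValueError(f"{original_dst} is not an original destination of this rule")
        if not self.pool:
            raise RuntimeError(f"{self.translated_fqdn} currently resolves to no usable address")
        return next(self._round_robin)

    def possible_translations(self) -> int:
        """Many-to-many: every original destination can map to every pooled address."""
        return len(self.original_destinations) * len(self.pool)


if __name__ == "__main__":
    rule = DynamicDestinationNatRule(
        ["203.0.113.10", "203.0.113.11", "203.0.113.12"], "elb.example.test")
    print("pool:", rule.pool, "possible translations:", rule.possible_translations())
    for _ in range(5):
        print("203.0.113.10 ->", rule.translate("203.0.113.10"))
    print("capped pool size:", len(DynamicDestinationNatRule(["203.0.113.20"], "big.example.test").pool))
```

Running the script shows the four pooled addresses being handed out in turn and wrapping back to the first on the fifth session, and the 40-answer FQDN being trimmed to 32 entries. When checking a live firewall, the same expectations (pool size after resolution, even spread of new sessions across the pool) are what you would compare against the session table after the commit.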
- Create an address object using the FQDN of the ELB or server to which you want to translate the address.
- Create the destination NAT policy.
- For the original packet, specify the publicly routed IP address of the service hosted behind the firewall as the destination address.
- Configure the Translation Type for the translated packet as Dynamic IP (with session distribution).
- Enter the FQDN address object (that you created) as the Translated Address.
- Click OK.
- Commit your changes.