Dynamic IP Address Support for Destination NAT

Configure destination NAT to a host or a server that has a dynamic IP address and uses an FQDN, which is helpful in cloud deployments that use dynamic IP addressing.
Destination NAT is enhanced so that you can translate the original destination address to a destination host or server that has a dynamic IP address and is identified by an FQDN. This is especially helpful in cloud deployments, which typically use dynamic IP addressing. When the host or server in the cloud receives a new (dynamic) IP address, you don’t have to manually update the NAT policy rule by continuously querying the DNS server, nor do you need a separate external component to update the DNS server with the latest FQDN-to-IP address mapping. The dynamic IP translation type for destination NAT is in addition to the static, one-to-one translation that continues to be supported in this and earlier releases.
If an FQDN in the post-NAT (translated) destination address resolves to more than one IP address, the firewall automatically distributes translated sessions among those addresses (based on a round-robin algorithm) to provide improved session distribution. Each FQDN can support up to 32 IPv4 addresses and 32 IPv6 addresses. If a DNS server returns more than 32 addresses for an FQDN, the firewall uses the first 32 addresses in the packet.
Using the Dynamic IP (with session distribution) destination address type allows you to translate multiple pre-NAT destination IP addresses (M) to multiple post-NAT destination IP addresses (N). A many-to-many translation means there can be M x N possible destination NAT translations using a single NAT rule.
You can configure the frequency at which the firewall refreshes an FQDN (see Use Case 1: Firewall Requires DNS Resolution for Management Purposes).
  1. Create an address object using the FQDN of the ELB or server to which you want to translate the address.
  2. Create the destination NAT policy.
    1. Specify the original packet to use the publicly routed IP address of the service hosted behind the firewall.
    2. Configure the Translation Type for the translated packet as Dynamic IP (with session distribution).
    3. Enter the FQDN address object (that you created) as the Translated Address.
    4. Click OK.
  3. Commit your changes.
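The session-distribution behaviour described above (first 32 addresses per address family kept from the DNS answer, sessions handed out round-robin, M x N possible translations, pool rebuilt on FQDN refresh) as a small model. This is an added illustration, not firewall code; the class and method names and all sample addresses are constructed for the example.

```python
"""Model of dynamic-IP destination NAT with session distribution.
Added illustration only; the names and addresses below are constructed."""
import ipaddress
from itertools import cycle
from typing import Dict, Iterable, List, Optional

MAX_PER_FAMILY = 32  # per-FQDN limit stated in the text (32 IPv4 + 32 IPv6)


def select_translated_pool(resolved: Iterable[str]) -> Dict[int, List[str]]:
    """Keep the first 32 IPv4 and first 32 IPv6 addresses, in DNS answer order."""
    pools: Dict[int, List[str]] = {4: [], 6: []}
    for addr in resolved:
        ip = ipaddress.ip_address(addr)
        if len(pools[ip.version]) < MAX_PER_FAMILY:
            pools[ip.version].append(str(ip))
    return pools


class DynamicDestinationNat:
    """One NAT rule: M pre-NAT destinations translated to an FQDN resolving to N addresses."""

    def __init__(self, original_dests: Iterable[str], resolved: Iterable[str]):
        self.original = {str(ipaddress.ip_address(a)) for a in original_dests}
        self.refresh(resolved)

    def refresh(self, resolved: Iterable[str]) -> None:
        """What the periodic FQDN refresh does: re-read the answer, rebuild the pool."""
        self.pools = select_translated_pool(resolved)
        self._rr = {ver: cycle(pool) for ver, pool in self.pools.items() if pool}

    def translate(self, dst: str) -> Optional[str]:
        """Return the post-NAT destination for a new session, or None if the rule
        does not match (wrong original address or no translated address of that family)."""
        ip = ipaddress.ip_address(dst)
        if str(ip) not in self.original or ip.version not in self._rr:
            return None
        return next(self._rr[ip.version])  # round-robin across the pool

    def possible_translations(self) -> int:
        """M x N: every original destination can map to every translated address."""
        return len(self.original) * sum(len(p) for p in self.pools.values())


if __name__ == "__main__":
    # Constructed sample: two public service addresses, FQDN resolving to three hosts
    rule = DynamicDestinationNat(["203.0.113.10", "203.0.113.11"],
                                 ["192.0.2.1", "192.0.2.2", "192.0.2.3"])
    for _ in range(4):
        print(rule.translate("203.0.113.10"))
```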
