Dynamic IP Address Pool Configuration

At the top of the Interface DIP configuration page, you can see for which interface you are configuring a new DIP pool. For example, you see:

Interface: ethernet3/2 (IP/Netmask: 209.122.17.1/24)

Important: Be sure to exclude the following IP addresses from a DIP pool, because a pool address that collides with one of them would be handed out as a translated source address while it is still in use for management, routing, or an inbound mapping:
– The WebUI management IP address
– The interface and gateway IP addresses
– Any Virtual IP (VIP) and Mapped IP (MIP) addresses

To Configure a New DIP Address Pool

  1. On the Interface (DIP) List page, click New, and then enter the necessary information:

ID: Enter an identification number for the DIP pool. The number can be from 4 to 255.

Note: You can use the ID number that is already showing in the field, which is the next available number sequentially, or enter a different number.

IP Address Range: Enter the starting and ending IP address of the range.

Port Translation: This option is enabled by default. Leave it enabled if you want multiple hosts to share the same IP address: with Port Translation, up to approximately 64,500 hosts can share a single address, and the assigned source port numbers distinguish which session belongs to which host. If you disable it, each host is translated to its own address, so the size of the pool limits how many hosts can use it at once.

IP Shift: Defines a one-to-one mapping from an original source IP address to a translated source IP address for a range of addresses that starts at the address in the From field; the number of addresses mapped is set by the size of the To range. Such a mapping ensures that the device always translates a particular source IP address from within that range to the same translated address within the DIP pool.

From: Enter the original source IP address to translate.

To: Enter an IP address range to which the original source IP address can be translated.

In the same subnet as the interface IP or its secondary IPs: Select this option if you want the DIP pool to be in the same subnet as the IP address of the primary or secondary interface.

Incoming NAT: Select this option to direct the device to perform NAT on sessions initiated by incoming traffic, such as SIP or H.323 calls placed to a host behind the pool.

In the same subnet as the extended IP: Select this option if you want the DIP pool in a different subnet from the one containing the interface IP address.

Extended IP/Netmask: This option allows you to graft onto an interface a second IP address, in a different subnet from the interface IP address, together with an accompanying DIP pool. You can then enable NAT on a per-policy basis and specify the DIP pool built on the extended interface for the translation. Enter the IP address and netmask for the second IP address and accompanying DIP pool.

  2. Click OK to save your changes.
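The constraints in the procedure above (pool ID 4 to 255, a range that sits inside the interface or extended subnet, and a range that avoids the management, interface, gateway, MIP and VIP addresses) can be checked before you click OK, and the one-to-one IP Shift mapping can be computed to see exactly which original address lands on which translated address. The following is an added example written for this page, not code from the security device or its vendor; the interface address comes from the page's own example, while the gateway, management, MIP and VIP addresses, the pool numbers and the extended subnet are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interface address from the page's example; everything else below is assumed.
INTERFACE = ipaddress.ip_interface("209.122.17.1/24")
RESERVED = {
    "WebUI management": ipaddress.ip_address("209.122.17.1"),  # assumed: managed on the interface IP
    "interface": ipaddress.ip_address("209.122.17.1"),
    "gateway": ipaddress.ip_address("209.122.17.254"),         # assumed gateway
    "MIP": ipaddress.ip_address("209.122.17.5"),               # assumed mapped IP
    "VIP": ipaddress.ip_address("209.122.17.6"),               # assumed virtual IP
}


@dataclass
class DipPool:
    pool_id: int
    start: str
    end: str
    port_translation: bool = True
    extended: Optional[str] = None  # "Extended IP/Netmask" when the pool lives in another subnet

    def addresses(self) -> List[ipaddress.IPv4Address]:
        first, last = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]


def validate_pool(pool: DipPool, interface=INTERFACE, reserved=RESERVED) -> List[str]:
    """Return a list of problems; an empty list means the pool passes every check on the page."""
    problems = []
    if not 4 <= pool.pool_id <= 255:
        problems.append(f"ID {pool.pool_id} is outside 4-255")
    first, last = ipaddress.ip_address(pool.start), ipaddress.ip_address(pool.end)
    if int(last) < int(first):
        problems.append("end address precedes start address")
        return problems
    # The pool must sit in the interface subnet, or in the extended subnet if one is given.
    home = ipaddress.ip_interface(pool.extended) if pool.extended else interface
    excluded = dict(reserved)
    if pool.extended:
        excluded["extended interface"] = home.ip
    for addr in pool.addresses():
        if addr not in home.network:
            problems.append(f"{addr} is not in {home.network}")
        for name, taken in excluded.items():
            if addr == taken:
                problems.append(f"{addr} is the {name} address")
    if not pool.port_translation and len(pool.addresses()) < 2:
        problems.append("without Port Translation a one-address pool serves one host at a time")
    return problems


def ip_shift_map(shift_from: str, to_start: str, to_end: str) -> Dict[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """One-to-one IP Shift: From+i -> To_start+i for every i covered by the To range."""
    base = int(ipaddress.ip_address(shift_from))
    lo, hi = int(ipaddress.ip_address(to_start)), int(ipaddress.ip_address(to_end))
    return {ipaddress.ip_address(base + i): ipaddress.ip_address(lo + i) for i in range(hi - lo + 1)}


if __name__ == "__main__":
    print(validate_pool(DipPool(5, "209.122.17.10", "209.122.17.20")))
    print(validate_pool(DipPool(3, "209.122.17.1", "209.122.17.6")))
    print(validate_pool(DipPool(7, "209.122.18.10", "209.122.18.20", extended="209.122.18.1/24")))
    for orig, xlat in ip_shift_map("10.1.1.10", "209.122.17.30", "209.122.17.40").items():
        print(f"{orig} -> {xlat}")
```

The second call reports the ID, the interface/management address, the MIP and the VIP in one pass; the third passes because the pool is judged against the extended subnet rather than the interface subnet. The shift map shows that the To range, not the From field, decides how many original hosts get a fixed translated address.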

Sticky DIP Addresses

When a host initiates several sessions that match an access policy with network address translation (NAT) enabled and is assigned an address from a dynamic IP (DIP) pool, the security device can assign a different source IP address from the pool for each session. Such random address assignment can be problematic for services that create multiple sessions and require the same source IP address for each of them.

For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Messaging (AIM) client. You create one session when you log in, and another for each chat. For the AIM server to verify that a new chat belongs to an authenticated user, it must match the source IP address of the login session with that of the chat session. If they are different—possibly because they were randomly assigned from a DIP pool during the NAT process—the AIM server rejects the chat session. To ensure that the device assigns the same IP address from a DIP pool to a host for multiple concurrent sessions, you can enable the “sticky” DIP address feature by entering the CLI command set dip sticky. Currently, you cannot enable this feature through the WebUI.