topic Problem doing PAT to a range of public IPs in Network Security https://community.cisco.com/t5/network-security/problem-doing-pat-to-a-range-of-public-ips/m-p/4730630#M1095537 <P>We currently have a Firepower 4110 running 7.0.4 managed by an FMCv also running 7.0.4. We've been experiencing some asp-drops because of NAT exhaustion, so I tried to change the dynamic Auto NAT rule from a single IP address to a range of IP addresses as they unfortunately don't fall on a subnet boundary. As soon as the change is deployed, only one system could get out on each public IP address in the pool. The response to "sh xlate | in &lt;public_IP&gt;" was a single xlate entry for each public IP in the pool. I change it back to the single IP, and there are thousands of entries. I repeated this 3 times and verified all objects just to make sure nothing was fat fingered. I also cleared the connection and translation tables, which didn't help. I'm missing something pretty basic, I guess, but can anyone point me to the issue? The object for Public_NAT is #.#.#.6, while the object for Public_NAT_pool is a *range of #.#.#.6-#.#.#.9. For the below, the source and destination zones are inside and outside. Thanks for your help.</P><P>Existing rule (works):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABaker94985_0-1669850637556.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169584iB28A83F1A988AFCA/image-size/medium?v=v2&amp;px=400" role="button" title="ABaker94985_0-1669850637556.png" alt="ABaker94985_0-1669850637556.png" /></span></P><P>New rule (doesn't work):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABaker94985_1-1669850676403.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169585i209157C5FE31C0D0/image-size/medium?v=v2&amp;px=400" role="button" title="ABaker94985_1-1669850676403.png" alt="ABaker94985_1-1669850676403.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Nov 2022 23:35:46 GMT ABaker94985 2022-11-30T23:35:46Z Problem doing PAT to a range of public IPs https://community.cisco.com/t5/network-security/problem-doing-pat-to-a-range-of-public-ips/m-p/4730630#M1095537 <P>We currently have a Firepower 4110 running 7.0.4 managed by an FMCv also running 7.0.4. We've been experiencing some asp-drops because of NAT exhaustion, so I tried to change the dynamic Auto NAT rule from a single IP address to a range of IP addresses as they unfortunately don't fall on a subnet boundary. As soon as the change is deployed, only one system could get out on each public IP address in the pool. The response to "sh xlate | in &lt;public_IP&gt;" was a single xlate entry for each public IP in the pool. I change it back to the single IP, and there are thousands of entries. I repeated this 3 times and verified all objects just to make sure nothing was fat fingered. I also cleared the connection and translation tables, which didn't help. I'm missing something pretty basic, I guess, but can anyone point me to the issue? The object for Public_NAT is #.#.#.6, while the object for Public_NAT_pool is a *range of #.#.#.6-#.#.#.9. For the below, the source and destination zones are inside and outside. Thanks for your help.</P><P>Existing rule (works):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABaker94985_0-1669850637556.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169584iB28A83F1A988AFCA/image-size/medium?v=v2&amp;px=400" role="button" title="ABaker94985_0-1669850637556.png" alt="ABaker94985_0-1669850637556.png" /></span></P><P>New rule (doesn't work):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABaker94985_1-1669850676403.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169585i209157C5FE31C0D0/image-size/medium?v=v2&amp;px=400" role="button" title="ABaker94985_1-1669850676403.png" alt="ABaker94985_1-1669850676403.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Nov 2022 23:35:46 GMT https://community.cisco.com/t5/network-security/problem-doing-pat-to-a-range-of-public-ips/m-p/4730630#M1095537 ABaker94985 2022-11-30T23:35:46Z Re: Problem doing PAT to a range of public IPs https://community.cisco.com/t5/network-security/problem-doing-pat-to-a-range-of-public-ips/m-p/4730968#M1095552 <P>Use the PAT Pool tab instead. That will work.</P> <P>Reference Step 6 here:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/network_address_translation_nat_for_firepower_threat_defense.html#task_5368FCFF9B8949628F3C3205C945E34D" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/network_address_translation_nat_for_firepower_threat_defense.html#task_5368FCFF9B8949628F3C3205C945E34D</A></P> Thu, 01 Dec 2022 14:08:55 GMT https://community.cisco.com/t5/network-security/problem-doing-pat-to-a-range-of-public-ips/m-p/4730968#M1095552 Marvin Rhoads 2022-12-01T14:08:55Z