https://community.cisco.com/t5/network-security/cisco-asa-pat-port-range-depending-on-source-ip-address/m-p/5278710#M1120488 <P>Is it possible to have defined outside source-port-range in PAT depending on the source-ip-address network?<BR />E.g.&nbsp;<BR />Outside-NAT, using outside-NAT address 18.66.27.86.<BR />TCP-sessions coming from 192.168.1.0/24 uses port-range 30000-39000 as source-ports on outside-if.<BR />TCP-sessions coming from 192.168.2.0/24 uses port-range 40000-49000 as source-ports on outside-if.<BR />But I do now know which source-ports the devices use, they might use larger port-range as source.<BR /><BR />192.168.1.1:21001 -&gt; 18.66.27.86:30000<BR />192.168.1.2:49011 -&gt; 18.66.27.86:30001<BR />-------------------------------------<BR />192.168.2.1:39109 -&gt; 18.66.27.86:40000<BR />192.168.2.2:32417 -&gt; 18.66.27.86:40001<BR /><BR /></P> Sun, 06 Apr 2025 11:35:56 GMT chris-doro 2025-04-06T11:35:56Z https://community.cisco.com/t5/network-security/cisco-asa-pat-port-range-depending-on-source-ip-address/m-p/5278710#M1120488 <P>Is it possible to have defined outside source-port-range in PAT depending on the source-ip-address network?<BR />E.g.&nbsp;<BR />Outside-NAT, using outside-NAT address 18.66.27.86.<BR />TCP-sessions coming from 192.168.1.0/24 uses port-range 30000-39000 as source-ports on outside-if.<BR />TCP-sessions coming from 192.168.2.0/24 uses port-range 40000-49000 as source-ports on outside-if.<BR />But I do now know which source-ports the devices use, they might use larger port-range as source.<BR /><BR />192.168.1.1:21001 -&gt; 18.66.27.86:30000<BR />192.168.1.2:49011 -&gt; 18.66.27.86:30001<BR />-------------------------------------<BR />192.168.2.1:39109 -&gt; 18.66.27.86:40000<BR />192.168.2.2:32417 -&gt; 18.66.27.86:40001<BR /><BR /></P> Sun, 06 Apr 2025 11:35:56 GMT https://community.cisco.com/t5/network-security/cisco-asa-pat-port-range-depending-on-source-ip-address/m-p/5278710#M1120488 chris-doro 2025-04-06T11:35:56Z https://community.cisco.com/t5/network-security/cisco-asa-pat-port-range-depending-on-source-ip-address/m-p/5278762#M1120489 <P>On Cisco ASA firewall it's not possible to directly define source-port ranges for PAT based on the source IP network using standard NAT configuration. The ASA's PAT implementation doesn't support granular port-range assignments to specific source subnets.</P><P>By default, the ASA uses these port ranges for translations</P><P>Block 1: 0–511</P><P>Block 2: 512–1023</P><P>Block 3: 1024–65535<BR />Ports are allocated within the same block as the original source port. This behavior can’t be overridden to enforce subnet-specific ranges like 30000–39000 for 192.168.1.0/24. <A href="https://netcraftsmen.com/dynamic-pat-cont-with-pools-flat-round-robin-and-extended-pat/" target="_self">Source Link website</A>&nbsp;</P><P>Using the flat keyword allows ports 1024–65535 for all translations, but this applies globally and can’t be restricted to specific subnets <A href="https://www.reddit.com/r/ccnp/comments/g6s1dy/cisco_asa_dynamic_pat_pat_pool_options_notes/" target="_self">Source link</A>&nbsp;</P><P>Possible work-around you can apply</P><LI-CODE lang="markup">! For 192.168.1.0/24 object network PAT-IP-1 host 18.66.27.86 nat (inside,outside) source dynamic 192.168.1.0/24 pat-pool PAT-IP-1 flat ! For 192.168.2.0/24 object network PAT-IP-2 host 18.66.27.87 # Second external IP nat (inside,outside) source dynamic 192.168.2.0/24 pat-pool PAT-IP-2 flat </LI-CODE><P>Option 2 Workaround</P><P>Enable extended PAT to track destination IP/port, increasing concurrent translations</P><LI-CODE lang="markup">nat (inside,outside) source dynamic 192.168.1.0/24 pat-pool PAT-IP-1 extended nat (inside,outside) source dynamic 192.168.2.0/24 pat-pool PAT-IP-1 extended </LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Sun, 06 Apr 2025 20:35:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-pat-port-range-depending-on-source-ip-address/m-p/5278762#M1120489 Sheraz.Salim 2025-04-06T20:35:50Z