topic Thanks Akshay, that is in Network Security

ASA PAT question

mrthejaswi — Tue, 12 Mar 2019 06:44:13 GMT

Hello,

We recently saw the message "PAT pool exhausted" from one of our firewalls that we manage. Our current set up is a typical PAT on the outside interface.

Current Config:

object network PAT-obj

subnet 0.0.0.0 0.0.0.0

nat (any,OUTSIDE) dynamic interface

In the near future we expect the number of users behind the firewall to grow. As a work around this, I was thinking of implementing a PAT pool, assign a pool of say 3 contiguous ip addresses and using this pool for a PAT.

Proposed:

object network PAT-pool

range X.Y.Z.10 X.Y.Z.12

object network PAT-obj

subnet 0.0.0.0 0.0.0.0

nat (any,OUTSIDE) dynamic PAT-pool

The question I have is will this allow just 3 hosts to be NAT-ed/PAT-ed out or will it allow 3 * 65K connections outbound?

Thank you in advance,

Regards,

Hi,In case of pat-pool, by

Akshay Rastogi — Mon, 12 Oct 2015 20:17:10 GMT

Hi,

In case of pat-pool, by default it would utilize all the ports before moving on to next address in the pat-pool. Please refer the link below which explains different options available (round-robin, extended, flat) with pat-pool and the default behavior of pat-pool :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_objects.html#wp1455942

Rate if it helps!

Regards,

Akshay Rastogi

Thanks Akshay, that is

mrthejaswi — Thu, 15 Oct 2015 13:40:07 GMT

Thanks Akshay, that is helpful.

Had a followup to that, is there a way to include the outside interface as the first IP address used for the PAT.

Thanks again,

Regards,