topic Re: 8.3+ NAT Configuration questions in Network Security

8.3+ NAT Configuration questions

Mike Bowers — Tue, 12 Mar 2019 01:21:47 GMT

object network OUTSIDE_NAT_POOL
range 209.165.200.235 209.165.200.254

object network OUTSIDE_NAT_POOL2
range 209.165.201.10 209.165.201.29

object network OUTSIDE_PAT
host 209.165.201.30

object-group network OUTSIDE_NAT_GROUP
network object object OUTSIDE_NAT_POOL
network object object OUTSIDE_NAT_POOL2
network object object OUTSIDE_PAT

object network INSIDE_SEGMENT
nat (any,outside) dynamic OUTSIDE_NAT_GROUP interface

Hello!

I've been practicing NAT configurations with 8.3+ and I had a question about the above configuration.

The way I thought , the above configuration should use Port Address Translation on the first pool, and then PAT on all of the IPs in the second pool, and then on the OUTSIDE_PAT address, and then the interface. This is an example from the official text book, by the way. However, by the sounds of it, when you use range and establish a range of IP's, you can't PAT the range, and it always issues them statically until the range is used up?

The book explains the above configuration like this (word for word):

===============================================================

1. Hosts in the INSIDE-SEGMENT object will first use the NAT pool addresses of 209.165.200.235-254. These will be assigned in a seemingly random manner, based on an internal ASA algorithm, until all are in use.

2. You want hosts in the INSIDE-SEGMENT object to use addresses in a new range, 209.165.201.10-29, assigned in the same manner.

3. If both these pools are fully utilized, you want further connections from INSIDE-SEGMENT hosts to use PAT, utilizing the address 209.165.201.30.

4. In the unlikely scenario that the previous PAT address has all ports utilized, you want remaining connections from INSIDE-SEGMENT hosts to use PAT, utilizing the ASA's interface address.

===============================================================

So , why is it PATing the PAT address, but not the range addresses with the "dynamic" established in the nat command? How would you configure it if you wanted to use PAT on a range of addresses or is that possible?

Thank you for any clarity on this!

Re: 8.3+ NAT Configuration questions

Jouni Forss — Sat, 30 Mar 2013 23:33:20 GMT

Hi,

I think to be able to use a "range" of addresses as single PAT IP addresses each for translation you need to use the parameter "pat-pool"

object network

subnet

nat (source,destination) dynamic pat-pool

This is something I have had no need to use in the environments I manage so its not that common to me

For other 8.3+ NAT configurations and operation, check the documentation I made on the Document section

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Re: 8.3+ NAT Configuration questions

Jouni Forss — Sat, 30 Mar 2013 23:37:59 GMT

Also to clarify your other issues above.

To me the above quoted text just states

Users will get their NAT IP address from the first Pool until its exhausted
Users will get their NAT IP address from the second Pool if first Pool is exhausted
When both of the Pools are exhausted the single PAT IP address is shared by all of the hosts
If the PAT IP addresses ports run out then the interface IP address is used as a PAT IP address

So it first uses the NAT Pools 1 IP per users then falls back to the PAT IP until its exhausted and finally falls back to the "interface" IP address as the last PAT IP address

- Jouni

8.3+ NAT Configuration questions

Mike Bowers — Sat, 30 Mar 2013 23:40:16 GMT

Thanks alot for that. I've read through this FIREWALL official guide already and no where is there a pat-pool parameter mentioned. I just consoled in and seen it there with the question mark. Thanks a lot for the info and that 8.3+ NAT document looks really helpful!

Re: 8.3+ NAT Configuration questions

Jouni Forss — Sat, 30 Mar 2013 23:42:30 GMT

And finally.

The "pat-pool" configuration parameter was made available in 8.4(1.11) or more commonly 8.4(2)

8.4(2) Release Notes

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp535067

PAT pool and round robin address assignment

You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy.

Note Currently in 8.4(2), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).

We modifed the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).

- Jouni