09-17-2013 03:30 AM - edited 03-11-2019 07:39 PM
How does a Cisco ASA firewall with version 7.2(5)4 behave if we are using two PAT IPs for a wide source network?
nat(inside) 1 10.0.0.0 255.0.0.0
global(outside) 1 203.178.112.1
global(outside) 1 203.178.112.2
We can see from the firewall logs that one source IP from the 10.0.0.0/8 network uses both PAT IPs going to the same destination, but in different sessions,
although the user only accessed the internet link once.
Should the firewall utilize 203.178.112.1 first (ports from 1025-655535) before using 203.178.112.2?
Or will the firewall use them randomly?
09-17-2013 04:10 AM
Hi,
Do notice that when a user loads a web page it doesn't form only one TCP connection. Not all of the content is loaded from a single server, so multiple TCP connections will be formed to load the complete page.
With regards to the Dynamic PAT,
It was my understanding originally that the ASA would use up the ports on the first PAT IP address configured and then the second PAT IP address. Judging by the output you have shared it would seem that the ASA does Round Robin with the 2 PAT IP addresses.
In the new ASA software levels configuring Dynamic PAT is a lot clearer as you are actually given clear options to choose how the Dynamic PAT or PAT pool behaves.
Here is a quote from an older Cisco ASA document about Dynamic NAT and PAT which to my eye seems to say that the first PAT IP address should be used first.
You can enter multiple global commands for one interface using the same NAT ID; the security appliance uses the dynamic NAT global commands first, in the order they are in the configuration, and then uses the PAT global commands in order. You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application, but want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports.
I marked the section in RED which seems to me to indicate that the Dynamic PAT address should be used in order.
- Jouni
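To check which behaviour a given ASA actually shows, the translation syslogs can be parsed rather than guessed at. The following is an added example, not code from the thread or from Cisco: it assumes the standard ASA message 305011 ("Built dynamic ... translation") format, and the sample log lines are constructed to match the nat/global configuration above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ASA syslog lines (message 305011 = dynamic translation built,
# 305010 = translation torn down); addresses match the thread's configuration.
SAMPLE_LOGS = """
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.5/49152 to outside:203.178.112.1/1025
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.5/49153 to outside:203.178.112.2/1025
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.5/49154 to outside:203.178.112.1/1026
%ASA-6-305011: Built dynamic TCP translation from inside:10.2.2.9/40000 to outside:203.178.112.2/1026
%ASA-6-305011: Built dynamic TCP translation from inside:10.2.2.9/40001 to outside:203.178.112.1/1027
%ASA-6-305010: Teardown dynamic TCP translation from inside:10.1.1.5/49152 to outside:203.178.112.1/1025 duration 0:00:30
"""

# Matches only the "Built dynamic translation" message (305011); assumed format.
XLATE_RE = re.compile(
    r"%ASA-\d-305011: Built dynamic (?P<proto>TCP|UDP) translation from "
    r"(?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>\w+):(?P<mapped>[\d.]+)/(?P<mport>\d+)"
)

def parse_xlates(text):
    """Return (src_ip, mapped_ip, mapped_port) for each built-translation line, in log order."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            out.append((m["src"], m["mapped"], int(m["mport"])))
    return out

def pat_usage(text):
    """Per-source set of PAT IPs used, and number of translations built per PAT IP."""
    per_src = defaultdict(set)
    per_pat = Counter()
    for src, mapped, _ in parse_xlates(text):
        per_src[src].add(mapped)
        per_pat[mapped] += 1
    return dict(per_src), per_pat

def allocation_pattern(text, pool):
    """Classify the observed pool behaviour from the order translations were built:
    'sequential' if only the first pool address has been used so far,
    'round-robin' if successive translations keep switching between addresses."""
    seq = [mapped for _, mapped, _ in parse_xlates(text)]
    if not seq:
        return "no-data"
    if set(seq) == {pool[0]}:
        return "sequential"
    switches = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
    return "round-robin" if switches >= len(seq) // 2 else "mixed"
```

A 'sequential' verdict only says the second address has not been seen yet; it cannot prove the first address will be exhausted before the second is used.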