04-24-2013 08:31 AM - edited 03-11-2019 06:34 PM
Hi support community,
would there be any benefits from using a small pool of public IPs (outside global addresses) to perform PAT instead of using a single IP address that is normally associated with the outside interface? We have enough public IPs where I could use 3 or 5 for a PAT outside pool, and I was wondering if it would be beneficial or a waste.
Thank you for any information that you can provide on this.
Delmiro
04-24-2013 08:51 AM
Hi,
Do you mean using a PAT Pool of a few addresses instead of PAT using the "outside" interface of the ASA?
I would imagine if you were to use a PAT Pool you would considerably increase the amount of hosts/connections that the ASA could support going from LAN to WAN.
I would suggest first monitoring the current usage of the interface PAT to determine if there is any need to configure a PAT Pool.
If you are talking about a PAT Pool then you must be using newer software.
You can probably use the "show nat pool" command to determine the usage of the current interface PAT ports.
Usually the single PAT address is just fine but if you have a large network with a lot of users you might benefit from the change. As I said, you should first see if your current PAT port usage is high.
If you had reached the PAT port limit then you would be seeing log messages of failed translations.
- Jouni
04-24-2013 08:49 AM
Typically, one patted public ip address is enough for your internal hosts, the other public ip addresses normally are being used as server ip addresses that reside in your dmz so that it can be accessed from internet.
04-24-2013 10:07 AM
Thank you Jouni, you are always amazing with the level of detail and help you provide, no wonder you are a Cisco VIP.
Let me ask you one last question regarding the show nat pool command: does this mean that out of 64511 ports I'm using 1401? I just wanted to double check. Thanks again.
04-24-2013 10:28 AM
Hi,
It would seem so. Notice that there are separate port ranges for TCP and UDP, naturally. Though also naturally, most connections formed to the Internet are TCP connections, so those will be the most consumed.
Also, the ports used for PAT are divided into the 3 different ranges, as you can see.
If you want to get a cleaner output just regarding your "outside" interface then you can use the command "show nat pool | inc outside". That should clear out the other interfaces from the command output.
Here is also a link to one document on CSC that handles this subject:
https://supportforums.cisco.com/docs/DOC-9233
- Jouni
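As an added example (not from the thread, and not Cisco's code), a small Python parser for the "show nat pool" output Jouni refers to: it works out per-range and per-interface port utilization, reproduces the "| inc outside" filtering, and flags any pool range that is close to exhaustion so you can act before the failed-translation log messages appear. The sample output and its allocated counts are constructed, and the exact line layout is assumed from ASA 8.4+ output.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of `show nat pool` on ASA 8.4+.
# Allocated counts are made up (the outside TCP high range mirrors the thread).
SAMPLE = """\
TCP PAT pool outside, address 203.0.113.10, range 1-511, allocated 3
TCP PAT pool outside, address 203.0.113.10, range 512-1023, allocated 12
TCP PAT pool outside, address 203.0.113.10, range 1024-65535, allocated 1401
UDP PAT pool outside, address 203.0.113.10, range 1-511, allocated 0
UDP PAT pool outside, address 203.0.113.10, range 512-1023, allocated 2
UDP PAT pool outside, address 203.0.113.10, range 1024-65535, allocated 310
ICMP PAT pool outside, address 203.0.113.10, range 1-65535, allocated 5
TCP PAT pool dmz, address 10.10.10.1, range 1024-65535, allocated 58000
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT pool (?P<iface>\S+), address (?P<addr>\S+), "
    r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<used>\d+)$"
)

def parse_nat_pool(text):
    """One dict per pool line with range size, allocated count and percent used."""
    pools = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore headers or lines in an unexpected format
        lo, hi, used = int(m["lo"]), int(m["hi"]), int(m["used"])
        size = hi - lo + 1  # inclusive port range
        pools.append({"proto": m["proto"], "iface": m["iface"], "addr": m["addr"],
                      "range": (lo, hi), "size": size, "used": used,
                      "pct": round(100.0 * used / size, 1)})
    return pools

def summarize(pools, iface=None):
    """Percent used per (interface, protocol); iface filters like `| inc outside`."""
    totals = defaultdict(lambda: [0, 0])
    for p in pools:
        if iface and p["iface"] != iface:
            continue
        totals[(p["iface"], p["proto"])][0] += p["used"]
        totals[(p["iface"], p["proto"])][1] += p["size"]
    return {k: round(100.0 * u / s, 1) for k, (u, s) in totals.items()}

def near_exhaustion(pools, threshold_pct=80.0):
    """Pool ranges at or above the threshold: candidates for a PAT pool."""
    return [p for p in pools if p["pct"] >= threshold_pct]

if __name__ == "__main__":
    for k, pct in sorted(summarize(parse_nat_pool(SAMPLE)).items()):
        print(f"{k[0]:8} {k[1]:5} {pct:5.1f}% of PAT ports in use")
```

Running the block prints the usage per interface and protocol; near_exhaustion() returns the dmz TCP range in the sample, which is the one that would start failing translations first.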
04-24-2013 10:40 AM
Excellent! I understand it now, great reference article.