ASA 9.1 round robin pat algorithm (default behavior)

yann.boulet
Level 1

Dear all,

Currently we have some limitations with our ISP load balancing: we are using only one public IP, but there are a lot of TCP connections behind this PAT and only a few SRC IPs and DST IPs because of public cloud applications, so I want to start using round robin PAT with a new public IP in the same IP range. But I want to know more about how the round robin works, because I want random IP usage. Can you confirm it's really random:

first session using the first IP and second session using the second IP? Is it the default behavior, or do I need to tell the ASA something in the config?

I don't want the ASA to wait until all UDP/TCP source ports 1-65536 are in use before it starts using the second public IP.

I didn't find any clear documentation.

Thanks for your help.

6 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Yes, using the "round-robin" keyword in the NAT statement with the PAT pool means the same thing.

Refer:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html#pgfId-1778544

Thanks and Regards,

Vibhor Amrodia

Thanks for that, but if I read your link:

(Optional) Enables round-robin address allocation for a PAT pool. By default, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on

it means that I have to wait until all ports are used before the next public IP is used, and I want to use both IPs each time there is a new connection:

session 1 : PUBLIC IP 1 and TCP 1

session 2 : PUBLIC IP 2 and TCP 2

session 3 : PUBLIC IP 1 and TCP 3

session 4 : PUBLIC IP 2 and TCP 4

Hi,

Yes, that should be correct, as this option would help you use all the available ports/addresses from the pool rather than using and exhausting the first address/ports.

Thanks and Regards,

Vibhor Amrodia

I think I am missing something: what would be the default behavior if I just configure the round robin with a new IP?

Will it be a random usage of each IP, or will it wait until the first IP is full to use the second?

Thanks

Any update?

The explanation here is clearer: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/nat-basics.html#ID-2090-0000046a.

Round-Robin is one of the PAT pool options. The default behavior (without round-robin) uses all ports on the first IP before moving to the second IP. If you enable round-robin, the next connection will use the next IP, so all IPs in the pool range(s) will be used before the first IP is used again. Indeed, round-robin will give you exactly the behavior you are looking for.
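To make the two allocation orders described in this thread concrete, here is an added simulation (not code from Cisco or from anyone in this thread) of a PAT pool handing out a public IP and source port to each new session. It models only what the replies above state: the default mode fills every port of the first address before touching the next, while round-robin moves to the next address for each new session and wraps around when the pool's last address has been used. The address values, the tiny port range and the `PatPool` class are constructed for illustration; the real ASA port selection has more options (per-destination port reuse, port-range tiers) that this model ignores.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PatPool:
    """Simplified PAT pool: a list of public addresses sharing one port range.

    round_robin=False mimics the default ASA behaviour (exhaust address 1,
    then address 2, ...); round_robin=True mimics the 'round-robin' keyword
    (each new session takes the next address in the pool).
    Assumption: ports are handed out sequentially and never released, which
    is enough to show the address-selection order discussed in the thread.
    """
    addresses: List[str]
    port_lo: int = 1024
    port_hi: int = 65535
    round_robin: bool = False
    _next_port: Dict[str, int] = field(default_factory=dict)
    _rr_index: int = 0  # position in the pool the next round-robin pick starts from

    def __post_init__(self) -> None:
        self._next_port = {a: self.port_lo for a in self.addresses}

    def ports_left(self, addr: str) -> int:
        """Unused ports remaining on a given public address."""
        return self.port_hi - self._next_port[addr] + 1

    def allocate(self) -> Tuple[str, int]:
        """Pick (public_ip, source_port) for a new session; raise when the pool is empty."""
        n = len(self.addresses)
        if self.round_robin:
            # Start at the rotating index; exhausted addresses are skipped.
            order = [self.addresses[(self._rr_index + i) % n] for i in range(n)]
        else:
            # Default: always try the first address first.
            order = list(self.addresses)
        for addr in order:
            if self.ports_left(addr) > 0:
                port = self._next_port[addr]
                self._next_port[addr] += 1
                if self.round_robin:
                    # Next session starts from the address after this one.
                    self._rr_index = (self.addresses.index(addr) + 1) % n
                return addr, port
        raise RuntimeError("PAT pool exhausted: no free address/port pair")


def simulate(n_sessions: int, addresses: List[str], round_robin: bool,
             port_lo: int = 1024, port_hi: int = 65535) -> List[Tuple[str, int]]:
    """Return the (ip, port) pair assigned to each of n_sessions new sessions."""
    pool = PatPool(addresses, port_lo=port_lo, port_hi=port_hi, round_robin=round_robin)
    return [pool.allocate() for _ in range(n_sessions)]


if __name__ == "__main__":
    # Constructed sample: two documentation-range public IPs, three ports each.
    pool_ips = ["203.0.113.1", "203.0.113.2"]
    for mode in (False, True):
        label = "round-robin" if mode else "default"
        print(f"{label}:")
        for i, (ip, port) in enumerate(simulate(4, pool_ips, mode, port_lo=1, port_hi=3), 1):
            print(f"  session {i}: {ip} port {port}")
```

With the sample pool, the default mode yields sessions 1-3 on 203.0.113.1 and session 4 on 203.0.113.2, while round-robin alternates 203.0.113.1, 203.0.113.2, 203.0.113.1, 203.0.113.2, which is the pattern the original poster listed. On the ASA the pool is attached with the `pat-pool` and `round-robin` keywords in the `nat` statement, as the command reference linked above describes.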
