ASA 9.1 round robin pat algorithm (default behavior)

yann.boulet
Beginner

Dear all,

Currently we have some limitations with our ISP load balancing: we are using only one public IP, but there are a lot of TCP connections behind this PAT and a few SRC IPs and DST IPs because of public cloud applications, so I want to start using round robin PAT with a new public IP in the same IP range. But I want to know more about how the round robin is working, because I want random IP usage. Can you confirm it's really random:

First session using the first IP and second session using the second IP? Is it a default behavior, or do I need to tell the ASA something in the config?

I don't want the ASA to wait until all UDP/TCP source ports 1-65536 are in use to start using the second public IP.

I didn't find any clear documentation.

thanks for your help

6 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Yes, using the "round-robin" keyword in the NAT statement with the PAT pool means the same thing.

Refer:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html#pgfId-1778544

Thanks and Regards,

Vibhor Amrodia

Thanks for that, but if I read your link:

(Optional) Enables round-robin address allocation for a PAT pool. By default, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.

It means that I have to wait until all ports are used to use the next public IP, and I want to use both IPs each time there is a new connection:

session 1 : PUBLIC IP 1 and TCP 1

session 2 : PUBLIC IP 2 and TCP 2

session 3 : PUBLIC IP 1 and TCP 3

session 4 : PUBLIC IP 2 and TCP 4

Hi,

Yes, that should be correct, as this option would help you to use all the available ports/addresses from the pool rather than using and exhausting the first address/ports.

Thanks and Regards,

Vibhor Amrodia

I think I miss something. What would be the default behavior if I just configure the round robin with a new IP?

Will it be a random usage of each IP, or will it wait until the first IP is full to use the second?

Thanks.

Any update?

The explanation here is clearer: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/nat-basics.html#ID-2090-0000046a

Round-robin is one of the PAT pool options. The default behavior (without round-robin) uses all ports on the first IP before moving to the second IP. If you enable round-robin, the next connection will use the next IP, so all IPs in the pool range(s) will be used before the first IP is used again. Indeed, round-robin will give you exactly the behavior you are looking for.
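The two allocation orders described in this thread (default: exhaust the first address, then move on; round-robin: next connection, next address, skipping an address whose ports are gone) as a small Python model. This is an added illustration, not ASA code: the pool addresses, the usable port range per address and lowest-port-first hand-out are assumptions of the model, and the ASA's own port-range partitioning and source-port preservation rules are not modelled.

```python
from collections import deque

class PatPool:
    """Hands out (public_ip, port) pairs for new connections from a PAT pool."""

    def __init__(self, addresses, round_robin=False, port_lo=1024, port_hi=65535):
        self.addresses = list(addresses)
        self.round_robin = round_robin
        # Free source ports per address, handed out lowest-first (assumption of this model).
        self.free = {a: deque(range(port_lo, port_hi + 1)) for a in self.addresses}
        self.cursor = 0  # round-robin position: index of the address to try next

    def allocate(self):
        """Return (address, port) for a new connection, or None if every port is in use."""
        n = len(self.addresses)
        if self.round_robin:
            # Walk the pool starting at the cursor; an address with no free port is
            # skipped, so exhausting one IP does not stall the others.
            for step in range(n):
                i = (self.cursor + step) % n
                addr = self.addresses[i]
                if self.free[addr]:
                    self.cursor = (i + 1) % n
                    return addr, self.free[addr].popleft()
            return None
        # Default behaviour: use every port of the first address before moving on.
        for addr in self.addresses:
            if self.free[addr]:
                return addr, self.free[addr].popleft()
        return None


def simulate(n_sessions, round_robin, port_lo=1024, port_hi=65535):
    """Allocate n_sessions new connections and return the (ip, port) used by each."""
    # Constructed two-address pool from the documentation range 203.0.113.0/24.
    pool = PatPool(["203.0.113.10", "203.0.113.11"], round_robin, port_lo, port_hi)
    return [pool.allocate() for _ in range(n_sessions)]


if __name__ == "__main__":
    for label, rr in (("default", False), ("round-robin", True)):
        print(label)
        for n, xlate in enumerate(simulate(4, rr), start=1):
            print(f"  session {n}: {xlate}")
```

Running it prints the session-to-IP mapping the questioner sketched (IP 1, IP 2, IP 1, IP 2) for round-robin and four ports on IP 1 for the default.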
