Currently we have some limitations with our ISP load balancing: we are using only one public IP, but there are a lot of TCP connections behind this PAT and a few SRC IPs and DST IPs because of public cloud applications, so I want to start using round-robin PAT with a new public IP in the same IP range. But I want to know more about how the round robin works, because I want random IP usage. Can you confirm it's really random:
First session using the first IP and second session using the second IP? Is it the default behavior, or do I need to tell the ASA something in the config?
I don't want the ASA to wait until all UDP/TCP source ports 1-65536 are in use before it starts using the second public IP.
I didn't find any clear documentation.
Thanks for your help.
Yes, using the "round-robin" keyword in the NAT statement with the PAT pool means the same thing.
Thanks and Regards,
Thanks for that, but if I read your link:
(Optional) Enables round-robin address allocation for a PAT pool. By default, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
It means that I have to wait until all ports are used before using the next public IP, and I want to use both IPs each time there is a new connection:
session 1 : PUBLIC IP 1 and TCP 1
session 2 : PUBLIC IP 2 and TCP 2
session 3 : PUBLIC IP 1 and TCP 3
session 4 : PUBLIC IP 2 and TCP 4
Yes, that should be correct, as this option would help you use all the available ports/addresses from the pool rather than using and exhausting the first address/ports.
Thanks and Regards,
I think I'm missing something. What would be the default behavior if I just configure the round robin with a new IP?
Will it be a random usage of each IP, or will it wait until the first IP is full to use the second?
The explanation here is clearer: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/nat-basics.html#ID-2090-0000046a.
Round-robin is one of the PAT pool options. The default behavior (without round-robin) uses all ports on the first IP before moving to the second IP. If you enable round-robin, the next connection will use the next IP, so all IPs in the pool range(s) will be used before the first IP is used again. Indeed, round-robin will give you exactly the behavior you are looking for.
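As an added illustration (not part of any reply in this thread), this is the ASA configuration that turns on the behavior described above, with the default (exhaust-first-address) statement shown commented out beside it. The object names, interface names and the 10.0.0.0/24 inside network are assumptions, and the two public IPs are placeholders from the 203.0.113.0/24 documentation range.

```text
! Inside hosts to be translated (assumed 10.0.0.0/24)
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
!
! PAT pool: the existing public IP plus the new one from the same range
object network PAT-POOL
 range 203.0.113.10 203.0.113.11
!
! Default PAT pool behavior: all ports of 203.0.113.10 are allocated
! before 203.0.113.11 is used at all.
! nat (inside,outside) source dynamic INSIDE-NET pat-pool PAT-POOL
!
! With "round-robin", each new connection takes the next address in the pool:
! session 1 -> 203.0.113.10, session 2 -> 203.0.113.11, session 3 -> 203.0.113.10, ...
nat (inside,outside) source dynamic INSIDE-NET pat-pool PAT-POOL round-robin
!
! Verification (privileged EXEC):
! show nat pool   - per-address port usage of the PAT pool
! show xlate      - active translations, showing which public IP each session received
```

The `show xlate` output is the quickest way to confirm that consecutive sessions from one inside host alternate between the two pool addresses.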