10-12-2015 11:57 AM - edited 03-11-2019 11:44 PM
Hello,
We recently saw the message "PAT pool exhausted" from one of our firewalls that we manage. Our current setup is a typical PAT on the outside interface.
Current Config:
object network PAT-obj
 subnet 0.0.0.0 0.0.0.0
 nat (any,OUTSIDE) dynamic interface
In the near future we expect the number of users behind the firewall to grow. As a workaround for this, I was thinking of implementing a PAT pool, assigning a pool of, say, 3 contiguous IP addresses and using this pool for a PAT.
Proposed:
object network PAT-pool
 range X.Y.Z.10 X.Y.Z.12
object network PAT-obj
 subnet 0.0.0.0 0.0.0.0
 nat (any,OUTSIDE) dynamic PAT-pool
The question I have is will this allow just 3 hosts to be NAT-ed/PAT-ed out or will it allow 3 * 65K connections outbound?
Thank you in advance,
Regards,
TJ
10-12-2015 01:17 PM
Hi,
In case of pat-pool, by default it would utilize all the ports before moving on to the next address in the pat-pool. Please refer to the link below, which explains the different options available (round-robin, extended, flat) with pat-pool and the default behavior of pat-pool:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_objects.html#wp1455942
Rate if it helps!
Regards,
Akshay Rastogi
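Added example (not part of the original thread or any poster's running configuration): the three forms of the object NAT rule side by side, using the placeholder range X.Y.Z.10-12 and the object names from the question. It assumes ASA 8.4 or later object NAT syntax; a network object holds one nat statement, so (a), (b) and (c) are alternatives, not a single config.

```cisco
! Constructed example. X.Y.Z.10-12 is the placeholder range from the question.
object network PAT-pool
 range X.Y.Z.10 X.Y.Z.12
!
! (a) Range object referenced directly after "dynamic": this is dynamic NAT.
!     Each inside host holds one whole mapped address while its translation
!     is active, so only three hosts can be translated at the same time.
object network PAT-obj
 subnet 0.0.0.0 0.0.0.0
 nat (any,OUTSIDE) dynamic PAT-pool
!
! (b) Same range behind the "pat-pool" keyword: this is dynamic PAT.
!     Hosts share the ports of each mapped address. Default behaviour is
!     to use up the ports on one address before moving to the next.
object network PAT-obj
 subnet 0.0.0.0 0.0.0.0
 nat (any,OUTSIDE) dynamic pat-pool PAT-pool
!
! (c) PAT pool with round-robin: addresses are assigned in rotation
!     instead of filling one address first.
object network PAT-obj
 subnet 0.0.0.0 0.0.0.0
 nat (any,OUTSIDE) dynamic pat-pool PAT-pool round-robin
!
! Checks after applying (b) or (c):
!   show nat detail   - confirm the rule shows the pool and is taking hits
!   show xlate        - translations should list PAT entries with ports
!   show nat pool     - per-address port allocation in the pool
```

Only forms (b) and (c) give the per-address port sharing described in the answer above; form (a) is what the proposed configuration in the question would apply.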
10-15-2015 06:40 AM
Thanks Akshay, that is helpful.
Had a follow-up to that: is there a way to include the outside interface as the first IP address used for the PAT?
Thanks again,
Regards,
TJ