Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
5
Helpful
2
Replies

ASA PAT question

Go to solution
mrthejaswi
Level 1
Level 1

‎10-12-2015 11:57 AM - edited ‎03-11-2019 11:44 PM

Hello, 

We recently saw the message "PAT pool exhausted" from one of our firewalls that we manage. Our current set up is a typical PAT on the outside interface.

Current Config: 

object network PAT-obj

subnet 0.0.0.0 0.0.0.0

nat (any,OUTSIDE) dynamic interface

 

In the near future we expect the number of users behind the firewall to grow. As a work around this, I was thinking of implementing a PAT pool, assign a pool of say 3 contiguous ip addresses and using this pool for a PAT. 

Proposed: 

object network PAT-pool

range X.Y.Z.10 X.Y.Z.12

object network PAT-obj

subnet 0.0.0.0 0.0.0.0

nat (any,OUTSIDE) dynamic PAT-pool

 

The question I have is will this allow just 3 hosts to be NAT-ed/PAT-ed out or will it allow 3 * 65K connections outbound?

 

Thank you in advance, 

 

Regards,

TJ

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-12-2015 01:17 PM

Hi,

In case of pat-pool, by default it would utilize all the ports before moving on to next address in the pat-pool. Please refer the link below which explains different options available (round-robin, extended, flat) with pat-pool and the default behavior of pat-pool :

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_objects.html#wp1455942

 

Rate if it helps!

Regards,

Akshay Rastogi

View solution in original post

2 Replies 2

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-12-2015 01:17 PM

Hi,

In case of pat-pool, by default it would utilize all the ports before moving on to next address in the pat-pool. Please refer the link below which explains different options available (round-robin, extended, flat) with pat-pool and the default behavior of pat-pool :

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_objects.html#wp1455942

 

Rate if it helps!

Regards,

Akshay Rastogi

Go to solution
mrthejaswi
Level 1
Level 1
In response to Akshay Rastogi

‎10-15-2015 06:40 AM

Thanks Akshay, that is helpful. 

Had a followup to that, is there a way to include the outside interface as the first IP address used for the PAT.

 

Thanks again,

 

Regards,

TJ

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card