10-26-2011 01:30 AM - edited 03-11-2019 02:42 PM
Hi,
I had thought I had successfully implemented dynamic PAT, since it isn't that difficult, but I'm having issues.
This is my config:
object network obj_sources-natpool
range 1.1.1.248 1.1.1.254
object network obj_source
subnet 2.0.0.0 255.224.0.0
nat (inside,outside) source dynamic obj_source obj_sources-natpool
What I expected was to see that I was doing PAT:
I opened an ssh session to 10 servers and tried to telnet on port 80 of some server.
What I see is that most of the servers get connection, and some of them do not.
After investigating, I see the natpool is exhausted. My ASA does not do PAT, it just does NAT.
# sh xlate
13 in use, 131 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
<cut out the identity nat>
NAT from inside:2.0.48.12 to outside:1.1.1.250 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.48.15 to outside:1.1.1.251 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.32.21 to outside:1.1.1.248 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.32.22 to outside:1.1.1.253 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.32.23 to outside:1.1.1.249 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.0.20 to outside:1.1.1.252 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.0.21 to outside:1.1.1.254 flags i idle 0:10:50 timeout 3:00:00
I had expected to see something like:
TCP PAT from inside:2.0.48.12/3347 to outside:1.1.1.248/1025 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.48.15/4837 to outside:1.1.1.248/1026 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.32.21/2384 to outside:1.1.1.248/1027 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.32.22/14372 to outside:1.1.1.248/1028 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.32.23/13294 to outside:1.1.1.248/1029 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.0.20/1034 to outside:1.1.1.248/1030 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.0.21/1087 to outside:1.1.1.248/1031 flags ri idle 0:10:50 timeout 3:00:00
What am I doing wrong???
I've used this page for configuration instructions:
10-26-2011 02:06 AM
Hi Tom,
What you are trying is not dynamic PAT but dynamic NAT; it would be a one-to-one NAT on the ASA. It would not do port address translation for it. If you are looking for dynamic PAT, then you might need to implement this:
object-group network obj_sources-natpool
network-object host 1.1.1.248
network-object host 1.1.1.249
network-object host 1.1.1.250
network-object host 1.1.1.251
network-object host 1.1.1.252
network-object host 1.1.1.253
network-object host 1.1.1.254
object network obj_source
subnet 2.0.0.0 255.224.0.0
nat (inside,outside) source dynamic obj_source obj_sources-natpool
Now it should work as expected.
Hope that helps.
Thanks,
Varun
10-26-2011 02:56 AM
Thank you very much Varun!
That was the key.
It seems you cannot use a range to specify the natpool...
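As an added example (not from the thread, not Cisco code), a small Python checker that parses "show xlate" output in the shape posted above and reports whether the translations are one-to-one dynamic NAT or real PAT (the "r" portmap flag) and whether the address pool is exhausted. The pool bounds and the sample xlate lines are constructed from the values in this thread; the header and elided lines are kept so the parser has to skip them.

```python
import ipaddress
import re

# Constructed samples shaped like the two "show xlate" listings in the thread:
# the actual output (one-to-one dynamic NAT, flag "i") and the PAT output the
# poster expected (flag "r" = portmap). Non-translation lines are left in.
XLATE_NAT = """13 in use, 131 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
<cut out the identity nat>
NAT from inside:2.0.48.12 to outside:1.1.1.250 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.48.15 to outside:1.1.1.251 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.32.21 to outside:1.1.1.248 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.32.22 to outside:1.1.1.253 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.32.23 to outside:1.1.1.249 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.0.20 to outside:1.1.1.252 flags i idle 0:10:50 timeout 3:00:00
NAT from inside:2.0.0.21 to outside:1.1.1.254 flags i idle 0:10:50 timeout 3:00:00
"""
XLATE_PAT = """TCP PAT from inside:2.0.48.12/3347 to outside:1.1.1.248/1025 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.48.15/4837 to outside:1.1.1.248/1026 flags ri idle 0:10:50 timeout 3:00:00
TCP PAT from inside:2.0.32.21/2384 to outside:1.1.1.248/1027 flags ri idle 0:10:50 timeout 3:00:00
"""
XLATE_RE = re.compile(
    r"^(?:(?P<proto>\w+) )?(?P<kind>NAT|PAT) from (?P<in_if>[^:\s]+):(?P<in_ip>[\d.]+)"
    r"(?:/(?P<in_port>\d+))? to (?P<out_if>[^:\s]+):(?P<out_ip>[\d.]+)"
    r"(?:/(?P<out_port>\d+))? flags (?P<flags>\S+)"
)

def parse_xlate(text):
    """Return one dict per translation line; header/elided lines are skipped."""
    return [m.groupdict() for m in map(XLATE_RE.match, text.splitlines()) if m]

def audit_pool(entries, pool_first, pool_last):
    """Classify the translations and measure how much of the pool they consume."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool_first, pool_last))
    pool = {str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)}
    used = {e["out_ip"] for e in entries if e["out_ip"] in pool}
    # "r" (portmap) means ports are rewritten, i.e. real PAT; without it each
    # inside host pins a whole pool address and the pool is gone after len(pool) hosts.
    portmap = bool(entries) and all("r" in e["flags"] for e in entries)
    return {
        "mode": "PAT" if portmap else "one-to-one NAT",
        "pool_size": len(pool),
        "addresses_used": len(used),
        "exhausted": not portmap and len(used) >= len(pool),
    }

if __name__ == "__main__":
    for name, text in (("actual", XLATE_NAT), ("expected", XLATE_PAT)):
        print(name, audit_pool(parse_xlate(text), "1.1.1.248", "1.1.1.254"))
```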