Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
739
Views
0
Helpful
3
Replies

Can i config same inside ip translate to one same outside ip when using multiple PAT global ip address

fly
Level 2
Level 2

‎03-13-2012 09:20 PM - edited ‎03-11-2019 03:41 PM

global (outside) 1 103.191.12.3-203.192.13.34

global (outside) 1 103.191.12.1

global (outside) 1 103.191.12.2

nat (inside) 1 10.20.216.0 255.255.255.0

nat (inside) 1 10.20.217.0 255.255.255.0

nat (inside) 1 10.20.176.0 255.255.252.0

nat (inside) 1 10.20.180.0 255.255.252.0

nat (inside) 1 10.20.220.0 255.255.252.0

from config, inside one same ip may translate to different outside global ip address.  that has some problem when visit some web site using src dst loadbalance .

i know i can split this ip address to diffrent group, one group using one outside global ip address. but this is not perfect,  when running out of one outside global address,  we must re-split inside ip address.

is there any perfect way to config in this situation?

thank you!

Labels:
0 Helpful
3 Replies 3

fly
Level 2
Level 2

‎03-14-2012 06:08 AM

no one answer me?

0 Helpful

johuggin
Level 1
Level 1
In response to fly

‎03-14-2012 06:33 AM

Hello,

I'm not exactly sure what the question is. Are you asking how you can minimize the differences in the outside IP address?

If that's the case, you might remember that the following statement doesn't use PAT. It will translate one host per outside IP listed (one host to .3, another to .4, etc.. until it reaches .34. ).

"global (outside) 1 103.191.12.3-203.192.13.34"

If you separate this statement into the following, the ASA will translate to one single address until that is full (using PAT) and will then move on to the next one:

"

global (outside) 1 103.191.12.3

global (outside) 1 103.191.12.4

. . .

"

Hope this helps!

Joey

0 Helpful

fly
Level 2
Level 2
In response to johuggin

‎03-14-2012 06:55 AM

Hi joey

     thank you!

     i config multple pat address in same group (group number is 1)

    

global (outside) 1 103.191.12.3-203.192.13.34

global (outside) 1 103.191.12.1

global (outside) 1 103.191.12.2

 

    global (outside) 1 has two pat address 103.191.12.1 and 103.191.12.2.

    

     when one inside computer A visit internet,  this computer A has internal
              ip adress 10.20.216.235.

    when there many users in inside network, PAT kick in, when comupter A visit
    a bank web site on internet (https), i found computer may establieshed
    6 connections , this 6 connections using PAT,
     i found ASA translate 10.20.216.235 to different PAT global address.

    for example:

   

ASA# show conn | i 10.20.216.235 

TCP outside 123.127.121.2:443 inside 10.20.216.235:1835, idle 0:00:11, bytes 6792, flags UIO

TCP outside 123.127.121.2:443 inside 10.20.216.235:1831, idle 0:00:11, bytes 2141, flags UIO


//123.127.121.2 is bank address

ASA# show xlate | i 10.20.216.235
PAT Global 103.191.12.1(36566) Local 10.20.216.235(1835)
PAT Global 103.191.12.2(65108) Local 10.20.216.235(1831)

from above you can see,when inside users has many connection(there are 2000 computers)

to internet ,PAT kick in,10.210.216.235 computer A established two connections to bank
web server. but ASA tranlate 10.20.216.235 to two different PAT Global address for

this two connection come from same inside ip address.
this is normal for PAT.   But bring a problem, because bank web site using src
dst load balance ,this two connections load balance to two different web server,
because src ip address is different,i can't modify bank web site. 
how can i config ASA translate 10.20.216.235 to same PAT global address, not round robin. 
thank you!
Tom

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card