Cisco ASA NAT Pool/PAT

johnlloyd_13
Level 9

Hi,

I have 2 private IP ranges that need to be configured to NAT to a pool of /29 public IPs.

Can someone confirm if the config below is correct?

Do I need to add the "flat" keyword to "PAT" to use the 1024-65535 dynamic ephemeral ports, or is this automatic?

Will both private IP ranges "exhaust" all PAT ports on the first IP 200.1.1.1 before going to the next IP 200.1.1.2 and so on?

object network OBJ-PUBLIC-IP-POOL
range 200.1.1.1 200.1.1.6

object network OBJ-10.0.0.16-29
subnet 10.0.0.16 255.255.255.248
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL

object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL

 

16 Replies

@johnlloyd_13 I assume you require Dynamic PAT, in which case you are missing "pat-pool"; this will translate the IP address and the ports.

object network LAN
 nat (inside,outside) dynamic pat-pool IPv4_POOL

In your example you are using Dynamic NAT which translates only the IP address, not the ports.

 

Hi Rob,

If I use the "pat-pool" keyword, would it "exhaust" all dynamic ports (1024 - 65535) on the first public IP in the NAT pool range, then use/exhaust the next public IP, and so on?

Do I need to use the "flat" keyword?

@johnlloyd_13 By default, all ports for a PAT address will be allocated before the next PAT IP address is used, and so on. You can append the keyword "round-robin" to the command syntax; this assigns an address/port from each PAT IP address in the pool before returning to use the first address again, then the second address, and so on.

No, I don't believe you need to use the keyword "flat"; you can use "include-reserve", which allocates ports 1-65535.

 

johnlloyd_13
Level 9

Hi Rob,

One last thing: what if I need to expand/add more public IPs to the NAT pool range for the same 10.x.x.x private IPs?

And what if it's also not a contiguous range? Sample scenario below:

object network OBJ-PUBLIC-IP-POOL
range 200.1.1.1 200.1.1.6     <<<< HOW CAN I ADD/SQUEEZE "200.1.1.10 OR 200.1.1.10 - 200.1.1.20"

 

@johnlloyd_13 It does not look like you can add another pat-pool to the same object (at least on 9.18); you can fall back to an interface though.

ASA(config-network-object)# nat (vlan5,outside) dynamic pat-pool POOL

network-object mode commands/options:
block-allocation Enable port block allocation
extended Extend PAT uniqueness to per destination instead of per interface
flat Translate TCP and UDP ports into flat range 1024-65535
include-reserve Translate TCP and UDP ports into flat range 1-65535
interface Use interface address as mapped IP
round-robin Specify to use PAT ip addresses in round robin instead one by one
<cr>

You could define another object which uses another pat-pool that uses the different range.

johnlloyd_13
Level 9

Hi Rob,

Can you confirm if it's possible to configure as below?

object network OBJ-PUBLIC-IP-POOL-1
range 200.1.1.1 200.1.1.6

object network OBJ-PUBLIC-IP-POOL-2
range 200.1.1.11 200.1.1.20


object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL-1

object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic 200.1.1.10

object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL-2

@johnlloyd_13 I am not sure about your example; I was thinking of splitting the larger subnet in half and using different pat-pools.

object network OBJ-10.2.0.0-17
 subnet 10.2.0.0 255.255.128.0
 nat (inside,outside) dynamic pat-pool OBJ-PUBLIC-IP-POOL-1

object network OBJ-10.2.128.0-17
 subnet 10.2.128.0 255.255.128.0
 nat (inside,outside) dynamic pat-pool OBJ-PUBLIC-IP-POOL-2

First, you cannot use two different NATs for the same source interface (and the same subnet).

The ASA does not check the first one and, if it is exhausted, check the second one.

No, the ASA always checks the first NAT.

To solve the issue of wanting to add more public IPs to the object, you can use an object-group network that has two objects, one for each pool, and use this object-group in only ONE NAT.
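Putting Rob's pat-pool/round-robin answer and the object-group suggestion above together, here is an added example of a complete configuration for the scenario in the thread. It is my own illustration, not config posted by anyone in the thread, and it assumes the interface and object names the OP used, that the running release accepts an object-group as the pat-pool argument (which the thread asserts but does not show), and that "flat include-reserve" is the accepted spelling of the port-range option on your release (the CLI help earlier in the thread lists the keywords individually; check with "?" on your own box).

```cisco
! Public PAT addresses: the original /29 range, the single extra host,
! and the second non-contiguous range, all grouped into one object-group
object network OBJ-PUBLIC-IP-POOL-1
 range 200.1.1.1 200.1.1.6
object network OBJ-PUBLIC-IP-10
 host 200.1.1.10
object network OBJ-PUBLIC-IP-POOL-2
 range 200.1.1.11 200.1.1.20
object-group network OG-PUBLIC-PAT-POOL
 network-object object OBJ-PUBLIC-IP-POOL-1
 network-object object OBJ-PUBLIC-IP-10
 network-object object OBJ-PUBLIC-IP-POOL-2
!
! Each private source gets ONE object NAT rule pointing at the group.
! "pat-pool" translates ports as well as addresses (plain "dynamic"
! would translate only the address); "round-robin" spreads new
! connections across every pool address instead of exhausting
! 200.1.1.1 first; "flat include-reserve" makes ports 1-65535 usable.
object network OBJ-10.0.0.16-29
 subnet 10.0.0.16 255.255.255.248
 nat (inside,outside) dynamic pat-pool OG-PUBLIC-PAT-POOL round-robin flat include-reserve
object network OBJ-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool OG-PUBLIC-PAT-POOL round-robin flat include-reserve
!
! Verification: confirm the rules were accepted, then watch which pool
! addresses and how many ports are in use so exhaustion is visible
! before users report failures.
show nat detail
show nat pool
show xlate count
```

One design note: round-robin gives the most even port usage, but a host's successive connections may then leave with different public addresses, which some services that pin a session to a single source IP dislike; if that matters for your traffic, drop "round-robin" and accept the fill-one-address-first behaviour Rob described, monitoring "show nat pool" for the first address running out of ports.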

@MHM Cisco World The statement "First you can not use two different NAT for same source interface" is not true for dynamic NAT; it is true for static though, and even then it is limited to using the same translated IP and, even further, the same translated port number. In this post we are talking about dynamic NAT, which makes this irrelevant.

--
Please remember to select a correct answer and rate helpful posts

What makes the ASA check the second NAT if the first one is exhausted? Can you try it in a lab or share a doc.

Thanks a lot

MHM

You don't need a doc for this one... it is the source IP. The first NAT is defined for source 10.0.0.0/16 while the second NAT is defined for 10.2.0.0/16.

--
Please remember to select a correct answer and rate helpful posts

Yes friend, but @johnlloyd_13 uses the same subnet

subnet 10.2.0.0 255.255.0.0

That's why I replied that he cannot do that.

Thanks 

MHM

Maybe I am not following what you are trying to point out. Looking at the original post I see two different subnets, 10.0.0.16/29 and 10.2.0.0/16. Using these two as sources to NAT to the same NAT/PAT pool is possible. The only thing that was wrong in his post was the syntax of the NAT statement (depending on how the NAT statements are to be placed).

--
Please remember to select a correct answer and rate helpful posts

Splitting the subnet can be a solution for using two NATs, but the same subnet and the same interface in two NATs using two pools, as @johnlloyd_13 shared, I DON'T think that works.

MHM
