02-13-2024 11:54 PM
hi,
I have 2 private IP ranges that would need to be configured to a NAT pool of /29 public IPs.
Can someone confirm if the config below is correct?
Do I need to add the "flat" keyword to "PAT" to use the 1024-65535 dynamic ephemeral ports, or is this automatic?
Will both private IP ranges "exhaust" all PAT ports on the first IP 200.1.1.1 before going to the next IP 200.1.1.2 and so on?
object network OBJ-PUBLIC-IP-POOL
range 200.1.1.1 200.1.1.6
object network OBJ-10.0.0.16-29
subnet 10.0.0.16 255.255.255.248
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL
object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL
02-14-2024 12:22 AM
@johnlloyd_13 I assume you require Dynamic PAT, in which case you are missing "pat-pool" - this will translate the IP address and ports.
object network LAN
nat (inside,outside) dynamic pat-pool IPv4_POOL
In your example you are using Dynamic NAT which translates only the IP address, not the ports.
02-14-2024 04:42 AM
hi rob,
If I use the "pat-pool" keyword, would it "exhaust" all dynamic ports (1024 - 65535) on the first public IP in the NAT pool range, then use/exhaust the next public IP, and so on?
Do I need to use the "flat" keyword?
02-14-2024 05:02 AM
@johnlloyd_13 by default all ports for a PAT address will be allocated before the next PAT IP address is used and so on. You can append the keyword "round-robin" to the command syntax, this assigns an address/port from each PAT IP address in the pool before returning to use the first address again, and then the second address, and so on.
No, I don't believe you need to use the keyword "flat"; you can use "include-reserve", which allocates ports 1-65535.
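As an added illustration of the allocation order described in the reply above (not code from the thread or from Cisco), the toy model below hands out mapped (IP, port) pairs from the 200.1.1.1-200.1.1.6 pool in the default "drain one address before the next" order and in round-robin order; it is a simplification that ignores port tiers, block allocation and the "extended" per-destination mode, and the function and parameter names are made up for the example.

```python
"""Toy model of ASA pat-pool allocation order (constructed example, not the
thread's or Cisco's code). Default mode: every mapped port of the first
address is used before the next address; round-robin: one port from each
address in turn. Pool and port ranges are the ones quoted in the thread."""
from ipaddress import IPv4Address
from typing import List, Sequence, Tuple


def pool_addresses(ranges: Sequence[Tuple[str, str]]) -> List[str]:
    """Expand one or more inclusive (first, last) ranges into mapped IPs.
    Several ranges model an object-group holding more than one pool object."""
    addrs: List[str] = []
    for first, last in ranges:
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        addrs.extend(str(IPv4Address(i)) for i in range(lo, hi + 1))
    return addrs


def mapped_ports(include_reserve: bool = False) -> range:
    """Usable mapped ports: 1024-65535 (the "flat" range) or, with
    include-reserve, 1-65535. Port tiers are deliberately not modelled."""
    return range(1 if include_reserve else 1024, 65536)


def capacity(addrs: Sequence[str], ports: range) -> int:
    """Simultaneous translations the pool holds before it is exhausted."""
    return len(addrs) * len(ports)


def nth_mapping(n: int, addrs: Sequence[str], ports: range,
                round_robin: bool = False) -> Tuple[str, int]:
    """Mapped (ip, port) handed to the n-th (0-based) new connection,
    assuming nothing has been released and no port was already in use."""
    if not 0 <= n < capacity(addrs, ports):
        raise IndexError("PAT pool exhausted")
    if round_robin:
        # one port from each address in turn, then back to the first address
        return addrs[n % len(addrs)], ports[n // len(addrs)]
    # default: drain all ports of the first address before moving on
    return addrs[n // len(ports)], ports[n % len(ports)]


if __name__ == "__main__":
    pool = pool_addresses([("200.1.1.1", "200.1.1.6")])
    ports = mapped_ports()
    print("capacity:", capacity(pool, ports))
    for i in (0, 1, len(ports) - 1, len(ports)):
        print(i, nth_mapping(i, pool, ports), nth_mapping(i, pool, ports, True))
```

Passing two ranges to pool_addresses shows the effect of combining a second, non-contiguous public range into one pool without touching the allocation logic.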
02-14-2024 05:19 AM
hi rob,
One last thing: what if I need to expand/add more public IPs to the NAT pool range for the same 10.x.x.x private IPs?
And if it's also not in a continuous range? Sample scenario below:
object network OBJ-PUBLIC-IP-POOL
range 200.1.1.1 200.1.1.6 <<<< HOW CAN I ADD/SQUEEZE IN "200.1.1.10" OR "200.1.1.10 - 200.1.1.20"?
02-14-2024 05:36 AM
@johnlloyd_13 It does not look like you can add another pat-pool to the same object (at least on 9.18); you can fall back to an interface though.
ASA(config-network-object)# nat (vlan5,outside) dynamic pat-pool POOL
network-object mode commands/options:
block-allocation Enable port block allocation
extended Extend PAT uniqueness to per destination instead of per interface
flat Translate TCP and UDP ports into flat range 1024-65535
include-reserve Translate TCP and UDP ports into flat range 1-65535
interface Use interface address as mapped IP
round-robin Specify to use PAT ip addresses in round robin instead one by one
<cr>
You could define another object which uses another pat-pool, that uses the different range.
02-14-2024 05:42 AM
hi rob,
Can you confirm if it's possible to configure it as below?
object network OBJ-PUBLIC-IP-POOL-1
range 200.1.1.1 200.1.1.6
object network OBJ-PUBLIC-IP-POOL-2
range 200.1.1.11 200.1.1.20
object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL-1
object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic 200.1.1.10
object network OBJ-10.2.0.0-16
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source dynamic OBJ-PUBLIC-IP-POOL-2
02-14-2024 05:51 AM
@johnlloyd_13 I am not sure about your example; I was thinking of splitting the larger subnet in half and using different pat-pools.
object network OBJ-10.2.0.0-17
subnet 10.2.0.0 255.255.128.0
nat (inside,outside) dynamic pat-pool OBJ-PUBLIC-IP-POOL-1
object network OBJ-10.2.128.0-17
subnet 10.2.128.0 255.255.128.0
nat (inside,outside) dynamic pat-pool OBJ-PUBLIC-IP-POOL-2
02-14-2024 06:08 AM - edited 02-14-2024 07:09 AM
First, you cannot use two different NATs for the same source interface (and same subnet).
The ASA does not check the first one and, if it is exhausted, check the second one.
No, the ASA always checks the first NAT.
To solve the issue, if you want to add more public IPs to the object you can use an object-group network that has two objects, one for each pool, and use this object-group in only ONE NAT.
02-14-2024 06:50 AM
@MHM Cisco World The statement "First you can not use two different NAT for same source interface" is not true for dynamic NAT; it is true for static though, and even then it is limited to using the same translated IP, and then even further to using the same translated port number. In this post we are talking about dynamic NAT, which makes this irrelevant.
02-14-2024 06:53 AM
What makes the ASA check the second NAT if the first one is exhausted? Can you try it in a lab or share a doc?
Thanks a lot
MHM
02-14-2024 07:05 AM
You don't need a doc for this one... it is the source IP. The first NAT is defined for source 10.0.0.0/16 while the second NAT is defined for 10.2.0.0/16.
02-14-2024 07:08 AM
Yes friend, but @johnlloyd_13 uses the same subnet
subnet 10.2.0.0 255.255.0.0
That is why I replied he cannot do that.
Thanks
MHM
02-14-2024 07:19 AM
Maybe I am not following what you are trying to point out. Looking at the original post I see two different subnets, 10.0.0.16/29 and 10.2.0.0/16. Using these two as sources to NAT to the same NAT/PAT pool is possible. The only thing that was wrong in his post was the syntax of the NAT statement (depending on how the NAT statements are to be placed).
02-14-2024 07:05 AM - edited 02-14-2024 07:05 AM
Splitting the subnet can be a solution for using two NATs, but the same subnet and same interface in two NATs using two pools, as @johnlloyd_13 shared, I DON'T think it works.
MHM