Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
212
Views
0
Helpful
1
Replies

Cisco ASA PAT port range depending on source-ip-address?

chris-doro
Level 1
Level 1

‎04-06-2025 04:18 AM - edited ‎04-06-2025 04:35 AM

Is it possible to have defined outside source-port-range in PAT depending on the source-ip-address network?
E.g. 
Outside-NAT, using outside-NAT address 18.66.27.86.
TCP-sessions coming from 192.168.1.0/24 uses port-range 30000-39000 as source-ports on outside-if.
TCP-sessions coming from 192.168.2.0/24 uses port-range 40000-49000 as source-ports on outside-if.
But I do now know which source-ports the devices use, they might use larger port-range as source.

192.168.1.1:21001 -> 18.66.27.86:30000
192.168.1.2:49011 -> 18.66.27.86:30001
-------------------------------------
192.168.2.1:39109 -> 18.66.27.86:40000
192.168.2.2:32417 -> 18.66.27.86:40001

0 Helpful
1 Reply 1

Sheraz.Salim
VIP Alumni
VIP Alumni

‎04-06-2025 01:35 PM

On Cisco ASA firewall it's not possible to directly define source-port ranges for PAT based on the source IP network using standard NAT configuration. The ASA's PAT implementation doesn't support granular port-range assignments to specific source subnets.

By default, the ASA uses these port ranges for translations

Block 1: 0–511

Block 2: 512–1023

Block 3: 1024–65535
Ports are allocated within the same block as the original source port. This behavior can’t be overridden to enforce subnet-specific ranges like 30000–39000 for 192.168.1.0/24. Source Link website 

Using the flat keyword allows ports 1024–65535 for all translations, but this applies globally and can’t be restricted to specific subnets Source link 

Possible work-around you can apply

! For 192.168.1.0/24  
object network PAT-IP-1  
  host 18.66.27.86  
nat (inside,outside) source dynamic 192.168.1.0/24 pat-pool PAT-IP-1 flat  

! For 192.168.2.0/24  
object network PAT-IP-2  
  host 18.66.27.87  # Second external IP  
nat (inside,outside) source dynamic 192.168.2.0/24 pat-pool PAT-IP-2 flat

Option 2 Workaround

Enable extended PAT to track destination IP/port, increasing concurrent translations

nat (inside,outside) source dynamic 192.168.1.0/24 pat-pool PAT-IP-1 extended  
nat (inside,outside) source dynamic 192.168.2.0/24 pat-pool PAT-IP-1 extended

 

 

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card