

Dynamic NAT


One of my applications makes connections to a webserver, and because of the amount of data transmitted, if too many consecutive requests are sent, we are looked at as a DoS attack.  What I am wondering is if there is a way to have a single IP address on my internal network bound to a NAT pool so that communication to the outside uses a different IP address each time a connection is made.  Essentially I want the XLATE table to be cleared and a new IP address used for subsequent communication.  Think of it as a round robin approach. 

Any ideas on how I might do something like this or any suggestions on what I can do.




Hi Scott,

This is possible on ASA: dynamic PAT with PAT-pool and round-robin allocation requires ASA 8.4(2) and above.

The syntax would look like:

object network PAT_POOL1


object network INSIDE_HOST1


   nat (inside,outside) dynamic pat-pool PAT_POOL1 round-robin

ASA# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic INSIDE_HOST1 pat-pool PAT_POOL1 round-robin

    translate_hits = 0, untranslate_hits = 0

    Source - Origin:, Translated (PAT):




I tested this out of interest yesterday and today with both Manual NAT and Auto NAT and it doesn't seem to work for a single source host. (Was running 8.4(5))

I have a couple of actual /29 public address blocks at home and made a PAT Pool of them for one of my computers.

The single host kept using the first address in the pool for all the PAT translations.

In today's test it seems that if I include the whole LAN subnet and use multiple source addresses for connections, then the first source address uses the first PAT address and the second source address uses the second PAT address.

So I am not all that sure the single host will benefit from this configuration, as it seems it would have to exhaust all the ports again on the single PAT address before perhaps moving to the next one. At least it seemed like that, and I can't say that with 100% certainty.

- Jouni



Did you include the option for round robin as listed in the reply by Patrick?  I haven't had a chance to attempt his solution yet, but I am very interested in seeing if this works.

I appreciate your input and Patrick's.  If I can get this to work it will make my life easier.




Yes I did,

It didn't work with a single source address with either the Manual NAT or Auto NAT configuration format, if I was to believe the "packet-tracer" output.

Also, as I have said, I tried it with actual public IP addresses as the PAT Pool and browsed the Internet for a while with my own computer. My computer only used the first PAT IP address from the "object" I defined, nothing else.

Later tests with "packet-tracer" seemed to indicate that if I configured an actual subnet as the source and used multiple different source addresses then each source address would get PATed to different public IP address in order.

Even if it was the case that this method didn't work, I imagine I could define a NAT rule that would do this for a single host. The only problem really is that it wouldn't be a typical/clean configuration, but I imagine it would be possible if you wanted such a configuration. I would still have to test that.

I guess this is yet another special NAT configuration I should add to my NAT document.

- Jouni


Hi Jouni,

You are absolutely correct about that. I think the doc explains it as "stickiness" to the PAT IP address for the same host as long as ports are available:

In the guidelines for PAT Pool:

If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.

Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.

You could maybe change your NAT based on the source port of the connection.

To do that you need to actually be able to control the source port used to establish the connection (might be tough to accomplish)...

You can have a different NAT entry per source port or for a range of source ports... should be tested to make sure it works. Apparently Source Dynamic PAT (hide) does not support port translation so you have to use static:

asa(config)# sh run object in-line

object network IN1 host

object network OUT1 host

object network OUT2 host

object service SP1 service tcp source range 1024 1048

object service SP2 service tcp source eq 5002


nat (inside,outside) source static IN1 OUT1 service SP1 SP1

nat (inside,outside) source static IN1 OUT2 service SP2 SP2


asa(config)# show nat detail

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static IN1 OUT1   service SP1 SP1

    translate_hits = 0, untranslate_hits = 0

    Source - Origin:, Translated:

    Service - Origin: tcp source range 1024 1048 , Translated: tcp source range 1024 1048

2 (inside) to (outside) source static IN1 OUT2   service SP2 SP2

    translate_hits = 0, untranslate_hits = 0

    Source - Origin:, Translated:

    Service - Origin: tcp source eq 5002 , Translated: tcp source eq 5002

You can also use the unidirectional keyword...
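To make the behaviour the thread is circling around concrete, here is an added example (not Cisco's code, and not part of any post above): a small Python model of a PAT pool with the round-robin allocation and the per-host "stickiness" quoted from the guidelines, plus a matcher for the per-source-port static rules Patrick shows. The pool addresses, tiny port range and host names are constructed so the exhaustion case is visible in a few connections; the cursor-based round-robin and what happens when a PAT address runs out of ports are assumptions about the allocator, since Jouni notes he could not confirm that part with certainty.

```python
"""Model of ASA PAT-pool round-robin allocation with per-host stickiness.

Added example, not Cisco's implementation.  It models the documented rule:
a host that already holds a translation keeps using the same PAT IP while
that IP still has free ports; a host with no translation takes the next
pool address in round-robin order.  Behaviour on exhaustion (move to the
next address) is an assumption.  All addresses below are constructed.
"""


class PatPool:
    def __init__(self, addresses, port_lo=1024, port_hi=65535):
        self.addresses = list(addresses)
        self.capacity = port_hi - port_lo + 1   # usable ports per PAT IP
        self.cursor = 0                         # shared round-robin cursor
        self.used = {ip: 0 for ip in self.addresses}   # ports in use per IP
        self.sticky = {}                        # source host -> current PAT IP

    def _has_free_port(self, ip):
        return self.used[ip] < self.capacity

    def translate(self, src_host):
        """Return the PAT IP a new connection from src_host would use."""
        # Stickiness: reuse the host's current PAT IP if it still has ports.
        ip = self.sticky.get(src_host)
        if ip is not None and self._has_free_port(ip):
            self.used[ip] += 1
            return ip
        # Otherwise walk the pool from the shared cursor (round-robin).
        for _ in range(len(self.addresses)):
            cand = self.addresses[self.cursor]
            self.cursor = (self.cursor + 1) % len(self.addresses)
            if self._has_free_port(cand):
                self.sticky[src_host] = cand
                self.used[cand] += 1
                return cand
        raise RuntimeError("PAT pool exhausted")


def simulate(pool_addrs, connections, port_lo, port_hi):
    """Count how many connections land on each PAT IP.

    connections is a list of source hosts, one entry per new connection.
    """
    pool = PatPool(pool_addrs, port_lo, port_hi)
    counts = {}
    for host in connections:
        ip = pool.translate(host)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed equivalent of the two manual NAT rules in the post above:
# (real object, mapped object, (source port low, source port high)).
STATIC_RULES = [
    ("IN1", "OUT1", (1024, 1048)),   # service SP1: tcp source range 1024 1048
    ("IN1", "OUT2", (5002, 5002)),   # service SP2: tcp source eq 5002
]


def match_static_rule(src_object, src_port, rules=STATIC_RULES):
    """First-match lookup, the way Section 1 manual NAT rules are ordered."""
    for real, mapped, (lo, hi) in rules:
        if real == src_object and lo <= src_port <= hi:
            return mapped
    return None


if __name__ == "__main__":
    # Constructed pool of three PAT addresses with only 3 ports each.
    addrs = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    # One host, five connections: sticks to .1 until its ports are gone.
    print(simulate(addrs, ["10.0.0.5"] * 5, 1024, 1026))
    # Three hosts, one connection each: round-robin across the pool.
    print(simulate(addrs, ["10.0.0.5", "10.0.0.6", "10.0.0.7"], 1024, 1026))
    print(match_static_rule("IN1", 1030), match_static_rule("IN1", 5002))
```

Running the single-host case shows why a lone source saw only the first pool address in Jouni's tests: the cursor only advances when a host has no usable sticky mapping, so a second address is reached only after the first one's ports are used up. The three-host case reproduces the "first source gets first PAT address, second gets second" observation. The static-rule matcher illustrates Patrick's workaround: steering by source port works only if the application can pin its source ports into the configured ranges, which is the hard part he points out.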

