Experience with NAT/PAT in ASA/FTD cluster

tvotna
Spotlight

Can anybody share his/her experience with NAT/PAT running in an ASA/FTD cluster if PAT is handled in centralized mode?

This firewall is mostly used for inbound access, so almost all traffic goes through static NAT or static PAT, but we still have a few dynamic PAT rules for outbound access. We want to keep per-session PAT disabled with "xlate per-session deny tcp any4 any4" and don't want to allocate more IPs for PAT on member units, so in my understanding PAT will be handled in centralized mode on the master. Master unit throughput isn't a problem.

Any drawbacks in doing this?

And a stupid question: is the classic syntax (without the pat-pool keyword) supported in an ASA cluster: nat (inside,outside) source dynamic real-ip-subnet global-object?


2 Replies 2

manabans
Cisco Employee

NAT pool address distribution for dynamic PAT—The control node evenly pre-distributes addresses across the cluster. If a member receives a connection and they have no addresses assigned, then the connection is forwarded to the control node for PAT. If a cluster member leaves the cluster (due to failure), a backup member will get the PAT IP address, and if the backup exhausts its normal PAT IP address, it can make use of the new address. Make sure to include at least as many NAT addresses as there are nodes in the cluster, plus at least one extra address, to ensure that each node receives an address, and that a failed node can get a new address if its old address is in use by the member that took over the address. Use the show nat pool cluster command in the device CLI to see the address allocations.

Refer to the topic NAT and Clustering:
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/clustering_for_the_firepower_threat_defense.html#ID-2170-0000031b

This doesn't answer my question, because we want to handle all dynamic PAT on the master unit only in order to minimize complexity and avoid numerous bugs and design issues in pre-9.15 releases, e.g. issues with multi-channel protocols and pool shortage / rebalancing.
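The following ASA CLI fragment is an added example for readers of this thread; it is not configuration posted by either participant. It puts side by side the two outbound dynamic PAT designs discussed above: variant A, the classic manual-NAT rule with a single mapped address and per-session PAT denied for TCP, which is what the question describes, and variant B, a pat-pool sized to nodes + 1 for a four-node cluster, which is what the reply recommends. Object names, interface names and addresses are constructed (RFC 1918 and RFC 5737 ranges). Whether variant A actually results in all dynamic PAT being handled on the control node, as the poster expects, is not confirmed anywhere on this page; verify it on the running cluster with the show commands listed at the end rather than assuming it.

```cisco
! Added example, not from the thread. All names and addresses are constructed.
! Use EITHER variant A OR variant B for the outbound rule; both are shown
! only for comparison and would otherwise both sit in the NAT table.

! Real (inside) address space and the servers published inbound
object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0

! --- Inbound access: static NAT and static PAT (the bulk of this firewall's rules)
object network WEB-SERVER-REAL
 host 10.0.1.10
 nat (inside,outside) static 203.0.113.20
object network SSH-JUMP-REAL
 host 10.0.1.11
 ! real tcp/22 is reachable on mapped tcp/2222
 nat (inside,outside) static 203.0.113.21 service tcp 22 2222

! --- Variant A: one mapped address, classic manual-NAT syntax (no pat-pool keyword)
object network PAT-IP
 host 203.0.113.10
nat (inside,outside) source dynamic INSIDE-NET PAT-IP

! Per-session PAT is on by default for TCP; user-added per-session rules are
! evaluated before the built-in permit rules, so this deny overrides them for
! IPv4 TCP and those connections use multi-session PAT xlates instead.
xlate per-session deny tcp any4 any4

! --- Variant B: pool sized for a 4-node cluster (nodes + 1 = 5 addresses), so the
! control node can pre-distribute one address per node and keep one spare for
! a node that rejoins after a failure, as the reply recommends.
object network PAT-POOL
 range 203.0.113.10 203.0.113.14
nat (inside,outside) source dynamic INSIDE-NET pat-pool PAT-POOL

! --- Verification (privileged EXEC, run on the control node):
!   show cluster info        ! which unit is control node, which are data nodes
!   show nat detail          ! rule order and hit counts; confirms which variant is active
!   show nat pool cluster    ! which node owns which PAT address (see the reply above)
!   show xlate               ! live translations, to see where PAT xlates are being built
```

Deploy only one of the two outbound rules, then compare show nat pool cluster before and after taking a data node out of the cluster: with variant B you should see its address move to another node, with variant A there is only one address to watch, and that is the place to confirm, rather than assume, how the cluster handles it on your release.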
