cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
652
Views
0
Helpful
0
Replies

NAT pool transfer on Cisco ASA

mehulnangru
Level 1
Level 1

We have Cisco ASA in "active-active" clusters , if there is a change of roles from master to slave (or vice versa) on any member of the cluster, there is a chance that the NAT pool ownership may not get transferred in the process. As a result, the new master device may not be able to allocate a NAT IP for valid traffic from its NAT pool because the pool is owned by the other unit, and there aren't enough unique IP addresses in the pool for use by both members of the cluster.

Cisco has investigated this and said that this is due to a design issue which according to them does not follow the best practice. The best practice is to have at least as many IP addresses configured in the NAT pool as there are members in the cluster. Please note that the aforementioned problem appears to affect NAT port-address translation (PAT) scenarios, and not all ASA clusters may have PAT set up.


0 Replies 0
Review Cisco Networking for a $25 gift card