Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
702
Views
0
Helpful
1
Replies

PAT pool problems. On 6.4.x. Found known issue for 6.3. How can I do this?

mn-sysadmin
Level 1
Level 1

‎07-08-2019 01:00 PM

2130 HA pair running 6.4.0.1.

 

I am setting up outgoing NAT/PAT. There are several internal interfaces with their own private subnets. My intent is to IP masquerade all outgoing connections from internal private subnet A to a pool of public IP's on my external interface using a PAT pool without round robin.

 

I configured the first internal subnet to do Auto dynamic NAT with the interface object defined for source and destination and set the Translated Object to be "Address" and put in the IP address of the external interface. By setting it to "Address" versus "Destination interface IP" it enabled the checkbox to enable a PAT pool. 

However when I go to save the config it errors out with this text

 

 

 

"Translated Source or Original Destination network IP address cannot overlap with Interface Ip address 

IP address overlap configurations observed for following interface configurations :

Interface Object [outside] having interfaces [outside] of device FTDv1

Specify Interface Object or specify an alternate IP address for Network Translation"

This is puzzling since of course the Translated address need to be defined on a firewall interface right?

 

I found this KB article referencing 6.3.0 which seems to indicate it is a bug, but it still doesnt work in 6.4.0.1

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvo68820

 

The only way I could get any sort of NAT to work was to do Auto Dynamic and not choose Address for the Translated field but use "Destination interface IP". But then PAT Pool is greyed out!

 

So at this point, all I can do is setup multiple rules that define the internal source private subnets/interfaces to NAT to the single external interface IP. 

 

But what I want is the following

Internal Private Subnet A -->  PAT pool of public ip's on the external interface public /23 subnet. X.X.X.1-X.X.X.4

Internal Private Subnet B -->  NAT/PAT to a different public ip on the external interface public /23 X.X.X.5

Internal Private Subnet C --> NAT/PAT to a different public ip on the external interface public /23 X.X.X.6

 

Appreciate any insights

Labels:
0 Helpful
1 Reply 1

mn-sysadmin
Level 1
Level 1

‎07-08-2019 01:41 PM

I think I may have figured this out. Here is what I did

 

 

On the Translation tab, I set the Translated Packet to "Address" but then just left it blank. Then went to the PAT Pool tab and set PAT to Address and selected an Object with a range of sequential public IP's

 

Is that the solution?

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card