Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
257
Views
0
Helpful
2
Replies

Question about PAT on ASA

Go to solution
Terence Lockette
Level 1
Level 1

‎03-03-2016 11:19 AM - edited ‎03-12-2019 12:26 AM

Hello all,

We currently have a set up where we're natting any and all networks to a range of public IP addresses.  We currently have a /24 of public IP space in which 123 of these addresses are used for dynamic NAT.  I want to reserve some of these addresses by creating a network object for each internal network that needs access to the Internet and then dynamically NAT it to a single IP of our public space.  We currently have around 15 internal networks so we could save a lot of public addresses with this solution.  I have tested it and it seems to work; however, my test was in a very small lab environment.  My question is will this type of set up have any drawbacks in a real production environment?  Most of our networks are either a /24, /23, /22, and we have a single /21 network.  Your feedback is valuable to this scenario.  Thanks in advance!

Regards,

Terence

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎03-07-2016 09:30 AM

Hi Terence,

This would work for sure in production as well. However if the internal network is big and makes lot of connections then  use pat-pool or range of mapped ip for the internal network so that internal network doesn't run out of mapped ip/port(pat-pool exhaust).

please use to link below to implement the same :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#pgfId-1455942

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎03-07-2016 09:30 AM

Hi Terence,

This would work for sure in production as well. However if the internal network is big and makes lot of connections then  use pat-pool or range of mapped ip for the internal network so that internal network doesn't run out of mapped ip/port(pat-pool exhaust).

please use to link below to implement the same :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#pgfId-1455942

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

0 Helpful

Go to solution
Terence Lockette
Level 1
Level 1
In response to Akshay Rastogi

‎03-07-2016 09:41 AM

Thanks for your response Akshay,

It seem to test very well in my lab environment so I'm thinking of adding a PAT pool range for each internal network if I go forward with this.  Thanks again!

Regards,

Terence

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card