
Sticky NAT Translations

Zoey Fahner
Level 1

Greetings all:

Currently I have a dynamic NAT policy for several sets of internal /16s that will be NAT'd to, say, 128 public IPs. However, we have had issues when devices are assigned xlates from two different public IPs (when one IP is exhausted). What I would like to do is force the firewall to either provide an xlate from the same external IP that may have already been established within the xlate timeouts for that host, or not at all. This is similar to the Juniper firewall function below.

"Set Sticky Dip

– When the sticky DIP is enabled, the Juniper firewall will ensure that the same address is assigned from the DIP pool (to a host) for multiple concurrent sessions."

I know that I can break the /16s into small groups and assign a public to each but this is very config intensive and an inefficient use of my publics due to some pools not utilizing all available ports while some may oversubscribe and be refused xlates altogether.

Is this possible on the ASA? Thank you for your help.

~Zoey

1 Reply

Jouni Forss
VIP Alumni

Hi,

I'm not sure if that's how ASA NAT works. At least I haven't been in that situation. But to my understanding the ASA doesn't use the same NAT IP address for the same inside host's concurrent connections. (But I can't really confirm this.)

When you have these global NAT pools configured for the /16 networks, have you also assigned 1 PAT IP address to handle the situation where your NAT pool runs out? For example, take some pool range and use the last IP address of that range as the PAT address.

For example, the following configuration:

global (outside) 192 192.168.1.100-192.168.1.199
global (outside) 192 192.168.1.200
nat (inside) 192 172.16.0.0 255.255.0.0

- Jouni
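For readers on ASA 8.3 or later, where the global/nat command pair was replaced by object NAT, here is the same pool-plus-PAT-fallback idea in that syntax. This is an added example, not Jouni's configuration or Cisco documentation text: the object names are made up, the addresses are the ones used in the reply above, and it assumes a release that supports the pat-pool keyword on the nat command. Like the original, it only supplies a PAT fallback once the pool is exhausted; nothing in it makes the mapped address sticky per inside host.

```cisco
! Added example (not from the thread): ASA 8.3+ object NAT equivalent of the
! pre-8.3 "global/nat" pair in the reply above. Object names are made up;
! addresses match the reply. Assumes a release with the pat-pool keyword.

! Inside network to be translated
object network INSIDE_172_16
 subnet 172.16.0.0 255.255.0.0

! Dynamic NAT pool: one mapped address per inside host until the 100 run out
object network NAT_POOL_OUT
 range 192.168.1.100 192.168.1.199

! Single PAT address, used only after the dynamic pool is exhausted
object network PAT_FALLBACK_OUT
 host 192.168.1.200

! Bind the translation to the inside object: pool first, PAT fallback second
object network INSIDE_172_16
 nat (inside,outside) dynamic NAT_POOL_OUT pat-pool PAT_FALLBACK_OUT

! Verification: confirm the rule was installed, then watch which mapped
! address a given inside host actually receives
show nat detail
show xlate
```

In show xlate output, entries built from the pool appear as plain NAT translations while entries using 192.168.1.200 appear as PAT translations, which is the quickest way to see whether the pool is being exhausted in practice.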
