Hello,

I am a bit confused about the PAT pool option when using auto NAT rules in FTD.

From my understanding when reading the configuration guide, we should use this option if we need more than a single public IP address for translation. https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/network_address_translation_nat_for_firepower_threat_defense.html 

However, I just tested to create an object-group with two Public IP addresses and used that as translated source. Even though I never enabled the PAT pool option in FTD, I'm still able to use both addresses in the object-group. The "show nat pool" command shows that when using all availible ports from the first Public IP, it then starting to use ports from the secondary one.

Here is the output from the show nat pool (I've changed the public addresses to private ones)

FTD-EXT-01# show nat pool ip 10.10.10.1
TCP PAT pool outside, address 10.10.10.1, range 1-1023, allocated 0
TCP PAT pool outside, address 10.10.10.1 range 1024-65535, allocated 62650
UDP PAT pool outside, address 10.10.10.1 range 1-1023, allocated 0
UDP PAT pool outside, address 10.10.10.1 range 1024-65535, allocated 14831

FTD-EXT-01# show nat pool ip 10.10.10.2
TCP PAT pool outside, address 10.10.10.2 range 1-1023, allocated 0
TCP PAT pool outside, address 10.10.10.2, range 1024-65535, allocated 54823
UDP PAT pool outside, address 10.10.10.2 range 1-1023, allocated 0
UDP PAT pool outside, address 10.10.10.2 range 1024-65535, allocated 15669

Is this an expected behaviour? The FTD is running version 7.2.1

Thanks

/Chess