ASA How the ASA allocates PAT translations pre-version 8.4

Jay Johnston · ‎05-20-2010

Starting in version 8.4, the concept of the 'pat-pool' command was introduced. This document describes how PAT ports are allocated prior to version 8.4.

PAT port allocation before the fix for CSCsr28008

The ASA and PIX divide up the PAT port allocation range into three pools:

1-511
512-1023
1024-65535

The firewall will look at the source port of the outbound packet, and build a PAT xlate using that same source port if it was available; If that source port xlate was already in use (previously allocated by the firewall), it would allocate the next subsequent free xlate port resideing in the same pool as the source port of the packet. The firewall would sequentially allocate PAT xlates using the appropriate pool range using the first global ip address available. When a new xlate needed to be built, the firewall would allocate the next sequential port available in the appropriate range (even if a previously used port had been freed). It would continue to allocate the new xlates sequentially; then once it hit 65535, it would go back (or "wrap") to the beginning of the appropriate pool of the same global ip to check for a free xlate and use one if it was found. If no free xlate was available for port range, it would then move to the next global ip address and attempt to allocate the same source port xlate, and restart the process. Therefore, the entire xlate pool for a particular port range would have to be completely exhausted before the firewall would move to the next global ip.

PAT port allocation after the fix for CSCsr28008 (late 2008)

The firewall still has the concept of source port ranges, and picking a global port from the matching range for the global IP. When the firewall needs to build a new PAT xlate, it chooses a random port from within the matching global IP PAT pool range that matches the source port, and checks if it is available. If not, it then checks each sequential port in that global range to find a free one to use. If it reaches the end of the pool range without finding a free xlate, it wraps to the beginning of the global IP PAT list and continues to sequentially search for a free global xlate port. If none is found, the firewall moves to the next global IP and starts over there.

The key difference between this global PAT pool choice algorithm, and the algorithm used pre CSCsr28008, is that the ASA now effectively randomizes the global PAT port chosen.

What happens if a global PAT pool range is exhausted?

If the firewall's global port range is exhausted, and there are no other global IPs to use with an open port in that range, the firewall will fail to create the translation, and send a reset packet back to the inside host (in the case of TCP), and the connection will fail. Here is an example:

jajohnst-5505# show nat pool

TCP PAT pool 172net, address 172.18.254.146, range 1-511, allocated 511 <------ pool exhausted

TCP PAT pool 172net, address 172.18.254.146, range 512-1023, allocated 0

TCP PAT pool 172net, address 172.18.254.146, range 1024-65535, allocated 38

Syslogs showing the allocation failing:

Mar 05 2010 12:07:50: %ASA-3-305006: portmap translation creation failed for tcp src 14net:14.36.103.220/129 dst 172net:172.18.124.187/80

Mar 05 2010 12:07:51: %ASA-3-305006: portmap translation creation failed for tcp src 14net:14.36.103.220/130 dst 172net:172.18.124.187/80

Example commands and syslogs showing PAT xlate allocation

Note that starting in version 8.3, we have commands to help gain visibility into the utilization of the different ranges available on a global PAT IP:

jajohnst-5505# show nat pool

UDP PAT pool 14net, address 14.36.103.88, range 1-511, allocated 8

UDP PAT pool 14net, address 14.36.103.88, range 512-1023, allocated 0

UDP PAT pool 14net, address 14.36.103.88, range 1024-65535, allocated 7

TCP PAT pool 14net, address 14.36.103.88, range 1-511, allocated 1

TCP PAT pool 14net, address 14.36.103.88, range 512-1023, allocated 0

TCP PAT pool 14net, address 14.36.103.88, range 1024-65535, allocated 1

And some syslogs showing the firewall allocating ports in different ranges:

From an ASA running 8.3(1)

range 1-511

Mar 05 2010 11:06:09: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/297 to 172net:172.18.254.146/4

Mar 05 2010 11:06:10: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/298 to 172net:172.18.254.146/403

Mar 05 2010 11:06:11: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/299 to 172net:172.18.254.146/455

Mar 05 2010 11:06:12: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/300 to 172net:172.18.254.146/55

Mar 05 2010 11:06:13: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/301 to 172net:172.18.254.146/449

Mar 05 2010 11:06:14: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/302 to 172net:172.18.254.146/430

Mar 05 2010 11:06:15: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/303 to 172net:172.18.254.146/3

Mar 05 2010 11:06:16: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/304 to 172net:172.18.254.146/299

Mar 05 2010 11:06:17: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/305 to 172net:172.18.254.146/49

range 512-1023

Mar 05 2010 11:06:59: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1003 to 172net:172.18.254.146/638

Mar 05 2010 11:07:00: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1004 to 172net:172.18.254.146/964

Mar 05 2010 11:07:01: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1005 to 172net:172.18.254.146/951

Mar 05 2010 11:07:02: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1006 to 172net:172.18.254.146/529

Mar 05 2010 11:07:03: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1007 to 172net:172.18.254.146/738

Mar 05 2010 11:07:04: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1008 to 172net:172.18.254.146/584

Mar 05 2010 11:07:05: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1009 to 172net:172.18.254.146/537

range 1024-65535

Mar 05 2010 11:07:20: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1024 to 172net:172.18.254.146/55241

Mar 05 2010 11:07:21: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1025 to 172net:172.18.254.146/59923

Mar 05 2010 11:07:22: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1026 to 172net:172.18.254.146/28390

Mar 05 2010 11:07:23: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1027 to 172net:172.18.254.146/58459

Mar 05 2010 11:07:24: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1028 to 172net:172.18.254.146/31421

Mar 05 2010 11:07:25: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1029 to 172net:172.18.254.146/25290

Mar 05 2010 11:07:26: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1030 to 172net:172.18.254.146/27633

Mar 05 2010 11:07:27: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1031 to 172net:172.18.254.146/39090

Mar 05 2010 11:07:28: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1032 to 172net:172.18.254.146/55198

We see the same behavior from an ASA running 8.2(2):

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/95 to 124net:172.18.124.234/208

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/96 to 124net:172.18.124.234/460

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/97 to 124net:172.18.124.234/296

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/98 to 124net:172.18.124.234/416

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/99 to 124net:172.18.124.234/309

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/100 to 124net:172.18.124.234/401

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/900 to 124net:172.18.124.234/595

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/901 to 124net:172.18.124.234/718

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/902 to 124net:172.18.124.234/626

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/903 to 124net:172.18.124.234/779

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2000 to 124net:172.18.124.234/65251

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2001 to 124net:172.18.124.234/13638

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2002 to 124net:172.18.124.234/31624

%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2003 to 124net:172.18.124.234/42485

daniel.bloom · ‎08-16-2010

Jay, great document. Is there a way of making this work with protocols that have specific source port requirements? EG Checkpoint VPN negotiation uses UDP/259 for both source and destination ports. The randomization of the source port as it passes through the PAT process seems to break the negotiation. Is there a workaround for getting these protocols to work in a PAT environment?

Jay Johnston · ‎08-25-2010

Daniel,

Unfortunately, with PAT on the ASA the source-port change is always enabled, and cannot be disabled. Your only workaround is to configure a static one-to-one translation for the inside vpn hosts (so no PAT), which would preserve the source port of the translation.

- Jay

omeuter · ‎09-15-2010

I'll agree, great document. We've recently migrated a customer from a FWSM to an ASA. This customer uses the above mentioned VPN client. Now we are running into the problem that this customer can create ~500 VPN tunnels through the ASA since the mapping is done from the first port pools. The FWSM could handle sever thousend patted VPN tunnels before.

Also the manual describes it a little bit diffrent, but I belive Jays document is more accurate.

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2, Chapter Configuring Dynamic NAT and PAT

PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

What the manual doesn't explain is about that this is only true for user/high ports.

One option to extend this would be adding additional pat addresses what we would like to avoid. Is there a chance to modify this behaviour that the pat port will be choosen from all pools, or at least from the biggest pool?

Oliver

Jay Johnston · ‎09-16-2010

Hey Oliver,

You're right, at this time the only option is to add an additional PAT port to the pool, which would add another 511 available translation slots. Your feedback regarding the feature is noted.

We have an open enhancement request that would help the global pool range become configurable, so you could modify the pool ranges. You can talk to your Cisco Account Team about this enhancement and they can work to prioritize the feature in a later release.

CSCtg99361 - ENH: PAT global port ranges should be configurable

Sincerely,

Jay

omeuter · ‎09-18-2010

Hi Jay,

Thanks for that. I'll do so.

Best regards

Oliver