05-20-2010 08:51 AM - edited 03-08-2019 06:33 PM
Starting in version 8.4, the concept of the 'pat-pool' command was introduced. This document describes how PAT ports are allocated prior to version 8.4.
The ASA and PIX divide the PAT port allocation range into three pools: 1-511, 512-1023, and 1024-65535 (the ranges reported by 'show nat pool' below).
Before CSCsr28008, the firewall looked at the source port of the outbound packet and built a PAT xlate using that same source port if it was available. If that port was already in use (previously allocated by the firewall), it allocated the next free xlate port residing in the same pool as the packet's source port. The firewall allocated PAT xlates sequentially from the appropriate pool range on the first available global IP address. When a new xlate needed to be built, it took the next sequential port available in the appropriate range (even if a previously used port had since been freed). It continued to allocate new xlates sequentially; once it hit 65535, it went back (or "wrapped") to the beginning of the appropriate pool on the same global IP to check for a free xlate and used one if it was found. If no free xlate was available in that port range, it moved to the next global IP address, attempted to allocate the same source port xlate there, and restarted the process. Therefore, the entire xlate pool for a particular port range had to be completely exhausted before the firewall would move to the next global IP.
After CSCsr28008, the firewall still has the concept of source port ranges and picks a global port from the matching range on the global IP. When the firewall needs to build a new PAT xlate, it chooses a random port from within the range of the global IP's PAT pool that matches the source port and checks whether it is available. If not, it checks each subsequent port in that global range to find a free one to use. If it reaches the end of the pool range without finding a free xlate, it wraps to the beginning of the global IP PAT list and continues to search sequentially for a free global xlate port. If none is found, the firewall moves to the next global IP and starts over there.
The key difference between this global PAT pool choice algorithm and the one used before CSCsr28008 is that the ASA now effectively randomizes the global PAT port it chooses.
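As an added illustration (not Cisco's code and not part of the original document), here is a small Python model of the post-CSCsr28008 allocation just described: pool selection by source port, a random start port, a sequential scan that wraps within the range, a move to the next global IP, and the failure once the matching range is full on every global IP. The global IP list, the seed and the source port values are assumed inputs.

```python
import random

# PAT source-port ranges of the ASA/PIX (the ranges "show nat pool" reports).
POOLS = [(1, 511), (512, 1023), (1024, 65535)]


def pool_for(port):
    """Return the (low, high) range that contains a source port."""
    for low, high in POOLS:
        if low <= port <= high:
            return low, high
    raise ValueError("port out of range: %d" % port)


class PatAllocator:
    """Model of the post-CSCsr28008 global port choice; global_ips is the
    ordered list of mapped addresses (assumed input), in_use the live xlates."""

    def __init__(self, global_ips, rng=None):
        self.global_ips = list(global_ips)
        self.in_use = set()          # (global_ip, global_port) pairs
        self.rng = rng or random.Random()

    def allocate(self, src_port):
        """Return (global_ip, global_port), or None when creation fails."""
        low, high = pool_for(src_port)
        size = high - low + 1
        for ip in self.global_ips:
            # random start inside the matching range, then a sequential scan
            # that wraps to the start of the range before trying the next IP
            start = self.rng.randint(low, high)
            for i in range(size):
                port = low + (start - low + i) % size
                if (ip, port) not in self.in_use:
                    self.in_use.add((ip, port))
                    return ip, port
        return None  # range exhausted on every global IP: %ASA-3-305006

    def allocated(self, ip, low, high):
        """Count like 'show nat pool ... allocated N' for one range."""
        return sum(1 for g, p in self.in_use if g == ip and low <= p <= high)


def exhaust_low_range(global_ip="172.18.254.146"):
    """511 flows with low source ports fill range 1-511; the 512th fails even
    though 512-1023 and 1024-65535 are empty. Returns (ok, last, used)."""
    pat = PatAllocator([global_ip], random.Random(1))
    results = [pat.allocate(129) for _ in range(512)]
    return sum(r is not None for r in results), results[-1], pat.allocated(global_ip, 1, 511)
```

Running exhaust_low_range() reproduces the 'allocated 511' state from the 'show nat pool' output below: 511 translations succeed and the 512th returns None while the other two ranges sit empty.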
If the firewall's global port range is exhausted and no other global IP has an open port in that range, the firewall fails to create the translation; for TCP it sends a reset packet back to the inside host, and the connection fails. Here is an example:
jajohnst-5505# show nat pool
TCP PAT pool 172net, address 172.18.254.146, range 1-511, allocated 511 <------ pool exhausted
TCP PAT pool 172net, address 172.18.254.146, range 512-1023, allocated 0
TCP PAT pool 172net, address 172.18.254.146, range 1024-65535, allocated 38
Syslogs showing the allocation failing:
Mar 05 2010 12:07:50: %ASA-3-305006: portmap translation creation failed for tcp src 14net:14.36.103.220/129 dst 172net:172.18.124.187/80
Mar 05 2010 12:07:51: %ASA-3-305006: portmap translation creation failed for tcp src 14net:14.36.103.220/130 dst 172net:172.18.124.187/80
Note that starting in version 8.3, we have commands to help gain visibility into the utilization of the different ranges available on a global PAT IP:
jajohnst-5505# show nat pool
UDP PAT pool 14net, address 14.36.103.88, range 1-511, allocated 8
UDP PAT pool 14net, address 14.36.103.88, range 512-1023, allocated 0
UDP PAT pool 14net, address 14.36.103.88, range 1024-65535, allocated 7
TCP PAT pool 14net, address 14.36.103.88, range 1-511, allocated 1
TCP PAT pool 14net, address 14.36.103.88, range 512-1023, allocated 0
TCP PAT pool 14net, address 14.36.103.88, range 1024-65535, allocated 1
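An added operational check (not from the document or Cisco): parse 'show nat pool' output to find ranges that are at or near capacity, and pull %ASA-3-305006 events out of syslog so each failed translation can be tied back to the source port range that was full. The sample lines are constructed from the output shown on this page.

```python
import re

# Constructed sample input, modelled on the "show nat pool" and syslog lines above.
SHOW_NAT_POOL = """\
TCP PAT pool 172net, address 172.18.254.146, range 1-511, allocated 511
TCP PAT pool 172net, address 172.18.254.146, range 512-1023, allocated 0
TCP PAT pool 172net, address 172.18.254.146, range 1024-65535, allocated 38
UDP PAT pool 14net, address 14.36.103.88, range 1-511, allocated 8
"""
SYSLOG = """\
Mar 05 2010 12:07:50: %ASA-3-305006: portmap translation creation failed for tcp src 14net:14.36.103.220/129 dst 172net:172.18.124.187/80
Mar 05 2010 11:06:09: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/297 to 172net:172.18.254.146/4
"""

POOL_RE = re.compile(r"^(?P<proto>TCP|UDP) PAT pool (?P<iface>\S+), address (?P<ip>[\d.]+), "
                     r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<used>\d+)$")
FAIL_RE = re.compile(r"%ASA-3-305006: portmap translation creation failed for (?P<proto>\w+) "
                     r"src (?P<src>\S+) dst (?P<dst>\S+)")

def parse_pools(text):
    """One dict per 'show nat pool' line, with free slots and utilization."""
    pools = []
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        lo, hi, used = int(m["lo"]), int(m["hi"]), int(m["used"])
        size = hi - lo + 1
        pools.append({"proto": m["proto"], "ip": m["ip"], "range": (lo, hi),
                      "used": used, "free": size - used, "util": used / size})
    return pools

def exhausted_pools(text, threshold=0.9):
    """Ranges at or above `threshold` utilization. A flow whose source port
    falls in such a range only succeeds if another global IP still has room."""
    return [p for p in parse_pools(text) if p["util"] >= threshold]

def failed_xlates(text):
    """%ASA-3-305006 events: connections that failed because no global port
    was free in the range matching their source port."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            host, port = m["src"].rsplit("/", 1)
            out.append({"proto": m["proto"], "src": host, "src_port": int(port),
                        "dst": m["dst"]})
    return out
```

Because the 1-511 range is so small, a utilization alert on it fires long before the 1024-65535 range shows any pressure, which is exactly the case the failing syslogs above illustrate.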
And some syslogs showing the firewall allocating ports in different ranges:
From an ASA running 8.3(1)
range 1-511
Mar 05 2010 11:06:09: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/297 to 172net:172.18.254.146/4
Mar 05 2010 11:06:10: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/298 to 172net:172.18.254.146/403
Mar 05 2010 11:06:11: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/299 to 172net:172.18.254.146/455
Mar 05 2010 11:06:12: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/300 to 172net:172.18.254.146/55
Mar 05 2010 11:06:13: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/301 to 172net:172.18.254.146/449
Mar 05 2010 11:06:14: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/302 to 172net:172.18.254.146/430
Mar 05 2010 11:06:15: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/303 to 172net:172.18.254.146/3
Mar 05 2010 11:06:16: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/304 to 172net:172.18.254.146/299
Mar 05 2010 11:06:17: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/305 to 172net:172.18.254.146/49
range 512-1023
Mar 05 2010 11:06:59: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1003 to 172net:172.18.254.146/638
Mar 05 2010 11:07:00: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1004 to 172net:172.18.254.146/964
Mar 05 2010 11:07:01: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1005 to 172net:172.18.254.146/951
Mar 05 2010 11:07:02: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1006 to 172net:172.18.254.146/529
Mar 05 2010 11:07:03: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1007 to 172net:172.18.254.146/738
Mar 05 2010 11:07:04: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1008 to 172net:172.18.254.146/584
Mar 05 2010 11:07:05: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1009 to 172net:172.18.254.146/537
range 1024-65535
Mar 05 2010 11:07:20: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1024 to 172net:172.18.254.146/55241
Mar 05 2010 11:07:21: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1025 to 172net:172.18.254.146/59923
Mar 05 2010 11:07:22: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1026 to 172net:172.18.254.146/28390
Mar 05 2010 11:07:23: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1027 to 172net:172.18.254.146/58459
Mar 05 2010 11:07:24: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1028 to 172net:172.18.254.146/31421
Mar 05 2010 11:07:25: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1029 to 172net:172.18.254.146/25290
Mar 05 2010 11:07:26: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1030 to 172net:172.18.254.146/27633
Mar 05 2010 11:07:27: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1031 to 172net:172.18.254.146/39090
Mar 05 2010 11:07:28: %ASA-6-305011: Built dynamic TCP translation from 14net:14.36.103.220/1032 to 172net:172.18.254.146/55198
We see the same behavior from an ASA running 8.2(2):
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/95 to 124net:172.18.124.234/208
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/96 to 124net:172.18.124.234/460
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/97 to 124net:172.18.124.234/296
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/98 to 124net:172.18.124.234/416
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/99 to 124net:172.18.124.234/309
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/100 to 124net:172.18.124.234/401
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/900 to 124net:172.18.124.234/595
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/901 to 124net:172.18.124.234/718
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/902 to 124net:172.18.124.234/626
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/903 to 124net:172.18.124.234/779
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2000 to 124net:172.18.124.234/65251
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2001 to 124net:172.18.124.234/13638
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2002 to 124net:172.18.124.234/31624
%ASA-6-305011: Built dynamic TCP translation from 36net:14.36.103.220/2003 to 124net:172.18.124.234/42485
Jay, great document. Is there a way of making this work with protocols that have specific source port requirements? EG Checkpoint VPN negotiation uses UDP/259 for both source and destination ports. The randomization of the source port as it passes through the PAT process seems to break the negotiation. Is there a workaround for getting these protocols to work in a PAT environment?
Daniel,
Unfortunately, with PAT on the ASA the source-port change is always enabled, and cannot be disabled. Your only workaround is to configure a static one-to-one translation for the inside vpn hosts (so no PAT), which would preserve the source port of the translation.
- Jay
I'll agree, great document. We've recently migrated a customer from a FWSM to an ASA. This customer uses the above mentioned VPN client. Now we are running into the problem that this customer can create ~500 VPN tunnels through the ASA since the mapping is done from the first port pools. The FWSM could handle several thousand patted VPN tunnels before.
Also the manual describes it a little bit differently, but I believe Jay's document is more accurate.
PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
What the manual doesn't explain is that this is only true for user/high ports.
One option to extend this would be adding additional PAT addresses, which we would like to avoid. Is there a chance to modify this behaviour so that the PAT port will be chosen from all pools, or at least from the biggest pool?
Oliver
Hey Oliver,
You're right, at this time the only option is to add an additional PAT port to the pool, which would add another 511 available translation slots. Your feedback regarding the feature is noted.
We have an open enhancement request that would help the global pool range become configurable, so you could modify the pool ranges. You can talk to your Cisco Account Team about this enhancement and they can work to prioritize the feature in a later release.
CSCtg99361 - ENH: PAT global port ranges should be configurable
Sincerely,
Jay
Hi Jay,
Thanks for that. I'll do so.
Best regards
Oliver