many to many PAT

Unanswered Question
Mar 4th, 2013

Hi All,

Hope you are doing good. I am currently trying to configure PAT on our FWSM. There are a large number of hosts (four private /24 subnets) that need to be PATted, and they are ending up using all the ports that can be PATted via one IP address. Thus I am looking to place them behind 16 IP addresses. Below is my config, which isn't working correctly.

access-list PAT_HOSTS extended permit ip 192.168.1.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.2.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.3.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.4.0 255.255.255.0 any

nat (INSIDE1) 12 access-list PAT_HOSTS
nat (INSIDE2) 12 access-list PAT_HOSTS

global (OUTSIDE) 12 10.1.1.48-10.1.1.63 netmask 255.255.255.240

Could anybody please advise how I can achieve this?

Regards,

Nilesh

Jouni Forss Mon, 03/04/2013 - 09:42

Hi,

So what you are saying is that the single PAT IP address's ports are being exhausted and any following connections/hosts won't get a translation?

The reason why your new NAT configuration doesn't work is that you are using a NAT Pool. It just assigns a single NAT IP address to a single host. When it runs out of IP addresses you don't have any NAT IP addresses left. And this naturally happens fast with your setup. Even faster than using the single PAT IP address.

The solution would be to configure several "global" statements in the configuration.

Since you didn't provide the original configuration, I will make up a sample configuration of the Before and After situation.

Before

global (OUTSIDE) 12 interface
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

After

  • If your goal is to simply add 1 or more PAT addresses to address the problem of running out of ports, then you just add an additional "global" statement/configuration

global (OUTSIDE) 12 interface
global (OUTSIDE) 12 10.1.1.48
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

Also, typically in situations where you have a sufficient NAT Pool BUT it might run out of addresses occasionally, you could configure NAT Pool + PAT as an overload address for when the NAT Pool runs out.

The basic configuration format could be, for example:

global (OUTSIDE) 12 10.1.1.2-10.1.1.253
global (OUTSIDE) 12 10.1.1.254
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

Hope this helps

- Jouni
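The capacity difference between the questioner's 16-address pool and the PAT-based answers above, worked through as an added example (not from the thread or from Cisco): a small Python model in which each "global" line is either a dynamic NAT pool (one global IP per inside host, consumed first) or a PAT address (64512 ports, one per connection). The interface address 10.1.1.1 and the 80 connections per host are constructed assumptions.

```python
from ipaddress import IPv4Address

PAT_PORTS_PER_ADDRESS = 64512   # assumption: ports 1024-65535 usable per PAT address


def g(first, last=None):
    """Model one 'global (OUTSIDE) <id> ...' line as a (first, last) pair of integers.
    A single address (or 'interface') is a PAT address; a range is a dynamic NAT pool."""
    return (int(IPv4Address(first)), int(IPv4Address(last or first)))


def simulate(statements, hosts, conns_per_host):
    """Hosts come online one by one and each opens conns_per_host connections.
    Pool addresses are handed out first, then PAT ports. Returns (translated, failed)."""
    pool = [a for first, last in statements if first != last
            for a in range(first, last + 1)]
    pat_ports = {first: PAT_PORTS_PER_ADDRESS
                 for first, last in statements if first == last}
    ok = failed = 0
    for _ in range(hosts):
        if pool:                          # dynamic NAT: one global IP per inside host
            pool.pop(0)
            ok += 1
            continue
        addr = next((a for a, free in pat_ports.items()
                     if free >= conns_per_host), None)
        if addr is None:                  # no pool address and no PAT address with room
            failed += 1
        else:
            pat_ports[addr] -= conns_per_host
            ok += 1
    return ok, failed


HOSTS = 4 * 254   # four /24 subnets of hosts, as in the question
CONNS = 80        # constructed: average simultaneous connections per host

CONFIGS = {
    "single PAT (interface)": [g("10.1.1.1")],
    "16-address pool only (question)": [g("10.1.1.48", "10.1.1.63")],
    "interface + 10.1.1.48 PAT (first option)": [g("10.1.1.1"), g("10.1.1.48")],
    "pool .2-.253 + PAT .254 (second option)": [g("10.1.1.2", "10.1.1.253"), g("10.1.1.254")],
}


def results():
    """Run every configuration against the same host population."""
    return {name: simulate(stmts, HOSTS, CONNS) for name, stmts in CONFIGS.items()}


if __name__ == "__main__":
    for name, (ok, failed) in results().items():
        print(f"{name}: {ok} hosts translated, {failed} hosts failed")
```

With these numbers the pool-only configuration translates just 16 hosts, the single PAT address runs out after 806, and either of the two fixes covers all 1016.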

Posted March 4, 2013 at 9:36 AM