03-04-2013 09:36 AM - edited 03-11-2019 06:09 PM
Hi All,
Hope you are doing good. I am currently trying to configure PAT on our FWSM. There are a large number of hosts (four private /24 subnets) that need to be PATted, and they are ending up using all the ports that can be PATted via one IP address. Thus I am looking to place them behind 16 IP addresses. Below is my config, which isn't working correctly.
access-list PAT_HOSTS extended permit ip 192.168.1.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.2.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.3.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.4.0 255.255.255.0 any
nat (INSIDE1) 12 access-list PAT_HOSTS
nat (INSIDE2) 12 access-list PAT_HOSTS
global (OUTSIDE) 12 10.1.1.48-10.1.1.63 netmask 255.255.255.240
Could anybody please advise how I can achieve this?
Regards,
Nilesh
03-04-2013 09:42 AM
Hi,
So what you are saying is that the single PAT IP address's ports are being exhausted and any following connections/hosts won't get a translation?
The reason why your new NAT configuration doesn't work is that you are using a NAT pool. It just assigns a single NAT IP address to a single host. When it runs out of IP addresses you don't have any NAT IP addresses left. And this naturally happens fast with your setup. Even faster than using the single PAT IP address.
The solution would be to configure several "global" statements in the configuration.
Since you didn't provide the original configuration, I will make up a sample configuration of the Before and After situation.
Before
global (OUTSIDE) 12 interface
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0
After
global (OUTSIDE) 12 interface
global (OUTSIDE) 12 10.1.1.48
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0
Also, typically in situations where you have a sufficient NAT pool BUT it might run out of addresses occasionally, you could configure NAT pool + PAT as an overload address for when the NAT pool runs out.
Basic configuration format could be, for example:
global (OUTSIDE) 12 10.1.1.2-10.1.1.253
global (OUTSIDE) 12 10.1.1.254
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0
Hope this helps
- Jouni
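To make the difference between the two kinds of "global" statement concrete, here is a small Python model of the allocation behaviour the answer describes. It is added to this thread as an illustration; it is not Cisco code and not either poster's configuration. Assumptions (also marked in the code): a range in a global statement is a dynamic NAT pool where one inside host takes one whole outside address; a single address (or "interface") is a PAT address with 64512 usable source ports (1024-65535); pools are tried before PAT addresses, so a PAT address acts as overload once the pool is empty; the helper names (expand, Translator, simulate, inside_hosts) are the model's own.

```python
"""
Toy allocator modelling FWSM 'global' behaviour for one nat id.
Added illustration, not Cisco code. Simplifications (assumptions):
  - a range ('10.1.1.48-10.1.1.63') is a dynamic NAT pool: one inside host
    owns one outside address for all of its connections;
  - a single address, or 'interface', is a PAT address: every connection
    consumes one source port, PAT_PORTS_PER_ADDR ports per address;
  - pools are tried before PAT addresses (PAT = overload once the pool is
    empty); addresses within a kind are used in configured order.
"""
from __future__ import annotations
from ipaddress import ip_address
from typing import Optional

PAT_PORTS_PER_ADDR = 65535 - 1024 + 1  # assumption: 64512 usable ports per PAT address


def expand(spec: str) -> list[str]:
    """'10.1.1.48-10.1.1.63' -> every address in the range; otherwise [spec]."""
    if "-" not in spec:
        return [spec]
    lo, hi = (int(ip_address(p)) for p in spec.split("-", 1))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]


class Translator:
    """Models the global statements that share one nat id (e.g. 'nat ... 12')."""

    def __init__(self, global_specs: list[str]):
        self.pool_free: list[str] = []
        self.pat_used: dict[str, int] = {}
        for spec in global_specs:
            addrs = expand(spec)
            if len(addrs) > 1:
                self.pool_free.extend(addrs)      # dynamic NAT pool
            else:
                self.pat_used[addrs[0]] = 0       # PAT address (incl. 'interface')
        self.pool_map: dict[str, str] = {}        # inside host -> its pool address

    def translate(self, host: str) -> Optional[str]:
        """Outside address for one new connection from host, or None if dropped."""
        if host in self.pool_map:                 # host already owns a pool address
            return self.pool_map[host]
        if self.pool_free:                        # pool first ...
            addr = self.pool_free.pop(0)
            self.pool_map[host] = addr
            return addr
        for addr, used in self.pat_used.items():  # ... then PAT overload, in order
            if used < PAT_PORTS_PER_ADDR:
                self.pat_used[addr] = used + 1
                return addr
        return None                               # nothing left: connection fails


def inside_hosts(subnets: list[str]) -> list[str]:
    """All host addresses (.1-.254) of the given /24 networks, e.g. '192.168.1.0'."""
    hosts = []
    for net in subnets:
        base = int(ip_address(net))
        hosts += [str(ip_address(base + i)) for i in range(1, 255)]
    return hosts


def simulate(global_specs: list[str], hosts: list[str], conns_per_host: int) -> dict:
    """Run every host's connections through the allocator and summarise the outcome."""
    t = Translator(global_specs)
    translated = dropped = hosts_without = 0
    for h in hosts:
        got = [t.translate(h) for _ in range(conns_per_host)]
        ok = sum(1 for g in got if g is not None)
        translated += ok
        dropped += conns_per_host - ok
        if ok == 0:
            hosts_without += 1
    return {
        "translated": translated,
        "dropped": dropped,
        "hosts_without_translation": hosts_without,
        "pool_hosts": len(t.pool_map),
        "pat_ports_used": dict(t.pat_used),
    }


SUBNETS = ["192.168.1.0", "192.168.2.0", "192.168.3.0", "192.168.4.0"]  # the four /24s from the question

if __name__ == "__main__":
    hosts = inside_hosts(SUBNETS)  # 1016 hosts
    # The question's config: a 16-address range is a pool, so only 16 hosts ever translate.
    print(simulate(["10.1.1.48-10.1.1.63"], hosts, 10))
    # The answer's 'After': two PAT addresses; the second is used once the first runs out of ports.
    print(simulate(["interface", "10.1.1.48"], hosts, 100))
    # Pool plus PAT overload: 252 hosts get pool addresses, the rest share 10.1.1.254.
    print(simulate(["10.1.1.2-10.1.1.253", "10.1.1.254"], hosts, 10))
```

Running it shows why the original configuration stalls after 16 hosts (1000 of the 1016 hosts get no translation at all), while two PAT addresses cover roughly 129,000 concurrent connections and the pool-plus-overload form hands the first 252 hosts dedicated addresses and still translates everyone else. Real devices also time out idle translations and may reserve some ports, so treat the counts as an upper bound rather than a capacity plan.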