many to many PAT

nileshrathi
Level 1

Hi All,

Hope you are doing good. I am currently trying to configure PAT on our FWSM. There are a large number of hosts (four private /24 subnets) that need to be PATted, and they are ending up using all the ports that can be PATted via one IP address. Thus I am looking to place them behind 16 IP addresses. Below is my config, which isn't working correctly.

access-list PAT_HOSTS extended permit ip 192.168.1.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.2.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.3.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.4.0 255.255.255.0 any
nat (INSIDE1) 12 access-list PAT_HOSTS
nat (INSIDE2) 12 access-list PAT_HOSTS
global (OUTSIDE) 12 10.1.1.48-10.1.1.63 netmask 255.255.255.240

Could anybody please advise how I can achieve this?

Regards,

Nilesh


Jouni Forss
VIP Alumni

Hi,

So what you are saying is that the single PAT IP address's ports are being exhausted and any following connections/hosts won't get a translation?

The reason why your new NAT configuration doesn't work is that you are using a NAT Pool. It just assigns a single NAT IP address to a single host. When it runs out of IP addresses you don't have any NAT IP addresses left. And this naturally happens fast with your setup. Even faster than using the single PAT IP address.

The solution would be to configure several "global" statements in the configuration.

Since you didn't provide the original configuration, I will make up a sample configuration of the Before and After situation.

Before

global (OUTSIDE) 12 interface
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

After

  • If your goal is to simply add 1 or more PAT addresses to address the problem of running out of ports, then you just add an additional "global" statement/configuration

global (OUTSIDE) 12 interface
global (OUTSIDE) 12 10.1.1.48
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

Also, typically in situations where you have a sufficient NAT Pool BUT it might run out of addresses occasionally, you could configure NAT Pool + PAT as an overload address for when the NAT Pool runs out.

The basic configuration format could be, for example:

global (OUTSIDE) 12 10.1.1.2-10.1.1.253
global (OUTSIDE) 12 10.1.1.254
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

Hope this helps

- Jouni
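To make the reply's point concrete, here is an added Python model (not from the thread or from Cisco) of how an FWSM-style nat/global pair hands out translations: a dynamic NAT pool gives one global address per inside host, while a PAT address gives one port per flow, and globals with the same ID are tried in configured order. It runs the original 16-address pool, the reply's two-PAT "After" config, and the pool-plus-overload config against roughly 1024 inside hosts (four /24s). The usable port count per PAT address and the host/flow numbers are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

PAT_PORTS_PER_IP = 64512  # assumption: ports 1024-65535 usable per PAT address

def expand(spec):
    """'10.1.1.48-10.1.1.63' -> the 16 addresses; a single address -> [it]."""
    first, _, last = spec.partition("-")
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last or first))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

@dataclass
class Global:
    """One 'global (OUTSIDE) <id> ...' line: a dynamic NAT pool or a PAT address."""
    addresses: list
    pat: bool                                    # True for a single-address / interface PAT
    pool_used: set = field(default_factory=set)  # inside hosts holding a 1:1 pool slot
    pat_flows: int = 0                           # flows translated through the PAT address(es)
    def translate(self, host):
        if self.pat:                             # PAT: one port per flow, per address
            if self.pat_flows < len(self.addresses) * PAT_PORTS_PER_IP:
                self.pat_flows += 1
                return True
            return False
        # dynamic NAT pool: one global address per inside host, nothing left once all are taken
        if host in self.pool_used or len(self.pool_used) < len(self.addresses):
            self.pool_used.add(host)
            return True
        return False

def simulate(globals_, n_hosts, flows_per_host):
    """(translated, failed) flows; globals are tried in configured order, so a PAT after a pool is the overload."""
    ok = failed = 0
    for host in range(n_hosts):                  # constructed: host ids stand in for inside IPs
        for _ in range(flows_per_host):
            if any(g.translate(host) for g in globals_):
                ok += 1
            else:
                failed += 1
    return ok, failed

def compare(n_hosts=1024, flows_per_host=10):
    """Four /24s of inside hosts against the three configurations discussed in the thread."""
    pool_only = [Global(expand("10.1.1.48-10.1.1.63"), pat=False)]                # original post
    two_pat = [Global(["interface"], pat=True), Global(["10.1.1.48"], pat=True)]  # "After"
    pool_plus_pat = [Global(expand("10.1.1.2-10.1.1.253"), pat=False),
                     Global(["10.1.1.254"], pat=True)]                             # pool + overload
    return {"pool_only": simulate(pool_only, n_hosts, flows_per_host),
            "two_pat": simulate(two_pat, n_hosts, flows_per_host),
            "pool_plus_pat": simulate(pool_plus_pat, n_hosts, flows_per_host)}
```

With the defaults, the pool-only config translates only 16 hosts (160 flows) and drops the other 10080, while both of the reply's configurations translate all 10240 flows.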
