Cisco Support Community
Community Member

2 PAT IP configured on ASA 7.2(5)4

How does a Cisco ASA firewall with version 7.2(5)4 behave if we are using two PAT IPs for a wide source network?

nat(inside) 1

global(outside) 1

global(outside) 1

We can see from the firewall logs that one source IP from the network uses both PAT IPs going to the same destination, but in different sessions.

Although the user only accesses the internet link once.

Should the firewall first utilize the ports (from 1025-655535) before using

Or will the firewall use them randomly?


Super Bronze

Re: 2 PAT IP configured on ASA 7.2(5)4


Do notice that when a user loads a web page it doesn't form only one TCP connection. Not all of the content is loaded from a single server, so multiple TCP connections will be formed to load the complete page.

With regards to the Dynamic PAT,

It was my understanding originally that the ASA would use up the ports on the first PAT IP address configured and then the second PAT IP address. Judging by the output you have shared it would seem that the ASA does Round Robin with the 2 PAT IP addresses.

In the new ASA software levels configuring Dynamic PAT is a lot clearer as you are actually given clear options to choose how the Dynamic PAT or PAT pool behaves.

Here is a quote from an older Cisco ASA document about Dynamic NAT and PAT which to my eye seems to say that the first PAT IP address should be used first.

You can enter multiple global commands for one interface using the same NAT ID; the security appliance uses the dynamic NAT global commands first, in the order they are in the configuration, and then uses the PAT global commands in order. You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application, but want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports.

I marked the section in RED which seems to me to indicate that the Dynamic PAT address should be used in order.

- Jouni
