Cisco Support Community
fly
Community Member

Can I configure the same inside IP to translate to one same outside IP when using multiple PAT global IP addresses?

global (outside) 1 103.191.12.3-203.192.13.34

global (outside) 1 103.191.12.1

global (outside) 1 103.191.12.2

nat (inside) 1 10.20.216.0 255.255.255.0

nat (inside) 1 10.20.217.0 255.255.255.0

nat (inside) 1 10.20.176.0 255.255.252.0

nat (inside) 1 10.20.180.0 255.255.252.0

nat (inside) 1 10.20.220.0 255.255.252.0

From the config, the same inside IP may translate to different outside global IP addresses. That causes a problem when visiting some web sites that use src/dst load balancing.

I know I can split these IP addresses into different groups, one group using one outside global IP address. But this is not perfect: when one outside global address runs out, we must re-split the inside IP addresses.

Is there any perfect way to configure this situation?

Thank you!

3 REPLIES
fly
Community Member

Can i config same inside ip translate to one same outside ip whe

No one answers me?

Community Member

Re: Can i config same inside ip translate to one same outside ip

Hello,

I'm not exactly sure what the question is. Are you asking how you can minimize the differences in the outside IP address?

If that's the case, you might remember that the following statement doesn't use PAT. It will translate one host per outside IP listed (one host to .3, another to .4, etc., until it reaches .34).

"global (outside) 1 103.191.12.3-203.192.13.34"

If you separate this statement into the following, the ASA will translate to one single address until that is full (using PAT) and will then move on to the next one:

"

global (outside) 1 103.191.12.3

global (outside) 1 103.191.12.4

. . .

"

Hope this helps!

Joey

fly
Community Member

Re: Can i config same inside ip translate to one same outside ip

Hi Joey,

Thank you!

I configured multiple PAT addresses in the same group (group number is 1):


global (outside) 1 103.191.12.3-203.192.13.34

global (outside) 1 103.191.12.1

global (outside) 1 103.191.12.2

 

global (outside) 1 has two PAT addresses, 103.191.12.1 and 103.191.12.2.

One inside computer, A, visits the Internet. Computer A has the internal IP address 10.20.216.235.

When there are many users in the inside network, PAT kicks in. When computer A visits a bank web site on the Internet (HTTPS), I found the computer may establish 6 connections. These 6 connections use PAT, and I found the ASA translates 10.20.216.235 to different PAT global addresses.

For example:

   

ASA# show conn | i 10.20.216.235 

TCP outside 123.127.121.2:443 inside 10.20.216.235:1835, idle 0:00:11, bytes 6792, flags UIO

TCP outside 123.127.121.2:443 inside 10.20.216.235:1831, idle 0:00:11, bytes 2141, flags UIO


//123.127.121.2 is bank address

ASA# show xlate | i 10.20.216.235
PAT Global 103.191.12.1(36566) Local 10.20.216.235(1835)
PAT Global 103.191.12.2(65108) Local 10.20.216.235(1831)

From the above you can see that when inside users have many connections to the Internet (there are 2000 computers), PAT kicks in. Computer A (10.210.216.235) established two connections to the bank web server, but the ASA translated 10.20.216.235 to two different PAT global addresses for these two connections coming from the same inside IP address.

This is normal for PAT, but it brings a problem: because the bank web site uses src/dst load balancing, these two connections are load balanced to two different web servers, because the src IP address is different. I can't modify the bank web site.

How can I configure the ASA to translate 10.20.216.235 to the same PAT global address, not round robin?

Thank you!
Tom
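
A check for the behaviour shown in the `show xlate` output above, as an added example that is not part of the original thread: it parses PAT xlate lines in the format posted and lists inside addresses currently mapped to more than one PAT global address. The function names and the 10.20.217.10 sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the xlate line format shown in the thread, e.g.
# "PAT Global 103.191.12.1(36566) Local 10.20.216.235(1835)"
XLATE_RE = re.compile(
    r"^\s*PAT Global (?P<gip>\d{1,3}(?:\.\d{1,3}){3})\((?P<gport>\d+)\)\s+"
    r"Local (?P<lip>\d{1,3}(?:\.\d{1,3}){3})\((?P<lport>\d+)\)"
)

def parse_xlate(text):
    """Return (global_ip, global_port, local_ip, local_port) for each PAT line."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:  # skip prompts, blank lines and non-PAT entries
            entries.append((m["gip"], int(m["gport"]), m["lip"], int(m["lport"])))
    return entries

def split_hosts(text):
    """Map each inside IP that uses more than one PAT global IP to those globals."""
    by_local = defaultdict(set)
    for gip, _gport, lip, _lport in parse_xlate(text):
        by_local[lip].add(gip)
    return {lip: sorted(gips) for lip, gips in by_local.items() if len(gips) > 1}

# The two 10.20.216.235 lines are from the thread; the 10.20.217.10 lines
# are constructed to show a host that stays on a single global address.
SAMPLE = """\
ASA# show xlate
PAT Global 103.191.12.1(36566) Local 10.20.216.235(1835)
PAT Global 103.191.12.2(65108) Local 10.20.216.235(1831)
PAT Global 103.191.12.1(40211) Local 10.20.217.10(2050)
PAT Global 103.191.12.1(40212) Local 10.20.217.10(2051)
"""

if __name__ == "__main__":
    for host, pat_globals in split_hosts(SAMPLE).items():
        print(f"{host} is translated to multiple PAT globals: {', '.join(pat_globals)}")
```
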
