09-14-2013 02:44 AM - edited 03-11-2019 07:38 PM
Hi All
I have already set up a Dynamic PAT (manual NAT) for Internet traffic as follows:
object network obj_any-inside
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic obj_any-inside interface
Everything was good until I started to receive a NAT/PAT pool exhausted log message, since we had 65,000+ NAT xlates, so I decided to add another Dynamic PAT with a range of IP addresses without removing the original PAT:
object network obj-A.A.A.A-B.B.B.B
range A.A.A.A B.B.B.B
nat (inside,outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B round-robin
And the question:
Is this a valid configuration so that, if the first PAT gets exhausted, the next xlate will hit the second PAT (pool range) and start using A.A.A.A as the PAT address?
ASA5585-X-9.1# sh run nat
nat (inside,outside) source dynamic obj_any-inside interface
nat (inside,outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B round-robin
ASA5585-X-9.1# sh nat
2 (inside) to (outside) source dynamic obj_any-inside interface
translate_hits = 1204998, untranslate_hits = 68047
3 (inside) to (outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B round-robin
translate_hits = 0, untranslate_hits = 0
Thanks!!!
09-14-2013 03:20 AM
Hi,
I have to say that I have yet to reach a situation where I would have faced this problem, as in our environments with bigger customers (on our scale) there are usually different Dynamic PAT addresses assigned for different sections/users of the network.
What I think you could probably do is combine both of the proposed Dynamic PAT configurations into a single configuration line:
nat (inside,outside) after-auto source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface round-robin
I would imagine this would enable you to have both the range of PAT addresses in use and the "interface" IP address also as a PAT IP address.
If you don't want to remove the original one, I guess you could use a variant of the above command and add it with a priority/line number so it sits on top of the current Dynamic PAT rule. Though your current Dynamic PAT rules are Section 1 Twice NAT / Manual NAT rules, so I am kind of wondering how the rest of the NAT rules are built if you have these rules at such a high priority.
I used "after-auto" in the Twice NAT / Manual NAT configuration as I typically use the basic/default Dynamic PAT configuration at the very lowest priority so that it doesn't interfere with the operation of Static NAT/PAT or possibly some Policy type NAT/PAT configurations. I guess in your situation you would have to modify the above command to remove the "after-auto" and add a line number after the ")" to insert the rule on top of the current rules.
I guess there would be an option to change the "timeout pat-xlate 0:00:30" default value too, BUT again I have not tested this or had to use it myself to this day.
What exactly is the traffic that manages to consume your whole PAT port range? Are there a lot of users or a large number of connections from fewer hosts? Have you checked the "show nat pool" output while this was happening?
Maybe this configuration command might also help with your situation?
http://www.cisco.com/en/US/docs/security/asa/command-reference/wz.html#wp1837352
- Jouni
09-14-2013 03:31 AM
Thanks Jouni, let me try combining both. I haven't checked "show nat pool", and most of the traffic is Internet traffic, since this firewall is only for egress Internet for all users. I could say that is the only NAT/PAT that we are running on this box for now!!!!
09-14-2013 03:41 AM
Hi,
A quick test with a NAT pool configuration, where I had the 2 Dynamic NAT configuration lines below on my test firewall:
object network NAT1
range 1.1.1.1 1.1.1.2
object network NAT2
range 2.2.2.1 2.2.2.2
nat (WLAN,WAN) after-auto source dynamic any NAT1
nat (WLAN,WAN) after-auto source dynamic any NAT2
When I tested what would happen when exhausting the 2-IP-address range configured under "object network NAT1", what resulted was that the traffic coming from a third source address hit the same first NAT rule and NAT failed for it.
3RD SOURCE ADDRESS PACKET-TRACER
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WLAN,WAN) after-auto source dynamic any NAT1
Additional Information:
Result:
input-interface: WLAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
I am not sure if this will be the same for Dynamic PAT, as the above configuration that I mentioned was Dynamic NAT with 2 IP address pools.
I guess if Dynamic PAT ignores the following Dynamic PAT configurations in the same way, then I would suggest considering creating a single Dynamic PAT pool configuration, possibly adding the "interface" parameter as mentioned earlier.
Or you could create multiple Dynamic PAT rules, but rather than specifying ANY source address, divide your internal networks into "object network" or "object-group network" objects and give them their own Dynamic PAT IP address.
- Jouni
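A small model of the behaviour Jouni tested above, as an added example that is not part of the thread and not Cisco code. It simulates first-match NAT rule selection and per-address PAT port allocation with a deliberately tiny port budget (3 ports per PAT address instead of the real tens of thousands), so the exhaustion cases can be stepped through by hand. The PAT addresses, internal hosts, the assumption that a combined rule drains the pool addresses before falling back to the "interface" address, and the simplified port accounting are all assumptions of this example.

```python
"""Model of ASA-style first-match NAT rule lookup plus PAT port allocation.

Added example (not from the thread, not Cisco code). Simplifications:
 - ports_per_address stands in for the real PAT port ranges;
 - no per-protocol or per-destination (extended PAT) port reuse;
 - a combined 'pat-pool X interface' rule is modelled as pool first, interface
   last (assumption about fallback order, not verified against the ASA).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PatRule:
    """One 'nat (in,out) source dynamic <src> pat-pool <pool> [interface] [round-robin]' line."""
    name: str
    source: str                 # CIDR the rule matches on; 0.0.0.0/0 == obj_any-inside
    pat_addresses: list         # PAT IPs in allocation order
    round_robin: bool = False
    translate_hits: int = 0     # mirrors the counter in 'show nat'


class AsaPat:
    """First matching rule wins; a later rule is never consulted, even if the
    first one has no free ports left (this is the nat-xlate-failed case)."""

    def __init__(self, rules, ports_per_address):
        self.rules = rules
        self.ports_per_address = ports_per_address
        self.used = {}       # pat_ip -> ports handed out
        self.rr_next = {}    # rule name -> next round-robin start index

    def _alloc(self, rule):
        addrs = rule.pat_addresses
        if rule.round_robin:
            start = self.rr_next.get(rule.name, 0)
            order = addrs[start:] + addrs[:start]      # rotate starting point per xlate
            self.rr_next[rule.name] = (start + 1) % len(addrs)
        else:
            order = addrs                              # drain each address before the next
        for ip in order:
            if self.used.get(ip, 0) < self.ports_per_address:
                self.used[ip] = self.used.get(ip, 0) + 1
                return ip
        return None                                    # every address in the rule is exhausted

    def translate(self, src):
        """Return (rule_name, pat_ip); pat_ip is None when the xlate fails."""
        for rule in self.rules:
            if ip_address(src) in ip_network(rule.source):
                rule.translate_hits += 1
                return rule.name, self._alloc(rule)
        return None, None


def two_overlapping_any_rules():
    """The original poster's config: two rules that both match 'any'.
    The second rule never receives a hit; overflow hosts simply fail."""
    rules = [
        PatRule("interface", "0.0.0.0/0", ["203.0.113.1"]),                           # constructed
        PatRule("pool", "0.0.0.0/0", ["203.0.113.10", "203.0.113.11"], round_robin=True),
    ]
    asa = AsaPat(rules, ports_per_address=3)
    results = [asa.translate(f"10.0.0.{i}")[1] for i in range(1, 6)]   # 5 hosts, 3 ports
    return results, rules[0].translate_hits, rules[1].translate_hits


def combined_pool_and_interface():
    """Jouni's suggestion: a single rule carrying the pool and the interface
    address, so exhaustion of one address spills to the next one in the rule."""
    rule = PatRule("combined", "0.0.0.0/0", ["203.0.113.10", "203.0.113.11", "203.0.113.1"])
    asa = AsaPat([rule], ports_per_address=3)
    return [asa.translate(f"10.0.0.{i}")[1] for i in range(1, 10)]


def round_robin_pool():
    """round-robin alternates across pool addresses instead of draining one first."""
    rule = PatRule("rr", "0.0.0.0/0", ["203.0.113.10", "203.0.113.11"], round_robin=True)
    asa = AsaPat([rule], ports_per_address=2)
    return [asa.translate(f"10.0.0.{i}")[1] for i in range(1, 6)]


def per_subnet_rules():
    """Jouni's alternative: distinct source objects, each with its own PAT address."""
    rules = [
        PatRule("users", "10.1.0.0/16", ["203.0.113.20"]),
        PatRule("servers", "10.2.0.0/16", ["203.0.113.21"]),
    ]
    asa = AsaPat(rules, ports_per_address=3)
    return asa.translate("10.1.5.5"), asa.translate("10.2.7.7"), asa.translate("172.16.0.1")


if __name__ == "__main__":
    print(two_overlapping_any_rules())
    print(combined_pool_and_interface())
    print(round_robin_pool())
    print(per_subnet_rules())
```

The first function reproduces the symptom in the thread: once the interface address is out of ports the fourth and fifth hosts get no translation at all, while the second "any" rule's translate_hits stays at zero, exactly as in the poster's "show nat" output. The combined rule and the per-subnet rules are the two fixes Jouni proposes; which address order the real ASA uses when a rule lists both a pool and "interface" is an assumption here and should be confirmed with "show nat pool" on the box.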
09-14-2013 04:34 AM
thanks again Jouni
Now I'm using the following configs, and it seems to be working as expected. Now I only need to wait to exhaust the "interface" PAT address in order to confirm that it uses the next PAT address defined in the range:
object network obj_any-inside
subnet 0.0.0.0 0.0.0.0
object network obj-A.A.A.A-B.B.B.B
range A.A.A.A B.B.B.B
nat (inside,outside) after-auto source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface
translate_hits = 19728, untranslate_hits = 5854
By the way, the xlates are hitting the "interface" outside; I was looking for that.
Thanks!!!