Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1937
Views
0
Helpful
4
Replies

Dynamic PAT 9.1(x)

Go to solution
asotres
Level 1
Level 1

‎09-14-2013 02:44 AM - edited ‎03-11-2019 07:38 PM

Hi All

I have already set up a Dynamic PAT ( manual NAT) for Internet traffic as follows:

object network obj_any-inside

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) source dynamic obj_any-inside interface

Everything was good until,  I started to receive a NAT/PAT pool exhausted log message since we had 65,000 + NAT xlates, so I decided to add another Dynamic PAT with a range of ip adddresses without removing the original PAT

object network obj-A.A.A.A-B.B.B.B
range A.A.A.A B.B.B.B

nat (inside,outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B round-robin

And the question:

= Is this is a valid configuration in order to,  if the first PAT get exhausted the next xlate will hit the second PAT ( Pool range)  and start using the A.A.A.A as PAT address?

ASA5585-X-9.1# sh run nat

nat (inside,outside) source dynamic obj_any-inside interface

nat (inside,outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B round-robin

ASA5585-X-9.1# sh nat

2 (inside) to (outside) source dynamic obj_any-inside interface

    translate_hits = 1204998, untranslate_hits = 68047

3 (inside) to (outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B round-robin

    translate_hits = 0, untranslate_hits = 0

Thanks!!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎09-14-2013 03:20 AM

Hi,

I have to say that I have yet to reach a situation where I would  have faced this problem as in our environments with bigger customer (on our scale) there is usually different Dynamic PAT addresses assigned for different sections/users of the network.

What I think you could probably do is combine both of the proposed Dynamic PAT configurations into a single configuration line

nat (inside,outside) after-auto source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface round-robin

I would imagine this would enable to have both the range of PAT-addresses in use and the "interface" IP address also as a PAT IP address.

If you dont want to remove the original one I guess you could use a variant of the above command and add it with a priority/line number so it sits on top of the current Dynamic PAT rule. Though your current Dynamic PAT rules are Section 1 Twice NAT / Manual NAT rules so I am kind of wondering how the rest of the NAT rules are built if you have these rules at such a high priority.

I used the "after-auto" in the Twice NAT / Manual NAT configuration as I typically use the basic/default Dynamic PAT configuration at the very lowest priority so that they dont interfere with the operation of Static NAT/PAT or possibly some Policy type NAT/PAT configurations. I guess in your situation you would have to modify the above command to remove the "after-auto" and add a line number after the ")" to insert the rule on top of the current rules.

I guess there would be an option to change the "timeout pat-xlate 0:00:30" default value too BUT again I have not tested this or had to use it myself to this day.

What exactly is the traffic that manages to consume your whole PAT port range? Is there a lot of users or large amount of connections from fewer hosts? Have you checked the "show nat pool" output while this was happenning?

Maybe this configuration command might also help with your situation?

http://www.cisco.com/en/US/docs/security/asa/command-reference/wz.html#wp1837352

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎09-14-2013 03:20 AM

Hi,

I have to say that I have yet to reach a situation where I would  have faced this problem as in our environments with bigger customer (on our scale) there is usually different Dynamic PAT addresses assigned for different sections/users of the network.

What I think you could probably do is combine both of the proposed Dynamic PAT configurations into a single configuration line

nat (inside,outside) after-auto source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface round-robin

I would imagine this would enable to have both the range of PAT-addresses in use and the "interface" IP address also as a PAT IP address.

If you dont want to remove the original one I guess you could use a variant of the above command and add it with a priority/line number so it sits on top of the current Dynamic PAT rule. Though your current Dynamic PAT rules are Section 1 Twice NAT / Manual NAT rules so I am kind of wondering how the rest of the NAT rules are built if you have these rules at such a high priority.

I used the "after-auto" in the Twice NAT / Manual NAT configuration as I typically use the basic/default Dynamic PAT configuration at the very lowest priority so that they dont interfere with the operation of Static NAT/PAT or possibly some Policy type NAT/PAT configurations. I guess in your situation you would have to modify the above command to remove the "after-auto" and add a line number after the ")" to insert the rule on top of the current rules.

I guess there would be an option to change the "timeout pat-xlate 0:00:30" default value too BUT again I have not tested this or had to use it myself to this day.

What exactly is the traffic that manages to consume your whole PAT port range? Is there a lot of users or large amount of connections from fewer hosts? Have you checked the "show nat pool" output while this was happenning?

Maybe this configuration command might also help with your situation?

http://www.cisco.com/en/US/docs/security/asa/command-reference/wz.html#wp1837352

- Jouni

0 Helpful

Go to solution
asotres
Level 1
Level 1
In response to Jouni Forss

‎09-14-2013 03:31 AM

Thanks Jouni , let me try combine both . I haven't checked the "show nat pool" , and most of the traffic is Internet Traffic , since this firewall is only for Egress Internet for all users, I could say that is the only NAT/PAT that we are running on this box for now!!!!

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to asotres

‎09-14-2013 03:41 AM

Hi,

A quick test with a NAT Pool configurations where I had 2 Dynamic NAT configuration line below on my test firewall

object network NAT1

range 1.1.1.1 1.1.1.2

object network NAT2

range 2.2.2.1 2.2.2.2

nat (WLAN,WAN) after-auto source dynamic any NAT1

nat (WLAN,WAN) after-auto source dynamic any NAT2

When I tested what would happen with exhausting the 2 IP address range configured under "object network NAT1" what resulted was that the traffic hitting from a third source address hit the same first NAT rule and NAT failed for it.

3RD SOURCE ADDRESS PACKET-TRACER

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (WLAN,WAN) after-auto source dynamic any NAT1

Additional Information:

  • Additional Information should specify which translation is done. It doesnt so no translation was performed

Result:

input-interface: WLAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: drop

Drop-reason: (nat-xlate-failed) NAT failed

  • Translation failed

I am not sure if this will be the same for Dynamic PAT as the above configuration that I mentioned was Dynamic NAT with 2 IP address pools.

I guess if the Dynamic PAT ignores the following Dynamic PAT configurations in the same way then I would suggest considering creating a single Dynamic PAT Pool configuration with possinly adding the "interface" parameter as mentioned earlier.

Or you could create multiple Dynamic PAT rules but rather than specifying ANY source address, divice your internal networks in "object network" or "object-group network" and give them their own Dynamic PAT IP address.

- Jouni

0 Helpful

Go to solution
asotres
Level 1
Level 1
In response to Jouni Forss

‎09-14-2013 04:34 AM

thanks again Jouni

Now I'm using the following configs , and it seems that is working as expected. Now I only need to wait to exhausted the "interface" PAT address in order to confirm that uses the next PAT address defined on the range:

object network obj_any-inside
subnet 0.0.0.0 0.0.0.0

object network obj-A.A.A.A-B.B.B.B
range A.A.A.A B.B.B.B

nat (inside,outside) after-auto source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj_any-inside pat-pool obj-A.A.A.A-B.B.B.B interface
    translate_hits = 19728, untranslate_hits = 5854

by the way the xlate are hitting the "interface" outside , I was looking for that

Thanks!!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card