many to many PAT

Hi All,

Hope you are doing good. I am currently trying to configure PAT on our FWSM. There are a large number of hosts (four private /24 subnets) that need to be PATted and they are ending up using all the ports that can be PATted via one IP address. Thus I am looking to place them behind 16 IP addresses. Below is my config which isn't working correctly.

access-list PAT_HOSTS extended permit ip 192.168.1.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.2.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.3.0 255.255.255.0 any
access-list PAT_HOSTS extended permit ip 192.168.4.0 255.255.255.0 any
nat (INSIDE1) 12 access-list PAT_HOSTS
nat (INSIDE2) 12 access-list PAT_HOSTS
global (OUTSIDE) 12 10.1.1.48-10.1.1.63 netmask 255.255.255.240

Could anybody please advise how can I achieve this?

Regards,

Nilesh

Re: many to many PAT

Hi,

So what you are saying is that the single PAT IP address's ports are being exhausted and any following connections/hosts won't get a translation?

The reason why your new NAT configuration doesn't work is that you are using a NAT pool. It just assigns a single NAT IP address to a single host. When it runs out of IP addresses you don't have any NAT IP addresses left. And this naturally happens fast with your setup. Even faster than using the single PAT IP address.

The solution would be to configure several "global" statements in the configuration.

Since you didn't provide the original configuration I will make up a sample configuration of the Before and After situation.

Before

global (OUTSIDE) 12 interface
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

After

  • If your goal is to simply add 1 or more PAT addresses to address the problem of running out of ports then you just add an additional "global" statement/configuration

global (OUTSIDE) 12 interface
global (OUTSIDE) 12 10.1.1.48
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

Also typically in situations where you have a sufficient NAT pool BUT it might run out of addresses occasionally, you could configure NAT pool + PAT as an overload address for when the NAT pool runs out.

Basic configuration format could be for example

global (OUTSIDE) 12 10.1.1.2-10.1.1.253
global (OUTSIDE) 12 10.1.1.254
nat (INSIDE1) 12 192.168.1.0 255.255.255.0
nat (INSIDE1) 12 192.168.2.0 255.255.255.0
nat (INSIDE2) 12 192.168.3.0 255.255.255.0
nat (INSIDE2) 12 192.168.4.0 255.255.255.0

Hope this helps

- Jouni

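The difference the reply is pointing at (a range in a "global" statement is a one-to-one dynamic NAT pool, a single address is a PAT address, and the pool is drained before PAT kicks in) is easy to see in a small allocator model. The following Python is an added illustration written for this thread; it is not Cisco code and not part of either post. It simplifies FWSM behaviour to the rules the reply states, assumes a PAT address can hand out ports 1024-65535, and uses the questioner's four /24 subnets plus the "global" lines from both posts as its sample input.

```python
"""Toy model of FWSM/ASA-style "global" statements for one NAT id.

Modelled rules (assumptions following the reply above, not a full FWSM model):
  - a "global" with an address range is a dynamic NAT pool: every inside host
    consumes one whole outside address and keeps it; no port sharing;
  - a "global" with a single address (or "interface") is a PAT address: every
    connection consumes one (address, port) tuple;
  - pool addresses are handed out first; PAT addresses are used, in configured
    order, only once the pool is exhausted.
"""
from dataclasses import dataclass, field
import ipaddress

PAT_PORTS_PER_ADDRESS = 65535 - 1024 + 1  # usable PAT ports per address (assumption)

# Sample "global" configurations, copied from the question and the reply.
POOL_ONLY = ["global (OUTSIDE) 12 10.1.1.48-10.1.1.63 netmask 255.255.255.240"]
PAT_INTERFACE_ONLY = ["global (OUTSIDE) 12 interface"]
TWO_PAT = ["global (OUTSIDE) 12 interface", "global (OUTSIDE) 12 10.1.1.48"]
POOL_PLUS_OVERLOAD = ["global (OUTSIDE) 12 10.1.1.2-10.1.1.253",
                      "global (OUTSIDE) 12 10.1.1.254"]


@dataclass
class Global:
    addresses: list  # outside addresses this statement provides
    pat: bool        # True = port overload, False = one-to-one pool


def parse_global(line):
    """Parse a 'global (IFACE) ID <addr|range|interface> ...' line."""
    spec = line.split()[3]
    if spec == "interface":
        return Global(["interface"], pat=True)
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
        return Global([str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)], pat=False)
    return Global([spec], pat=True)


@dataclass
class Translator:
    globals: list
    pool_map: dict = field(default_factory=dict)   # inside host -> pool address
    pool_free: list = field(default_factory=list)  # unassigned pool addresses
    pat_used: dict = field(default_factory=dict)   # PAT address -> ports in use

    def __post_init__(self):
        for g in self.globals:
            if g.pat:
                for addr in g.addresses:
                    self.pat_used.setdefault(addr, 0)
            else:
                self.pool_free.extend(g.addresses)

    def translate(self, host):
        """Translate one new connection from `host`; None means no xlate left."""
        if host in self.pool_map:            # host already owns a pool address
            return ("nat", self.pool_map[host])
        if self.pool_free:                   # pool first, one address per host
            addr = self.pool_free.pop(0)
            self.pool_map[host] = addr
            return ("nat", addr)
        for g in self.globals:               # then PAT, in configured order
            if not g.pat:
                continue
            for addr in g.addresses:
                if self.pat_used[addr] < PAT_PORTS_PER_ADDRESS:
                    self.pat_used[addr] += 1
                    return ("pat", addr)
        return None


def inside_hosts():
    """The questioner's four private /24 subnets: 4 * 254 = 1016 hosts."""
    hosts = []
    for net in ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"):
        hosts.extend(str(h) for h in ipaddress.ip_network(net).hosts())
    return hosts


def hosts_fully_served(global_lines, hosts, conns_per_host):
    """Count hosts that get every one of their connections translated."""
    t = Translator([parse_global(l) for l in global_lines])
    return sum(
        1 for h in hosts
        if all(t.translate(h) is not None for _ in range(conns_per_host))
    )


if __name__ == "__main__":
    hosts = inside_hosts()
    for name, cfg in [("pool of 16 (question)", POOL_ONLY),
                      ("interface PAT only", PAT_INTERFACE_ONLY),
                      ("interface + 10.1.1.48 PAT", TWO_PAT),
                      ("pool + overload PAT", POOL_PLUS_OVERLOAD)]:
        print(f"{name}: {hosts_fully_served(cfg, hosts, 80)} of {len(hosts)} hosts served")
```

With 80 concurrent connections per host, the 16-address pool from the question serves exactly 16 hosts before every further host is refused, a single PAT address serves 806 of the 1016 hosts before its ports run out, and either of the reply's two configurations covers all 1016. The pool-plus-overload case also shows the ordering: the first 252 hosts receive a pool address each and only the remainder fall back to 10.1.1.254.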