Cisco Support Community
New Member

Sticky NAT Translations

Greetings all:

Currently I have a dynamic NAT policy for several sets of internal /16s that will be NAT'd to say 128 public IPs. However we have had issues when devices are assigned xlates from two different public IPs (when one IP is exhausted). What I would like to do is force the firewall to either provide an xlate from the same external IP that may have already been established within the xlate timeouts for that host or not at all. This is similar to the Juniper firewall function below.

"Set Sticky Dip

– When the sticky DIP is enabled, the Juniper firewall will ensure that same address is assigned from the DIP pool (to a host) for multiple concurrent sessions. "

I know that I can break the /16s into small groups and assign a public to each but this is very config intensive and an inefficient use of my publics due to some pools not utilizing all available ports while some may oversubscribe and be refused xlates altogether.

Is this possible on the ASA? Thank you for your help.

~Zoey

1 REPLY
Super Bronze

Sticky NAT Translations

Hi,

I'm not sure if that's how ASA's NAT works. At least I haven't been in that situation. But to my understanding the ASA doesn't use the same NAT IP address for the same inside host's concurrent connections. (But I can't really confirm this)

When you have these global NAT pools configured for the /16 networks, have you also assigned 1 PAT IP address to handle the situation where your NAT pool runs out? For example take some pool range and use the last IP address of that range as the PAT address.

For example the following configuration:

global (outside) 192 192.168.1.100-192.168.1.199
global (outside) 192 192.168.1.200
nat (inside) 192 172.16.0.0 255.255.0.0

- Jouni
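An added illustration, not from this thread and not Cisco's code: a small Python model of the pool-then-PAT layout in Jouni's reply, with a switch for the per-host "sticky" reuse Zoey asks about. The addresses, hosts, timeout and allocation rules are constructed to show the policy difference only; they do not describe what an ASA actually does.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Xlate:
    host: str        # inside host
    public: str      # mapped outside address
    last_used: int   # time of last session, seconds

@dataclass
class NatPool:
    free: List[str]            # unused one-to-one pool addresses (constructed values)
    pat_addr: Optional[str]    # overflow PAT address; None means refuse when the pool is empty
    timeout: int               # xlate idle timeout in seconds
    sticky: bool = True        # reuse a host's live xlate for its new sessions
    xlates: List[Xlate] = field(default_factory=list)

    def expire(self, now: int) -> None:
        """Drop idle xlates and hand their pool addresses back to the free list."""
        live = []
        for x in self.xlates:
            if now - x.last_used > self.timeout:
                if x.public != self.pat_addr:
                    self.free.append(x.public)
            else:
                live.append(x)
        self.xlates = live

    def translate(self, host: str, now: int) -> Optional[str]:
        """Outside address a new session from `host` gets at time `now`, or None if refused."""
        self.expire(now)
        if self.sticky:
            for x in self.xlates:           # a live mapping for this host wins
                if x.host == host:
                    x.last_used = now
                    return x.public
        if self.free:
            public = self.free.pop(0)       # one-to-one address from the pool
        elif self.pat_addr is not None:
            public = self.pat_addr          # pool exhausted: fall back to PAT
        else:
            return None                     # no PAT address: xlate refused
        self.xlates.append(Xlate(host, public, now))
        return public

def demo(sticky: bool, pat_addr: Optional[str] = "192.168.1.200") -> List[Optional[str]]:
    """Two sessions from host A, then one each from B and C, against a two-address pool."""
    nat = NatPool(free=["192.168.1.100", "192.168.1.101"], pat_addr=pat_addr,
                  timeout=300, sticky=sticky)
    return [nat.translate("172.16.0.1", 0), nat.translate("172.16.0.1", 10),
            nat.translate("172.16.0.2", 20), nat.translate("172.16.0.3", 30)]
```

With `sticky=False` host A's second session lands on a second public address, which is the situation the question describes; with `sticky=True` it reuses the first, and with no PAT address the third host is refused instead of overflowing.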
