Cisco Support Community

Why is there both NAT and PAT entries in the xlate table for the same local IP address?

Question: Why is there both NAT and PAT entries in the xlate table for the same local IP address?

This write-up will focus on ASA and ASASM version 8.3 and above. It does NOT focus on similar behavior in version 8.2 or before, or the FWSM.

Short Answer: A dynamic NAT global object-group must contain both host-based and range/subnet-based objects. The ASA will first allocate all the range/subnet IP addresses as 1:1 NAT mappings. Next, it will allocate the host IP addresses as N:1 PAT mappings. Finally, after a N:1 PAT xlate is created, a global IP in the 1:1 pool is freed and used. The PAT xlate will not be transitioned when the NAT xlate is built because it would break the connection.

Long Answer:

Consider the xlate output below for a single inside IP address. It can be obtained with either the 'show local-host 10.1.1.10' command or the 'show xlate local 10.1.1.10' command.

NAT from inside:10.173.64.136 to outside:31.203.253.30 flags i idle 0:00:01 timeout 0:04:00

TCP PAT from inside:10.173.64.136/52093 to outside:212.43.23.243/22824 flags ri idle 0:11:41 timeout 0:00:30

The related NAT configuration is as follows:

object network obj-1.1.1.1
  host 1.1.1.1
object network obj-2.2.2.1-2.2.2.10
  range 2.2.2.1 2.2.2.10
!
object-group network global_outside
  network-object object obj-1.1.1.1
  network-object object obj-2.2.2.1-2.2.2.10
!
object network obj-10.1.1.10
  host 10.1.1.10
  nat (inside,outside) dynamic global_outside

Note that the "global_outside" object-group contains both host-based objects and range-based objects. Also note that we are using a dynamic Network Object NAT rule. When these are configured together, the range-based objects imply 1:1 NAT, while host-based objects imply N:1 PAT. The NAT engine will prioritize the 1:1 IP address range mappings before allocating any PAT. Once the IP addresses in the range are allocated, PAT will be used with the host-based object(s) in the pool.

Keep in mind that existing xlates are checked prior to the NAT rule table when building new connections. If a matching xlate exists (such as a 1:1 Dynamic NAT), then the ASA will use that entry for the translation. If there is no matching xlate built and all the IP ranges are used up, then the ASA will fall back to PAT. Since PAT mappings are very specific, in the case of TCP they will generally only exist for the duration of the TCP session. After the TCP session is torn down, the 30 second idle timer will quickly remove the PAT xlate.

Now let's assume that all the IP addresses in all the global pool ranges are in use. This means that the ASA will need to utilize one of the host-based objects in the pool for PAT. That PAT xlate will remain up until that connection is removed. However, if an IP address in the global 1:1 pool becomes available, the ASA will use that for the next connection and all new connections until it times out. When this xlate is built, the ASA cannot retroactively move the existing PAT xlates to the new 1:1 mapping, because this would break the connection. So instead, the old conn and xlate must endure until completion.

Here is an example series of events. Assume all connections are from Inside to Outside.

1) ASA receives a new SYN packet building a conn:

  10.1.1.10/12345 to 3.3.3.3/80

2) Check for existing xlate fails, no matching xlate in the table. The ASA must build a new xlate for this connection.

3) The matching NAT rule contains both IP host objects and range objects (see the config above).

4) NAT engine checks nat pool ranges for available 1:1 dynamic mapping... Fails.

5) NAT engine checks nat pool hosts for available N:1 dynamic mapping... Success!

A dynamic PAT xlate is built for this connection. Ex:

   TCP PAT from inside:10.1.1.10/12345 to outside:1.1.1.1/12345 flags ri idle 0:11:41 timeout 0:00:30

6) ASA receives a new SYN packet building a conn:

  10.1.1.10/12345 to 4.4.4.4/80

7) Check for existing xlate fails, no matching xlate in the table. The ASA must build a new xlate for this connection.

8) This time, the NAT engine checks nat pool ranges for available 1:1 dynamic mapping... Success!

A dynamic 1:1 NAT xlate is built. Ex:

  NAT from inside:10.1.1.10 to outside:2.2.2.7 flags i idle 0:00:01 timeout 0:04:00

Final 'show local-host 10.1.1.10' output:

   Xlate:

     NAT from inside:10.1.1.10 to outside:2.2.2.7 flags i idle 0:00:01 timeout 1:00:00

     TCP PAT from inside:10.1.1.10/12345 to outside:1.1.1.1/12345 flags ri idle 0:11:41 timeout 0:00:30

   Conn:

     TCP outside 3.3.3.3/80 inside 10.1.1.10/12345, idle 0:00:01, bytes 103587, flags UIO

     TCP outside 4.4.4.4/80 inside 10.1.1.10/12345, idle 0:05:53, bytes 9937, flags UIO
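To make the allocation order concrete, here is an added toy model of the sequence above (written for this page, not ASA code and not part of the original write-up): range addresses are handed out first as 1:1 NAT, host addresses are used for PAT only once the range is exhausted, an existing xlate is consulted before the rule table, and a freed 1:1 address is picked up by the next new conn while the old PAT xlate stays. The pool addresses and 10.1.1.10 are the page's own values; the ten inside hosts 10.1.1.100-109 that fill the range first, and the simplified port handling, are constructed assumptions.

```python
from ipaddress import IPv4Address

# Pool values come from the page's config: obj-2.2.2.1-2.2.2.10 yields 1:1 NAT,
# obj-1.1.1.1 yields N:1 PAT.  Toy model of the described order, not ASA code.
RANGE_POOL = [IPv4Address("2.2.2.1") + i for i in range(10)]
HOST_POOL = [IPv4Address("1.1.1.1")]


class XlateTable:
    def __init__(self):
        self.nat = {}    # local IP -> global IP (1:1 dynamic NAT xlate)
        self.pat = []    # (local, lport, global, gport) TCP PAT xlates

    def translate(self, local, lport):
        """Pick the xlate for a new conn from local/lport (page steps 2-5 and 7-8)."""
        local = IPv4Address(local)
        # Existing xlates are consulted before the NAT rule table.
        if local in self.nat:
            return ("NAT", str(self.nat[local]))
        # Range/subnet objects are tried first and give a 1:1 mapping.
        free = [g for g in RANGE_POOL if g not in self.nat.values()]
        if free:
            self.nat[local] = free[0]
            return ("NAT", str(free[0]))
        # Range exhausted: fall back to N:1 PAT on the host object.
        gport = lport  # toy simplification; the real ASA may choose another port
        self.pat.append((local, lport, HOST_POOL[0], gport))
        return ("PAT", f"{HOST_POOL[0]}/{gport}")

    def expire_nat(self, local):
        """A 1:1 xlate idles out; existing PAT xlates are never migrated onto it."""
        self.nat.pop(IPv4Address(local), None)

    def show_xlate_local(self, local):
        """Lines shaped like 'show xlate local <ip>' for one inside host."""
        local = IPv4Address(local)
        out = [f"NAT from inside:{l} to outside:{g}" for l, g in self.nat.items() if l == local]
        out += [f"TCP PAT from inside:{l}/{lp} to outside:{g}/{gp}"
                for l, lp, g, gp in self.pat if l == local]
        return out


def walk_through():
    t = XlateTable()
    for i in range(10):                        # constructed: other hosts hold the whole range
        t.translate(f"10.1.1.{100 + i}", 40000 + i)
    first = t.translate("10.1.1.10", 12345)    # step 5: range full, PAT on 1.1.1.1
    t.expire_nat("10.1.1.106")                 # 2.2.2.7 becomes free again
    second = t.translate("10.1.1.10", 12345)   # step 8: new conn gets 1:1 NAT
    return first, second, t
```

Calling `walk_through()` and printing `t.show_xlate_local("10.1.1.10")` reproduces the two-entry picture above: one NAT line on 2.2.2.7 and one lingering TCP PAT line on 1.1.1.1.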

Last update: 01-09-2012 09:07 AM