Cisco ASA - Dynamic PAT - PAT Pool options - NOTES

Hello,

I was reviewing some of the options the Cisco ASA/ASAx provided for Dynamic PAT and put together informal notes for myself. Putting them here also in case it would help someone:


Starting Objects:

object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0

object network DPAT
 host 72.9.9.100

object network DNAT
 range 72.9.9.101 72.9.9.103

object network DPAT-RANGE
 range 72.9.9.201 72.9.9.203

Basic Dynamic PAT and Dynamic NAT

Regular Dynamic PAT -- mapped IP is an object defined with a Host or Subnet, or an Object-Group

nat (inside,outside) source dynamic INSIDE-NET DPAT

Regular Dynamic NAT -- mapped IP is an object defined with a Range

nat (inside,outside) source dynamic INSIDE-NET DNAT

To use a Range object for Dynamic PAT, use pat-pool:

nat (inside,outside) source dynamic INSIDE-NET pat-pool DPAT-RANGE

To customize how the ASA allocates IP addresses or ports in Dynamic PAT, use pat-pool with the arguments described below.

IP Address allocation

By default, Dynamic PAT uses the pool's IP addresses one at a time, i.e. if three IP addresses are in a pat-pool, all ports of the first IP address are used before the second IP address is used, and so on.

This can be changed using the "round-robin" argument:

nat (inside,outside) source dynamic INSIDE-NET pat-pool DPAT-RANGE round-robin

Port allocation

By default, DPAT assures unique source ports but keeps each source port in the same block it arrived in:

  • block 1 - ports 0 to 511
  • block 2 - ports 512 to 1023
  • block 3 - ports 1024 to 65535

This means that if a connection arrives with source port 300 and the ASA has to re-randomize the source port, it will pick a new port number in the range 0-511. For applications that use source ports in 0-511, this limits the maximum concurrent connections to 511.

There are three options to change this:

To re-randomize ports in the range 1024-65535, use the flat argument:

nat (inside,outside) source dynamic INSIDE-NET pat-pool DPAT-RANGE flat

To re-randomize ports in the range 1-65535, use flat include-reserve:

nat (inside,outside) source dynamic INSIDE-NET pat-pool DPAT-RANGE flat include-reserve

To assign internal hosts "blocks" of ports they can use, use block-allocation argument:

nat (inside,outside) source dynamic INSIDE-NET pat-pool DPAT-RANGE block-allocation

Block sizes are 512 ports by default and can be customized with this command:

xlate block-allocation size <32-4096>

The block size must divide evenly into 64512 (the number of ports in the 1024-65535 range) to ensure all ports are usable. For instance, if a block size of 100 is chosen, 12 ports will be unusable.

The use case for block allocation is to reduce logging when port-allocation accounting is enabled for large-scale NAT/CGNAT. If a host makes 500 different connections, that is 500 xlate log messages, one per assigned source port. If block-allocation is enabled, only 1 log message is created, indicating that the host has been allocated a set of 512 ports.

By default, if a host uses all the ports in their assigned block, additional blocks will be assigned to the host. This can be limited with this command:

xlate block-allocation maximum-per-host <1-8>

Extended Dynamic PAT

By default, Dynamic PAT ensures unique source ports for each IP address in the Dynamic PAT pool, which limits each Dynamic PAT pool IP to approximately 65k concurrent connections.

Instead, the ASA can keep track of the destination IP and port as well, so that two internal hosts can use the same source port as long as they are speaking to different external hosts. To use this feature, add the extended argument:

nat (inside,outside) source dynamic INSIDE-NET pat-pool DPAT-RANGE extended

This increases the maximum concurrent connections possible at the cost of utilizing more RAM on the ASA.

Notice the three connections from three hosts, each using source port 333. All three were mapped to the same DPAT IP (72.9.9.201) and source port 333 because they were going to different destinations (72.9.9.98 / .99 / .97):

TCP PAT from inside:10.0.0.104/333 to outside:72.9.9.201/333(72.9.9.98) flags rie idle 0:00:01 timeout 0:00:30
TCP PAT from inside:10.0.0.103/333 to outside:72.9.9.201/333(72.9.9.99) flags rie idle 0:00:01 timeout 0:00:30
TCP PAT from inside:10.0.0.105/333 to outside:72.9.9.201/333(72.9.9.97) flags rie idle 0:00:01 timeout 0:00:30
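As an added illustration of the port-allocation options and of extended PAT described above (my own model, not Cisco code and not part of the original notes), here is a small Python simulation of a pat-pool. The IPs and ports are the constructed values from the notes; that the ASA first tries to keep the original source port, as the xlate output above suggests, is an assumption of the model.

```python
from dataclasses import dataclass, field

# Port ranges the ASA keeps a re-randomised source port inside by default
DEFAULT_BLOCKS = [(0, 511), (512, 1023), (1024, 65535)]

def port_range(src_port, mode="default"):
    """(lo, hi) range a new mapped port is picked from, per pat-pool option."""
    if mode == "flat":
        return (1024, 65535)
    if mode == "flat include-reserve":
        return (1, 65535)
    return next(b for b in DEFAULT_BLOCKS if b[0] <= src_port <= b[1])

def capacity_per_ip(src_port, mode="default"):
    """Concurrent connections one pat-pool IP can carry for this source port
    (port 0 is never handed out, so the first block yields 511)."""
    lo, hi = port_range(src_port, mode)
    return hi - max(lo, 1) + 1

def unusable_ports(block_size):
    """Ports of the 64512-port range (1024-65535) wasted by a block-allocation size."""
    return 64512 % block_size

@dataclass
class PatPool:
    ips: list                      # mapped addresses, e.g. a Range object
    mode: str = "default"          # "default", "flat" or "flat include-reserve"
    round_robin: bool = False      # cycle through IPs instead of exhausting each
    extended: bool = False         # uniqueness per (ip, port, destination)
    used: set = field(default_factory=set)
    _next_ip: int = 0

    def translate(self, src_port, dst):
        """Return (mapped_ip, mapped_port) for a new flow; raise when exhausted."""
        lo, hi = port_range(src_port, self.mode)
        order = list(range(len(self.ips)))
        if self.round_robin:
            order = [(self._next_ip + i) % len(self.ips) for i in order]
            self._next_ip = (self._next_ip + 1) % len(self.ips)
        for i in order:
            ip = self.ips[i]
            # assumption: preserve the original port first, then fall back to the range
            for port in (src_port, *range(max(lo, 1), hi + 1)):
                if not (lo <= port <= hi) or port == 0:
                    continue
                key = (ip, port, dst) if self.extended else (ip, port)
                if key not in self.used:
                    self.used.add(key)
                    return ip, port
        raise RuntimeError("pat-pool exhausted")
```

With extended=True the three flows from the notes all receive 72.9.9.201/333; without it the second flow to a different destination is moved to another port in the 0-511 block.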

One day I might turn this into a blog post with pretty formatting. In the meantime, hope this helps.

PS: If you want a more thorough rundown on NAT on a Cisco ASA, check out this configuration guide:

https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/

Posted
4 years ago