Cisco ASA PAT Configuration

Hello, when the ASA does port translations, what is the range of port addresses it picks from? And what is the maximum number of port translations it can do?

Hello Harshi

PAT divides the available ports per global IP address into three ranges:

  • 0-511
  • 512-1023
  • 1024-65535

Each global address will use one of these ranges. PAT assigns a unique source port for each TCP or UDP session. It attempts to assign the same port value of the original request, but if the original source port has already been assigned, it starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation.

Theoretically, the maximum number of ports that can be assigned is equal to the number of free ports available in the particular range being used. However, this limit will rarely if ever be reached due to the limitations of memory and CPU resources needed to manage so many translations. The more powerful the device, the more translations can be made.

I hope this has been helpful!

Laz

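The port-selection behaviour Laz describes (three ranges per global address, keep the original source port if free, otherwise take the first free port from the start of that range) as an added Python model. This is an illustration written for this thread, not Cisco's implementation; the PatTable class, its method names and the sample inside addresses are assumptions.

```python
# Added example: a simplified model of the PAT port selection described in
# the post above. Not ASA's real code; ranges and the "same port first, else
# first free port in the same range" rule are taken from the post.
from typing import Dict, Optional, Set, Tuple

# The three port ranges per global IP address, as listed in the post.
PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def range_for(port: int) -> Tuple[int, int]:
    """Return the (low, high) range an original source port belongs to."""
    for low, high in PORT_RANGES:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


class PatTable:
    """One global IP address together with the mapped ports it has in use."""

    def __init__(self, global_ip: str) -> None:
        self.global_ip = global_ip
        self.in_use: Set[int] = set()
        # (inside_ip, inside_port) -> mapped port, one row of 'show xlate'
        self.xlate: Dict[Tuple[str, int], int] = {}

    def translate(self, inside_ip: str, inside_port: int) -> Optional[int]:
        """Pick the mapped port for a session; None if the range is exhausted."""
        key = (inside_ip, inside_port)
        if key in self.xlate:            # existing conversation keeps its port
            return self.xlate[key]
        low, high = range_for(inside_port)
        if inside_port not in self.in_use:
            chosen = inside_port         # 1) keep the original source port
        else:
            # 2) scan the same range from its start for the first free port
            chosen = next((p for p in range(low, high + 1)
                           if p not in self.in_use), None)
            if chosen is None:
                return None              # no free port left in this range
        self.in_use.add(chosen)
        self.xlate[key] = chosen
        return chosen

    def release(self, inside_ip: str, inside_port: int) -> None:
        """Free the mapped port when the xlate entry times out."""
        chosen = self.xlate.pop((inside_ip, inside_port), None)
        if chosen is not None:
            self.in_use.discard(chosen)
```

The "theoretical maximum" from the post falls out of the model: once every port of a range is in use for that global address, translate() returns None.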

Hi Rene,
This was the interface NAT, but I couldn't find the Port Address Translation, where the traffic will start using the port numbers to identify each server/host inside the LAN. Could you please suggest where I am going wrong in understanding?

Hello Praveen

From the moment that Rene configured the inside portion of the object to contain a subnet with IP addresses ranging from 192.168.1.0 to 255.255.255.0, and the outside portion using a single IP address (using either the IP address itself or the interface keyword), PAT has indeed been configured. This is because we have a many-to-one mapping of inside to outside addresses, and the only way this can be achieved is by using Transport Layer port numbers to distinguish between communications. The output of the show xlate command shows how the inside address has been translated to the outside address/port number pair.

I hope this has been helpful!

Laz

Yeah, I can now imagine what he was trying to do. Thanks!


1)

object network test
 host 10.0.2.10

object network test
 nat (any, outside) dynamic interface

2)

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

Hi what is the difference between 1 and 2

Thanks

Hello Sims

The first set of configuration code configures dynamic NAT. The host IP address is the real IP address that you want to translate. The second statement configures dynamic NAT for that IP address, and the translation takes place between any interface (all interfaces except outside) and the outside interface. The outside IP address used is that of the outside interface.

In the second case, you are creating a dynamic NAT configuration not for a single host, but for a range of addresses. Here you have specified the specific inside interface as INSIDE, and you have also explicitly stated the outside IP address.

Both of these are examples of Network Object NAT. The first looks like it came from the configuration file of the device while the second shows the actual commands as they are inputted in the CLI.

For more info on Network Object NAT, take a look at the following Cisco Documentation.

I hope this has been helpful!

Laz

Hello,
In this command
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

  1. Why do you use this IP address and not another? I don’t understand.
  2. And why, if we use 192.168.2.254, will there be a mistake?

Thanks a lot.

Hello Anas

When configuring PAT, the outside IP address you use can be the actual address on the outside interface, such as 192.168.2.254, or it can be any address within the same subnet, as long as it is not used by another device on that segment. So 192.168.2.253 can be used as well.

If you want to use some external routable IP addresses, typically you will find that ISPs will give you a /29 network, where you are given a number of public IP addresses. One of those can be assigned to the outside interface, while the rest can safely be used in your NAT translations. So you can either choose to use your actual assigned external IP address, or any other unassigned address in the same subnet.

I hope this has been helpful!

Laz

Hello,
Thanks for the answer, but if I can use the real IP address (192.168.2.254), why is there a mistake?

Thanks

Hello Anas

Ah, my apologies, I wasn’t clear. In the lesson, the method Rene uses won’t allow you to use the outside interface IP address. However, if you notice, he does say

Of course there’s another way to use the IP address on the OUTSIDE interface but I just wanted to show you what happens when you try to configure the IP address like this.

The other way you could configure it, which would allow you to use the outside IP address, which is also the way I had in mind in my explanation, is further described in this Cisco documentation:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#18425
The examples shown in the above link can also use the outside IP address of the interface.

I hope this has been helpful!

Laz