Adaptive Security Appliance (ASA) Cisco

Cisco ASA 8.4 – No more Global Address Pools

There are a couple of ways to do NAT/PAT assignments as you might expect out of 8.4.  Assuming that you don’t really have a single Net Object that represents the entire inside network I recommend not using the Net-Object method and to define a rule “outside” of the Net-Object framework.

So first define a network object for NAT range of external IPs and then a PA  external IP address.  In cli it looks like this, these are external IPs just to be clear:

object network nat-range1

object network pat-ip1

You can do the same easily from the ASDM but I wanted to make sure the size of the block as a range instead of a subnet was visible.


Now from the NAT page create a new Dynamic  Rule,


The NAT Pool should look like this when done, I use inside to Outside2 here.


Note the nat-range object which used to be a “pool”.

Now add a PAT.  It cant overlap with the NAT pool, etc etc.  Don’t choose Round Robin as it’s memory intensive. I believe I read that 8.4 has an issue where it can run out of certain types of PAT ports (they try and group all ports below 1024 together, etc) that from what I gather is fixed in 8.51 <sigh>

Add Nat Rule after "Network Object" NAT Rules

Add Nat Rule after "Network Object" NAT Rules

Should look like this when done, I moved it to the top for clarity.


I recommend making this change separate from other work so it can be tested separately, TEST for a couple of hours make sure it is NATting and patting correctly under load is my advice.


Related Posts