Configure PAT with Port Block Allocation

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). If you allocate a block of ports, subsequent connections from the host use new randomly-selected ports within the block. If necessary, additional blocks are allocated if the host has active connections for all ports in the original block. Blocks are freed when the last xlate that uses a port in the block is removed.

The main reason for allocating port blocks is reduced logging. Port block allocations and connections are logged, but the individual xlates created within a port block are not. On the other hand, this makes log analysis more difficult, because attributing a mapped port to a real host requires correlating it with the port block allocation messages.

Port blocks are allocated in the 1024-65535 range only. Thus, if an application requires a low port number (1-1023), it might not work. For example, an application requesting port 22 (SSH) will get a mapped port within the range of 1024-65535 and within the block allocated to the host. You can create a separate NAT rule that does not use block allocation for applications that use low port numbers; for twice NAT, ensure the rule comes before the block allocation rule.

Before you begin

Usage notes for NAT rules:

  • You can include the Use Round Robin Allocation option, but you cannot include the options for extending PAT uniqueness, using a flat range, including the reserved ports, or falling through to interface PAT. Other source/destination address and port information is also allowed.

  • As with all NAT changes, if you replace an existing rule, you must clear xlates related to the replaced rule to have the new rule take effect. You can clear them explicitly or simply wait for them to time out. When operating in a cluster, you must clear xlates globally across the cluster.

    Note

    If you are switching between a regular PAT and block allocation PAT rule, for object NAT, you must first delete the rule, then clear xlates. You can then create the new object NAT rule. Otherwise, you will see pat-port-block-state-mismatch drops in the show asp drop output.

  • For a given PAT pool, you must specify (or not specify) block allocation for all rules that use the pool. You cannot allocate blocks in one rule and not in another. PAT pools that overlap also cannot mix block allocation settings. You also cannot overlap static NAT-with-port-translation rules with the pool.

Procedure

Step 1

(Optional.) Configure global PAT port block allocation settings.

There are a few global settings that control port block allocation. If you want to change the defaults for these options, you must configure a FlexConfig object and add it to your FlexConfig policy.

  1. Select Objects > Object Management > FlexConfig > FlexConfig Object and create a new object.

  2. Configure the block allocation size, which is the number of ports in each block.

    xlate block-allocation size value

    The range is 32-4096. The default is 512. Use the “no” form to return to the default.

    If you do not use the default, ensure that the size you choose divides evenly into 64,512 (the number of ports in the 1024-65535 range). Otherwise, there will be ports that cannot be used. For example, if you specify 100, there will be 12 unused ports.

  3. Configure the maximum blocks that can be allocated per host.

    xlate block-allocation maximum-per-host number

    The limit is per protocol, so a limit of 4 means at most 4 UDP blocks, 4 TCP blocks, and 4 ICMP blocks per host. The range is 1-8, the default is 4. Use the “no” form to return to the default.

  4. (Optional.) Enable interim syslog generation.

    xlate block-allocation pba-interim-logging seconds

    By default, the system generates syslog messages during port block creation and deletion. If you enable interim logging, the system generates the following message at the interval you specify. The messages report all active port blocks allocated at that time, including the protocol (ICMP, TCP, UDP) and source and destination interface and IP address, and the port block. You can specify an interval from 21600-604800 seconds (6 hours to 7 days).

    %ASA-6-305017: Pba-interim-logging: Active protocol block of ports for translation from real_interface:real_host_ip to mapped_interface:mapped_ip_address/start_port_num-end_port_num

    Example:

    The following example sets the block allocation size to 64, the per-host maximum to 8, and enables interim logging every 6 hours.

    xlate block-allocation size 64
    xlate block-allocation maximum-per-host 8
    xlate block-allocation pba-interim-logging 21600
  5. Select the following options in the FlexConfig object:

    • Deployment = Everytime

    • Type = Append

  6. Click Save to create the FlexConfig object.

  7. Select Devices > FlexConfig, and create or edit the FlexConfig policy that is assigned to the devices that need to have these settings adjusted.

  8. Select your object in the available objects list and click > to move it to the selected objects list.

  9. Click Save.

    You can click Preview Config, select one of the target devices, and verify that the xlate commands appear correctly.
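    Because xlates inside a block are not logged, an analyst who sees a mapped address and port in an external log must map it back to the real host through the port block messages. The following added Python example (not part of this Cisco procedure) parses constructed %ASA-6-305017 interim-logging lines in the format shown above, attributes a mapped IP/port to the real host, and flags blocks whose span does not match the configured block size or falls outside 1024-65535; interface names, addresses and the sample lines are made up.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample %ASA-6-305017 lines (made-up hosts, interfaces, addresses).
SAMPLE_LOG = """\
%ASA-6-305017: Pba-interim-logging: Active TCP block of ports for translation from inside:10.1.1.5 to outside:203.0.113.10/1024-1535
%ASA-6-305017: Pba-interim-logging: Active TCP block of ports for translation from inside:10.1.1.7 to outside:203.0.113.10/1536-2047
%ASA-6-305017: Pba-interim-logging: Active UDP block of ports for translation from inside:10.1.1.5 to outside:203.0.113.10/1024-1535
%ASA-6-305017: Pba-interim-logging: Active TCP block of ports for translation from inside:10.1.1.9 to outside:203.0.113.11/1024-1123
"""

# Regex built from the documented message layout:
# ... Active <protocol> block of ports for translation from <real_if>:<real_ip>
#     to <mapped_if>:<mapped_ip>/<start>-<end>
PBA_RE = re.compile(
    r"%ASA-6-305017: Pba-interim-logging: Active (?P<proto>\w+) block of ports "
    r"for translation from (?P<real_if>[^:\s]+):(?P<real_ip>\S+) "
    r"to (?P<mapped_if>[^:\s]+):(?P<mapped_ip>[^/\s]+)/(?P<start>\d+)-(?P<end>\d+)"
)

class PortBlock(NamedTuple):
    proto: str
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    start: int
    end: int

def parse_blocks(text: str) -> List[PortBlock]:
    """Return the port blocks described by 305017 lines; other lines are ignored."""
    blocks = []
    for line in text.splitlines():
        m = PBA_RE.search(line)
        if m:
            blocks.append(PortBlock(m["proto"].upper(), m["real_if"], m["real_ip"],
                                    m["mapped_if"], m["mapped_ip"],
                                    int(m["start"]), int(m["end"])))
    return blocks

def real_host_for(blocks: List[PortBlock], proto: str,
                  mapped_ip: str, mapped_port: int) -> Optional[str]:
    """Attribute a mapped IP/port to the real host whose block covered it, else None."""
    for b in blocks:
        if (b.proto == proto.upper() and b.mapped_ip == mapped_ip
                and b.start <= mapped_port <= b.end):
            return b.real_ip
    return None

def check_block(block: PortBlock, size: int) -> List[str]:
    """Flag a block whose span differs from the configured size or leaves 1024-65535."""
    problems = []
    if block.end - block.start + 1 != size:
        problems.append("size")          # e.g. a 100-port block under a 512 setting
    if block.start < 1024 or block.end > 65535:
        problems.append("range")         # blocks never use ports 1-1023
    return problems
```

    Each interim report repeats all active blocks, so keeping only the latest report per protocol and mapped address before attributing a port avoids stale matches.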

Step 2

Add NAT rules that use PAT pool port block allocation.

  1. Select Devices > NAT and add or edit the threat defense NAT policy.

  2. Add or edit a NAT rule and configure at least the following options.

    • Type = Dynamic

    • In Translation > Original Source, select the object that defines the source address.

    • On PAT Pool, configure the following options:

      • Select Enable PAT Pool

      • In PAT > Address, select a network object or group that defines the PAT pool.

      • Select the Block Allocation option.

  3. Save your changes to the rule and to the NAT policy.