Cisco ASA 8.4 – No more Global Address Pools

There are a couple of ways to do NAT/PAT assignments in 8.4, as you might expect. Unless you have a single network object that represents the entire inside network, I recommend not using the network-object (auto) NAT method and instead defining the rule "outside" of the network-object framework, as a manual (twice) NAT rule.

So first define a network object for the NAT range of external IPs, and then one for the PAT external IP address. In the CLI it looks like this (these are external IPs, just to be clear; the addresses in angle brackets are placeholders for your own):

object network nat-range1
 range <first-external-ip> <last-external-ip>

object network pat-ip1
 host <pat-external-ip>

You can do the same easily from ASDM, but I wanted to make sure the size of the block, as a range instead of a subnet, was visible.


Now, from the NAT page, create a new Dynamic rule.


The NAT pool should look like this when done; I use inside to Outside2 here.


Note the nat-range object, which is what used to be the "global" address pool (the global command) before 8.3.

Now add a PAT. It cannot overlap with the NAT pool. Don't choose Round Robin, as it's memory intensive. I believe I read that 8.4 has an issue where it can run out of certain types of PAT ports (it tries to group all ports below 1024 together, etc.) that, from what I gather, is fixed in 8.51 <sigh>

Add Nat Rule after "Network Object" NAT Rules

It should look like this when done; I moved it to the top for clarity.


I recommend making this change separately from other work so it can be tested on its own. Test it for a couple of hours and make sure it is NATting and PATting correctly under load.
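The whole procedure above (objects, dynamic NAT pool, PAT address, placement after the network-object rules, and the checks) as a single CLI configuration. This is an added example, not configuration from the original post: the addresses are constructed from the 203.0.113.0/24 documentation range, the inside network 10.1.0.0/16 and the object name inside-net are assumptions, and only the interface names inside and Outside2 and the object names nat-range1 and pat-ip1 follow the post.

```cisco
! Added example, not from the original post. 203.0.113.x addresses,
! 10.1.0.0/16 and the object name inside-net are assumptions.
!
! Mapped pool defined as a range so the size of the block is visible
! (this is the 8.2 "global (Outside2) 1 <range>" pool as a network object).
object network nat-range1
 range 203.0.113.10 203.0.113.20
!
! Dedicated PAT address: a single host that must not fall inside nat-range1.
object network pat-ip1
 host 203.0.113.21
!
! Real (inside) addresses the dynamic NAT rule applies to. The post assumes
! you do NOT have one object covering the whole inside network, which is why
! a manual (twice) NAT rule is used instead of network-object (auto) NAT.
object network inside-net
 subnet 10.1.0.0 255.255.0.0
!
! Manual NAT rule placed after the network-object (auto) NAT rules, i.e.
! section 3 of "show nat" - the "Add NAT Rule after Network Object NAT Rules"
! choice in ASDM. Dynamic NAT: each 10.1.0.0/16 host gets one address from
! nat-range1. "interface" adds a fallback to PAT on the Outside2 interface
! address once the range is exhausted; without a fallback, new connections
! are dropped when the pool runs out (NAT is first-match, it does not fall
! through to the next rule).
nat (inside,Outside2) after-auto source dynamic inside-net nat-range1 interface
!
! Dynamic PAT on the dedicated address for any other inside source. Because
! rules are first-match, this only sees traffic the rule above did not match.
nat (inside,Outside2) after-auto source dynamic any pat-ip1
!
! 8.4(2) and later can spread PAT across several addresses with a PAT pool
! object. The default allocation uses up one address's ports before moving to
! the next; the optional round-robin keyword is the "Round Robin" option the
! post says to leave off.
! nat (inside,Outside2) after-auto source dynamic any pat-pool pat-ip1
!
! Checks to run before the change and during the load test:
! rule sections, hit counts and real/mapped objects
show nat detail
! live translations; PAT entries show the mapped port
show xlate
show xlate count
```

Compare the hit counts from show nat detail and the xlate count before and after the change: under load the dynamic NAT rule should accumulate translations only up to the size of nat-range1 (11 addresses here), after which new connections appear as PAT entries on the fallback address rather than being dropped.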

  1. #1 by felix001 on January 5th, 2013

    Hey, great article. You may also find this article useful as well if you are trying to learn 8.3 onwards…
