
We're currently PATing everything from a particular subnet to the IP of an outside interface using our ASA5585 (dynamic PAT). We're experiencing pool exhaustion and therefore need to expand the global IP range. Can anyone think of a way of cutting over to the new range without dropping existing connections? Thanks for looking!

James
  • Is the new range completely different, or merely an expanded (overlapping) range? – bahamat Oct 26 '12 at 01:16
  • It's a completely new range within the same overall subnet. i.e. the current interface address is x.x.x.37/22 and the new PAT pool is x.x.x.114-6/22 – James Oct 26 '12 at 03:59

2 Answers


Based on your comment above it's impossible.

If you're completely changing the IP address of the external pool then whatever connections you have must be reestablished. The remote endpoint would need to somehow know to re-use the same session with a new IP address.

The only way it would be possible is if the entire old range is contained entirely within the new range. Even then I don't know what the ASA would do (but if it's designed right the existing sessions would continue). But I do know that if you're entirely changing your pool, all sessions must drop.

bahamat

As per the thread at https://supportforums.cisco.com/message/3769433 I can confirm that when you change the NAT rule, existing translations are maintained and new connections use the new pool.

James
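For readers landing on this thread with the same problem, here is the ASA object-NAT change the question describes, as an added example that is not from the thread or from James's configuration. The addresses are RFC 5737 documentation space standing in for the x.x.x.37 interface and x.x.x.114-116 pool, the object names are invented, and the `pat-pool`, `round-robin` and `interface` keywords assume ASA 8.4(3) or later.

```cisco
! Added example (not from the thread): ASA object NAT before and after
! widening the PAT pool. Addresses are RFC 5737 documentation space,
! object names are invented, and pat-pool/interface assume ASA 8.4(3)+.
!
! --- Before: everything from the inside subnet is PATed to the single
! --- outside interface address (the x.x.x.37 in the question).
object network INSIDE_SUBNET
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! --- After: PAT across a pool of three addresses (the x.x.x.114-116
! --- range), falling back to the interface address only if the pool
! --- itself runs out of ports.
object network PAT_POOL
 range 203.0.113.114 203.0.113.116
!
object network INSIDE_SUBNET
 nat (inside,outside) dynamic pat-pool PAT_POOL interface
!
! A network object carries one NAT rule, so entering the new "nat" line
! under INSIDE_SUBNET replaces the old one in place. Per the behaviour
! confirmed in the thread, existing xlates are kept and only new
! connections draw from PAT_POOL.
!
! --- Verification (read-only): confirm the rule took, watch the pool
! --- fill, and check that old translations still sit on the interface.
show nat detail
show xlate count
show xlate global 203.0.113.37
show xlate global 203.0.113.114-203.0.113.116
!
! "clear xlate" tears down every active translation; it is the one
! command to keep away from during this change.
```

The `interface` fallback is optional but worth keeping: without it, a full pool means new connections fail rather than overflow onto the interface address. Add `round-robin` after the pool name if you want new translations spread across the three addresses instead of filling one address before moving to the next; the default fill order is usually easier to correlate in firewall logs.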