ASA Port Exhaustion

cisco-asa

Our Branch Offices routes all their traffic to our Headquarter through an MPLS connection, all the traffic then goes through an ASA Firewall to be inspected before being natted to a public address and routed to the internet.

Both our Branch sites and HQ uses the same public address to reach the internet, we are about to deploy an application which can potentially create 8 new connections per. internal user, i'm worried that we will have more than 65535 connections and therefore run out of ports.

Are there any way i can see how many active connections i have that uses this specific public address?

'Show connections count' won't give me the precise result as we have a tons of other sites being natted to different public IPs, but i'm only interested in seeing the amount of connections for this specific IP so i can find out whether i need to split them up into multiple public ip-adresses.

Best Answer

You should use show xlate set of commands, they give you all current translation information (NAT/PAT) while show conn just gives your the information of (real) source and (real) destination IPs.

Let's say you have a public IP address (11.22.33.44) which is used for NAT/PAT, below are commands you can use to get what you want (please try with other options and check the outputs):
- show xlate global 11.22.33.44
- show xlate | i 11.22.33.44
On the other hand, by using show xlate local, you will get exact informaion and verify which public IP address is being used as NATted IP address for your local/internal private IP (let's say 192.168.100.80):
- show xlate local 192.168.100.80
- show xlate | i 192.168.100.80
Check the outputs of show xlate | i 192.168.100.80 and show conn | i 192.168.100.80, you will get more ideas.

I hope this is helpful and answers your question.

Related Solutions

Cisco – Placement of firewall for VPN RA and L2L tunnels

Should the inside interface of the 5545 land first on the L2 edge switches and then trunk to the agg switches for better security or just have the inside drop straight into the Agg layer, also considering that private line traffic may come through yet another interface on the 5545 in the future

Since you did not say that the L2s would be running ACLs, I would not see a difference. I am guessing you will run tagging on the inside ASAs to the distribution layer. My firewalls connect directly to aggregation switches with a dedicated vlan that runs HSRP/VRRP between each set of firewalls and the agg switches.

As to private line traffic, I do not use ASA but I think they have the zones construct like IOS ZBF and you will keep VPN traffic from going to/from the private line traffic without going through packet filtering.

It sounds like default route points to the 5540 and you will use more specific routes to get to your internal VPN access pools and the private line addresses. The 5545 has the default route pointing to the 5540 and it is ok for VPN traffic to hit the internet directly (don't know if you split tunnel on your VPN clients) and other routes to your internal address space.

So I can not see any real problems with your plan. But some of my above assumptions may be wrong

Routing – How to use secondary internet exclusively for one host

ip policy route-map

that command permit to create differentiate policy to the routing table:
http://www.ciscozine.com/pbr-route-a-packet-based-on-source-ip-address/

create an acl to define the traffic to internet that shall pass on ASA7

2851(config)# ip access-list exended SERVER
2851(config-ext-nacl)# deny ip any 192.168.0.0 0.0.3.255
2851(config-ext-nacl)# permit ip host 192.168.0.100 any

create a route-map to ASA7 destination

2851(config)# route-map ASA7
2851(config-route-map)# match ip address SERVER
2851(config-route-map)# set ip next-hop 192.168.0.7

apply the route-map to the correct interface (the one pointing to the asa)

2851(config)#interface fa0/0
2851(config-if)#ip policy route-map ASA7

I never try this command before, neither packet tracer permit me a simulation, so no refound if don't work correctly! ;)

Best Answer

Related Solutions

Cisco – Placement of firewall for VPN RA and L2L tunnels

Routing – How to use secondary internet exclusively for one host

Related Topic