PAT - Maximum number of translations

Unanswered Question
Aug 23rd, 2007
User Badges:
  • Bronze, 100 points or more

I don't know the maximum of translation slots available when PAT is used


1) PAT uses the high ports for translations; therefore the available translation slots per IP are calculated


via 65536-1024 = 64512.

2) Almost unlimited as a hash value is used to identify the translation instead of using the TCP port. The


hash value is calculated using the source port and IP address as well as destination port and IP address,


this will allow to have more that 65000 connection with one IP.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hsajwan Thu, 08/23/2007 - 13:22
User Badges:

Hey, where did you get the second point from. This is wrong. First one is correct, however, let me give you some more details here:


The firewall, when translating port for NAT overload, splits the available ports into

three pools:


Low: 0-511

Mid: 512-1023

High: 1024-65535


If a packet inside you network comes into the Firewall destined for the Internet, and it

source port falls into one of those pool, the PIX will translate it to another port in

that pool. When the Firewall first starts translating addresses, it starts with the lowest port number in each pool. That means the first UDP packet sourced internally from a high port will get sent on the Internet with a new source port of 1024.


The next UDP high port translation will go out with a source port of 1025, so on and so

forth.


I hope you find the above information useful. Here's a good link for you where you can find some more details on this question:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa13



Actions

This Discussion