Is there documentation somewhere that states how many users can run behind PAT? I've got between 300 - 1000 at any one time that can be on, and currently I'm using the interface address on the ASA to do this with. I was wondering if I needed to set aside a couple more addresses to go out on, or if I should be okay with this many users. It's a 5550.
As you know, PAT uses the port number in addition to changing the IP address to hide the private address.
The port field in the IP header is a 16-bit unsigned integer. This means the value of the port field can be 0 -> 65535. Take away the ports between 0 and 1024 and you still have an awful lot of port numbers.
It's not quite as simple as that, as a single user may generate a large number of PAT translations depending on the application and how it works. But I would think you should be okay, as I have run far more than 1000 users through a firewall with a single IP address.
If the firewall does run out it should tell you anyway by reporting that it has no available xlate for the connection.
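To put numbers on the answer above, here is an added example (not part of the original thread and not the ASA's actual allocator) that models a PAT pool and shows where it runs out of ports. It assumes one pool of ports 1024-65535 per protocol per mapped address and no port reuse across destinations; the class names, addresses and connection counts are constructed for illustration.

```python
PORT_MIN, PORT_MAX = 1024, 65535  # assumed usable range: 64512 ports


class PatExhausted(Exception):
    """No mapped port is free: the 'no available xlate' condition."""


class PatPool:
    """Simplified PAT table: one port pool per (protocol, mapped IP)."""

    def __init__(self, mapped_ips):
        self.mapped_ips = list(mapped_ips)
        self.free = {}    # (proto, mapped_ip) -> stack of free ports
        self.xlates = {}  # (proto, src_ip, src_port) -> (mapped_ip, mapped_port)

    def translate(self, proto, src_ip, src_port):
        key = (proto, src_ip, src_port)
        if key in self.xlates:  # an existing translation is reused
            return self.xlates[key]
        for ip in self.mapped_ips:  # spill to the next address when one is full
            ports = self.free.setdefault(
                (proto, ip), list(range(PORT_MAX, PORT_MIN - 1, -1)))
            if ports:
                self.xlates[key] = (ip, ports.pop())
                return self.xlates[key]
        raise PatExhausted(f"no free {proto} port for {src_ip}:{src_port}")

    def release(self, proto, src_ip, src_port):
        """Return the mapped port to its pool when the connection ends."""
        ip, port = self.xlates.pop((proto, src_ip, src_port))
        self.free[(proto, ip)].append(port)


def simulate(users, conns_per_user, mapped_ips, proto="tcp"):
    """Open conns_per_user connections for each user at once.

    Returns (translations created, translations refused).
    """
    pool = PatPool(mapped_ips)
    created = refused = 0
    for u in range(users):
        src_ip = f"10.0.{u // 250}.{u % 250 + 1}"  # constructed inside hosts
        for c in range(conns_per_user):
            try:
                pool.translate(proto, src_ip, 20000 + c)
                created += 1
            except PatExhausted:
                refused += 1
    return created, refused
```

In this model 1000 users with 50 simultaneous connections each fit on one address, while 100 each do not, so the figure to watch is concurrent translations rather than user count.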