Using PAT for many users

Answered Question
Apr 27th, 2009

All,


Is there documentation somewhere that states how many users can run behind PAT? I've got between 300 - 1000 at any one time that can be on, and currently I'm using the interface address on the ASA to do this with. I was wondering if I needed to set aside a couple more addresses to go out on, or if I should be okay with this many users. It's a 5550.


Thanks,

John

Correct Answer by Jon Marshall about 8 years 3 months ago

John


As you know PAT uses the port number in addition to changing the IP address to hide the private address.


The port field in the IP header is a 16-bit unsigned integer. This means the value of the port field can be 0 -> 65535. Take away the ports between 0 and 1024 and you still have an awful lot of port numbers.


It's not quite as simple as that, as a single user may generate a large number of PAT translations depending on the application and how it works. But I would think you should be okay, as I have run far more than 1000 users through a firewall with a single IP address.


If the firewall does run out it should tell you anyway by reporting that it has no available xlate for the connection.


Jon
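As an added example that is not part of the thread: a small Python model of how a PAT pool's port space is consumed, used to check the arithmetic above (one global IP, ports 0-1023 set aside) against a given user count and per-user flow count, and to reproduce the exhaustion condition that would surface as a "no available xlate" failure. The port ranges, addresses and per-user flow counts are assumptions for illustration, not ASA defaults.

```python
# Added example, not from the thread: a simplified model of PAT port
# allocation. Port range, addresses and per-user flow counts are assumptions.
from collections import deque

PORT_LOW, PORT_HIGH = 1024, 65535   # reserve 0-1023 as the answer suggests

def usable_ports(low=PORT_LOW, high=PORT_HIGH):
    """Mapped ports one global IP can hand out (64512 with the defaults)."""
    return high - low + 1

def global_ips_needed(users, conns_per_user, low=PORT_LOW, high=PORT_HIGH):
    """Smallest number of PAT addresses covering users * conns_per_user flows."""
    return -(-(users * conns_per_user) // usable_ports(low, high))

class XlateExhausted(Exception):
    """No global IP has a free port: the firewall's 'no available xlate' case."""

class PatTable:
    """Per-global-IP free-port pools; each active flow gets a unique (ip, port)."""
    def __init__(self, global_ips, low=PORT_LOW, high=PORT_HIGH):
        self.free = {ip: deque(range(low, high + 1)) for ip in global_ips}
        self.xlates = {}   # (real_ip, real_port, proto) -> (global_ip, port)

    def translate(self, real_ip, real_port, proto="tcp"):
        key = (real_ip, real_port, proto)
        if key in self.xlates:            # an existing flow keeps its mapping
            return self.xlates[key]
        for gip, ports in self.free.items():
            if ports:                     # first global IP with a free port
                self.xlates[key] = (gip, ports.popleft())
                return self.xlates[key]
        raise XlateExhausted(f"no free port for {key}")

    def release(self, real_ip, real_port, proto="tcp"):
        """Flow closed: return its port to the pool so it can be reused."""
        gip, port = self.xlates.pop((real_ip, real_port, proto))
        self.free[gip].append(port)

def flows_before_exhaustion(users, conns_per_user, global_ips, low, high):
    """Open conns_per_user flows from each of `users` hosts; count successes."""
    table = PatTable(global_ips, low, high)
    opened = 0
    for u in range(users):
        for c in range(conns_per_user):
            try:
                table.translate(f"10.0.{u // 256}.{u % 256}", 1024 + c)
            except XlateExhausted:
                return opened
            opened += 1
    return opened
```

With the default range, 1000 users at 50 concurrent flows each (50,000 xlates) fit on one address, while 100 flows each would need a second PAT address; the model ignores ASA-specific behaviour such as port-block allocation or per-destination reuse.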

John Blakley Mon, 04/27/2009 - 06:30

Thanks Jon! Well, I have to tell you that our first test for the firewall replacement, replacing the Symantec with the ASA, went 99% flawlessly on Friday night. I was very pleased with the way it went. :-)


John

Jon Marshall Mon, 04/27/2009 - 06:32

John


"I have to tell you that our first test for the firewall replacement, replacing the Symantec with the ASA, went 99% flawlessly on Friday night"


That's very impressive, as translating configs between different vendor firewalls is never easy. Glad to hear it went so well, with the added bonus that you now know a whole lot more about Cisco ASAs :-)


Jon
