Using PAT for many users

John Blakley
VIP Alumni

All,

Is there documentation somewhere that states how many users can run behind PAT? I've got between 300 - 1000 at any one time that can be on, and currently I'm using the interface address on the ASA to do this with. I was wondering if I needed to set aside a couple more addresses to go out on, or if I should be okay with this many users. It's a 5550.

Thanks,

John

HTH, John *** Please rate all useful posts ***
Accepted Solutions

Jon Marshall
Hall of Fame

John

As you know, PAT uses the port number in addition to changing the IP address to hide the private address.

The port field in the IP header is a 16-bit unsigned integer. This means the value of the port field can be 0 -> 65535. Take away the ports between 0 and 1024 and you still have an awful lot of port numbers.

It's not quite as simple as that, as a single user may generate a large number of PAT translations depending on the application and how it works. But I would think you should be okay, as I have run far more than 1000 users through a firewall with a single IP address.

If the firewall does run out it should tell you anyway by reporting that it has no available xlate for the connection.

Jon
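
As an added example that is not part of the original thread, the simplified Python model below shows why the number of concurrent flows per user, rather than the user count alone, decides when a single PAT address runs out of translations. It assumes the port range given in the answer (1025-65535), a separate port space per protocol, and one xlate per inside address/port pair; the class and function names are hypothetical and this is not how the ASA itself allocates ports.

```python
# Added illustration: a simplified model of a PAT translation (xlate) table.
# Assumptions (not from the thread): one mapped address, ports 1025-65535 usable,
# a separate port space per protocol, one xlate per inside (proto, ip, port).
from itertools import count

PORT_LOW, PORT_HIGH = 1025, 65535  # thread: 0-65535 minus the ports 0-1024


class PatExhausted(Exception):
    """Raised when no mapped port is left for a new translation."""


class PatTable:
    def __init__(self, low=PORT_LOW, high=PORT_HIGH):
        self.low, self.high = low, high
        self.xlates = {}  # (proto, inside_ip, inside_port) -> mapped port
        self.free = {}    # proto -> stack of unused mapped ports

    def translate(self, proto, inside_ip, inside_port):
        key = (proto, inside_ip, inside_port)
        if key in self.xlates:  # existing flow reuses its translation
            return self.xlates[key]
        free = self.free.setdefault(
            proto, list(range(self.high, self.low - 1, -1)))
        if not free:
            raise PatExhausted(f"no available xlate for {proto} {inside_ip}/{inside_port}")
        port = free.pop()  # lowest unused port first
        self.xlates[key] = port
        return port

    def release(self, proto, inside_ip, inside_port):
        # Called when a flow ends or times out; the mapped port becomes reusable.
        port = self.xlates.pop((proto, inside_ip, inside_port), None)
        if port is not None:
            self.free[proto].append(port)


def users_until_exhaustion(conns_per_user, proto="tcp"):
    """Return how many users, each holding conns_per_user concurrent flows, fit."""
    table = PatTable()
    for user in count(1):
        ip = f"10.0.{user // 256}.{user % 256}"  # constructed inside addresses
        try:
            for sport in range(40000, 40000 + conns_per_user):
                table.translate(proto, ip, sport)
        except PatExhausted:
            return user - 1
```

In this model 1000 users fit comfortably at 50 concurrent TCP flows each, while at 200 flows each the single address is exhausted after 322 users.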


Thanks Jon! Well, I have to tell you that our first test for the firewall replacement, replacing the Symantec with the ASA, went 99% flawlessly on Friday night. I was very pleased with the way it went. :-)

John

HTH, John *** Please rate all useful posts ***

John

"I have to tell you that our first test for the firewall replacement, replacing the Symantec with the ASA, went 99% flawlessly on Friday night"

That's very impressive, as translating configs between different vendor firewalls is never easy. Glad to hear it went so well, with the added bonus that you now know a whole lot more about Cisco ASAs :-)

Jon
