Cisco ASA 5520 Nat translation Max

Hello,
I am going with an ASA 5520. Can anyone help me to know how many NAT translations are possible?
3 REPLIES

Re: Cisco ASA 5520 Nat translation Max

Hi Bro

The Firewall, when translating for NAT overload (or PAT), splits the available ports into three pools:

Low: 0-511

Mid: 512-1023

High: 1024-65535

When the Firewall initially starts to perform port translation, it begins with the lowest port number in each pool. This means the first packet sourced internally from a high port will be sent to the Internet with a new source port of 1024. The next high-port translation will go out with a source port of 1025, and so on.

Here's a link to a Cisco document where you can find more about this;

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa13

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

Cisco ASA 5520 Nat translation Max

Hi Manoharan,

Your question is a bit interesting and a tough one to answer.

Typically for dynamic NAT, if you use an access-list then 65535 is the limit. The other case of dynamic NAT has a limit of a huge range, like 21474836478, which is the limit for creating nat and global commands.

When it comes to static NAT, I guess that also has the same limit, 65535.

Let's see what other experts say on this query.

Please do rate if the given information helps.

By

Karthik


Better late than never ;)

There is a document http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/nat-rules.html#40794 saying that

-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.

So the maximum number of NAT (in my example PAT) translations depends on the available memory, CPU speed and the actual configuration of the ASA. In other words, there is no 65535 maximum.
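As an added illustration (not from this thread or from Cisco), a small Python model of the PAT behaviour described in the replies above: mapped ports are handed out from the bottom of the pool matching the source port, classic PAT keeps a mapped port unique per mapped address, and extended PAT keys it to the destination service as well, so the same mapped port can serve 192.168.1.7:23 and 192.168.1.7:80. The pool boundaries follow the first reply, the mapped address 10.1.1.1 is taken from the quoted document, the inside addresses and the counting helper are constructed for the example, and xlate timeouts are not modelled.

```python
from dataclasses import dataclass, field

# Port pools as described in the first reply; mapped ports come from the same pool as the source port.
POOLS = ((0, 511), (512, 1023), (1024, 65535))


def pool_for(port: int) -> tuple:
    """Return the (low, high) bounds of the pool a source port belongs to."""
    for lo, hi in POOLS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    """PAT translation table for one mapped address (ports are never freed here).
    extended=False: classic PAT, a mapped port is unique per mapped address.
    extended=True:  extended PAT, the destination IP/port is part of the key,
                    so each destination service has its own port space.
    """
    mapped_ip: str
    extended: bool = False
    xlates: dict = field(default_factory=dict)     # flow 4-tuple -> mapped port
    next_free: dict = field(default_factory=dict)  # (scope, pool) -> next port

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (mapped_ip, mapped_port) for a flow, allocating if needed."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.xlates:               # same flow reuses its xlate
            return self.mapped_ip, self.xlates[key]
        lo, hi = pool_for(src_port)
        scope = (dst_ip, dst_port) if self.extended else None
        port = self.next_free.get((scope, lo), lo)
        if port > hi:
            raise RuntimeError(f"PAT pool {lo}-{hi} exhausted on {self.mapped_ip}")
        self.next_free[(scope, lo)] = port + 1
        self.xlates[key] = port
        return self.mapped_ip, port


def flows_until_exhausted(table: PatTable, destinations) -> int:
    """Count how many new high-port flows (unique constructed source IPs, spread
    round-robin over the destination services) fit before a pool runs out."""
    n = 0
    while True:
        dst_ip, dst_port = destinations[n % len(destinations)]
        src_ip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"  # constructed
        try:
            table.translate(src_ip, 50000, dst_ip, dst_port)
        except RuntimeError:
            return n
        n += 1
```

With one mapped address, classic PAT exhausts the high pool after 64512 flows regardless of how many destinations are involved, while extended PAT towards two destination services fits twice that number.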
